Alon Bar-Lev has uploaded a new change for review. Change subject: host-deploy: getChainFromSSL: acquire chain from session and not negotiation ......................................................................
host-deploy: getChainFromSSL: acquire chain from session and not negotiation although the negotiation seems to be the right place to acquire the chain, in some cases it was missing the root certificate authority, while the chain out of the session is a complete one. Change-Id: I397f1341984f78e8fc0a07e9256eeac362b0fcaf Signed-off-by: Alon Bar-Lev <[email protected]> --- M vdsm_reg/deployUtil.py.in 1 file changed, 9 insertions(+), 28 deletions(-) git pull ssh://gerrit.ovirt.org:29418/vdsm refs/changes/73/23773/1 diff --git a/vdsm_reg/deployUtil.py.in b/vdsm_reg/deployUtil.py.in index ba45d64..20d5c0c 100644 --- a/vdsm_reg/deployUtil.py.in +++ b/vdsm_reg/deployUtil.py.in @@ -19,6 +19,7 @@ # # Description: Deployment utilities. +import contextlib import subprocess import logging import traceback 
@@ -1649,38 +1650,18 @@ # which depends on M2Crypto from M2Crypto import SSL - # openssl verify callback does not - # accept context, so we collect the chain - # in semi-global dictionary - # - # a certificate may be revisit more than one time. - # - # format: - # depth: certificate - chain = {} - - def verify(ok, store): - chain[store.get_error_depth()] = store.get_current_cert().as_pem() - return True - def check_ignore(*args, **kw): return True ctx = SSL.Context() - ctx.set_verify( - SSL.verify_peer | SSL.verify_fail_if_no_peer_cert, - depth=10, - callback=verify - ) - sock = SSL.Connection(ctx) - # we would like to ignore any issue with certificates - sock.set_post_connection_check_callback(check_ignore) - sock.connect(host) - sock.close() - - # return sorted by depth - # first is end certificate - return [chain[depth] for depth in sorted(chain.keys())] + ctx.set_verify(SSL.verify_none, 10) + with contextlib.closing(SSL.Connection(ctx)) as sock: + # we would like to ignore any issue with certificates + sock.set_post_connection_check_callback(check_ignore) + sock.connect(host) + # if we do not shutdown some sites hungs on close + sock.shutdown(3) + return [c.as_pem() for c in sock.get_peer_cert_chain()] def getRhevmCert(IP, port): -- To view, visit http://gerrit.ovirt.org/23773 To unsubscribe, visit http://gerrit.ovirt.org/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I397f1341984f78e8fc0a07e9256eeac362b0fcaf Gerrit-PatchSet: 1 Gerrit-Project: vdsm Gerrit-Branch: master Gerrit-Owner: Alon Bar-Lev <[email protected]> _______________________________________________ vdsm-patches mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/vdsm-patches
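Review bot: in the second hunk (getChainFromSSL), sock.get_peer_cert_chain() can return None (M2Crypto returns None when OpenSSL has no peer chain), and the new "ctx.set_verify(SSL.verify_none, 10)" drops the SSL.verify_fail_if_no_peer_cert flag that previously made the handshake fail in that case, so a server that presents no certificate now ends in a TypeError from the list comprehension instead of a clear error; guard it, e.g. "chain = sock.get_peer_cert_chain()" followed by "if chain is None: raise ..." (or return an empty list, whichever the caller expects) before building the PEM list. Two smaller points in the same hunk: "sock.shutdown(3)" is a magic number, so either use the SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN constants if M2Crypto exposes them or state in the comment that 3 is that bitmask (the comment also reads "some sites hungs" and should read "hang"); and since verification is now disabled entirely (verify_none plus check_ignore returning True), the comment "we would like to ignore any issue with certificates" should say explicitly that the returned chain is unauthenticated and must be validated by the caller out of band, so that nobody later treats this function's result as trusted.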
