Changeset 816daef


Ignore:
Timestamp:
Jul 8, 2011 6:32:31 PM (13 years ago)
Author:
Ted Faber <faber@…>
Branches:
compt_changes, info-ops, master
Children:
2d601b7
Parents:
c410811a
Message:

New SSL error code complicates self-signed certs

File:
1 edited

Legend:

Unmodified
Added
Removed
  • fedd/federation/util.py

    rc410811a r816daef  
    1919from service_error import service_error
    2020from urlparse import urlparse
     21from M2Crypto import m2
    2122
    2223
     
    2728if not getattr(SSL.cb, 'ssl_verify_callback_allow_unknown_ca', None):
    2829    from M2Crypto.SSL.Context import map
    29     from M2Crypto import m2
    30 
    31     def ssl_verify_callback(ssl_ctx_ptr, x509_ptr, errnum, errdepth, ok):
     30
     31    def fedd_ssl_verify_callback(ssl_ctx_ptr, x509_ptr, errnum, errdepth, ok):
    3232        unknown_issuer = [
    3333            m2.X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY,
     
    3636            m2.X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
    3737            ]
     38        # m2.X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN should also be allowed
     39        if getattr(m2, 'X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN', None):
     40            unknown_issuer.append(getattr(m2,
     41                'X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN', None))
    3842        ssl_ctx = map()[ssl_ctx_ptr]
    3943
     
    4953        return ok
    5054else:
    51     def ssl_verify_callback(ssl_ctx_ptr, x509_ptr, errnum, errdepth, ok):
    52         raise ValueError("This should never be called")
     55    def fedd_ssl_verify_callback(ok, store):
     56        '''
     57        m2.X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN should also be allowed
     58        '''
     59        errnum = store.get_error()
     60        if errnum == m2.X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
     61            ok = 1
     62            return ok
     63        else:
     64            return SSL.cb.ssl_verify_callback_allow_unknown_ca(ok, store)
    5365
    5466class fedd_ssl_context(SSL.Context):
     
    89101            self.set_verify(SSL.verify_peer, 10)
    90102        else:
    91             # More legacy code.  Recent versions of M2Crypto express the
    92             # allow_unknown_ca option through a callback turned to allow it.
    93             # Older versions use a standard callback that respects the
    94             # attribute.  This should work under both regines.
    95             callb = getattr(SSL.cb, 'ssl_verify_callback_allow_unknown_ca',
    96                     ssl_verify_callback)
     103            # Install the proper callback to allow self-signed certs
    97104            self.set_allow_unknown_ca(True)
    98             self.set_verify(SSL.verify_peer, 10, callback=callb)
     105            self.set_verify(SSL.verify_peer, 10,
     106                    callback=fedd_ssl_verify_callback)
    99107
    100108class file_expanding_opts(OptionParser):
Note: See TracChangeset for help on using the changeset viewer.