Changeset fe157b9 for fedd


Ignore:
Timestamp:
Dec 22, 2008 5:58:25 PM (16 years ago)
Author:
Ted Faber <faber@…>
Branches:
axis_example, compt_changes, info-ops, master, version-1.30, version-2.00, version-3.01, version-3.02
Children:
ca24951
Parents:
b09f346
Message:

Zero-length self-signed certs failed under python 2.4/M2Crypto0.13. This explicitly fixes them

File:
1 edited

Legend:

Unmodified
Added
Removed
  • fedd/federation/util.py

    rb09f346 rfe157b9  
    77from M2Crypto import SSL
    88from fedid import fedid
     9
     10
     11# If this is an old enough version of M2Crypto.SSL that has an
     12# ssl_verify_callback that doesn't allow 0-length signed certs, create a
     13# version of that callback that does.  This is edited from the original in
     14# M2Crypto.SSL.cb.  This version also elides the printing to stderr.
     15if not getattr(SSL.cb, 'ssl_verify_callback_allow_unknown_ca', None):
     16    from M2Crypto.SSL.Context import map
     17    from M2Crypto import m2
     18
     19    def ssl_verify_callback(ssl_ctx_ptr, x509_ptr, errnum, errdepth, ok):
     20        unknown_issuer = [
     21            m2.X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY,
     22            m2.X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE,
     23            m2.X509_V_ERR_CERT_UNTRUSTED,
     24            m2.X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
     25            ]
     26        ssl_ctx = map()[ssl_ctx_ptr]
     27
     28        if errnum in unknown_issuer:
     29            if ssl_ctx.get_allow_unknown_ca():
     30                ok = 1
     31        # CRL checking goes here...
     32        if ok:
     33            if ssl_ctx.get_verify_depth() >= errdepth:
     34                ok = 1
     35            else:
     36                ok = 0
     37        return ok
     38else:
     39    def ssl_verify_callback(ssl_ctx_ptr, x509_ptr, errnum, errdepth, ok):
     40        raise ValueError("This should never be called")
    941
    1042class fedd_ssl_context(SSL.Context):
     
    4880            # attribute.  This should work under both regines.
    4981            callb = getattr(SSL.cb, 'ssl_verify_callback_allow_unknown_ca',
    50                     SSL.cb.ssl_verify_callback)
     82                    ssl_verify_callback)
    5183            self.set_allow_unknown_ca(True)
    5284            self.set_verify(SSL.verify_peer, 10, callback=callb)
Note: See TracChangeset for help on using the changeset viewer.