
[Xen-API] [PATCH] add primitive SSL cert verification

To: xen-api@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-API] [PATCH] add primitive SSL cert verification
From: David Scott <dave.scott@xxxxxxxxxxxxx>
Date: Tue, 22 Dec 2009 14:48:02 +0000
Delivery-date: Tue, 22 Dec 2009 07:00:12 -0800
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-api-request@lists.xensource.com?subject=help>
List-id: Discussion of API issues surrounding Xen <xen-api.lists.xensource.com>
List-post: <mailto:xen-api@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-api>, <mailto:xen-api-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-api>, <mailto:xen-api-request@lists.xensource.com?subject=unsubscribe>
Sender: xen-api-bounces@xxxxxxxxxxxxxxxxxxx
# HG changeset patch
# User David Scott <dave.scott@xxxxxxxxxxxxx>
# Date 1261493243 0
# Node ID 2680884fb5c9752e32bc40cc0644ac6015823770
# Parent  7e4670b5a046dd914812272b81f9d8be55e5aa00
CA-36092: Modifying Stunnel.connect's verify_cert argument to be tri-state.

The values are:
  Some true -> do verification
  Some false -> don't do verification
  None -> do verification if the file /var/xapi/verify_certificates exists

Signed-off-by: Magnus Therning <magnus.therning@xxxxxxxxxxxxx>
Acked-by: David Scott <dave.scott@xxxxxxxxxxxxx>

diff -r 7e4670b5a046 -r 2680884fb5c9 stunnel/stunnel.ml
--- a/stunnel/stunnel.ml        Tue Dec 22 11:37:00 2009 +0000
+++ b/stunnel/stunnel.ml        Tue Dec 22 14:47:23 2009 +0000
@@ -23,6 +23,7 @@
 
 let certificate_path = "/etc/stunnel/certs"
 let crl_path = "/etc/stunnel/crls"
+let verify_certificates_ctrl = "/var/xapi/verify_certificates"
 
 let use_new_stunnel = ref false
 let new_stunnel_path = "/usr/sbin/stunnelng"
@@ -265,10 +266,20 @@
     @param extended_diagnosis If true, the stunnel log file will not be
     deleted.  Instead, it is the caller's responsibility to delete it.  This
     allows the caller to use diagnose_failure below if stunnel fails.  *)
-let connect ?unique_id ?use_external_fd_wrapper ?write_to_log
-    ?(verify_cert=false) ?(extended_diagnosis=false) host port = 
-  let connect = if !use_new_stunnel then attempt_one_connect_new else 
attempt_one_connect in
-  retry (fun () -> connect ?unique_id ?use_external_fd_wrapper ?write_to_log 
verify_cert extended_diagnosis host port) 5
+let connect
+               ?unique_id
+               ?use_external_fd_wrapper
+               ?write_to_log
+               ?verify_cert
+               ?(extended_diagnosis=false)
+               host
+               port = 
+       let connect = if !use_new_stunnel then attempt_one_connect_new else 
attempt_one_connect in
+       let _verify_cert = match verify_cert with
+               | Some x -> x
+               | None -> Sys.file_exists verify_certificates_ctrl
+       in
+       retry (fun () -> connect ?unique_id ?use_external_fd_wrapper 
?write_to_log _verify_cert extended_diagnosis host port) 5
 
 let sub_after i s =
   let len = String.length s in
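Review bot: The new `None` branch of the `verify_cert` match makes verification fail-open: when `/var/xapi/verify_certificates` is absent, whether never created or removed, every caller that does not pass `~verify_cert` connects without checking the peer certificate, and nothing records which mode was chosen; consider logging the decision at that point, or inverting the marker so that the absence of a file means verify rather than skip. The binding `_verify_cert` is actually used on the `retry` line, so the leading underscore only silences the unused-variable warning and misleads readers; shadow the argument instead: `let verify_cert = match verify_cert with | Some x -> x | None -> Sys.file_exists verify_certificates_ctrl in`. The doc comment that begins before this hunk documents `extended_diagnosis` but not the new tri-state argument; add `@param verify_cert [Some true] verifies the peer certificate, [Some false] skips verification, [None] (the default) verifies only if [verify_certificates_ctrl] exists.` The added lines are tab-indented while the surrounding file (see `sub_after`) uses two-space indentation.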
1 file changed, 15 insertions(+), 4 deletions(-)
stunnel/stunnel.ml |   19 +++++++++++++++----


Attachment: add_verification.patch
Description: Text Data
