# HG changeset patch
# User Keir Fraser <keir.fraser@xxxxxxxxxx>
# Date 1209631816 -3600
# Node ID 1e169f4e8e727e8f32a476d4b4eb8bd5504a362f
# Parent 013a47065e8c4e815e3b1aba0883341c19238e82
Add SSL/TLS support to relocation
* SSL/TLS support is disabled by default, as it is for the other servers.
* If "xend-relocation-server-ssl-key-file" and
"xend-relocation-server-ssl-cert-file" exist, SSL/TLS is enabled
automatically.
* "xend-relocation-tls" is used by relocation client only.
Signed-off-by: Zhigang Wang <zhigang.x.wang@xxxxxxxxxx>
---
tools/examples/xend-config.sxp | 9 ++++++
tools/python/xen/web/tcp.py | 41 +++++++++++++++++++++++++++++++
tools/python/xen/xend/XendDomain.py | 12 +++++++--
tools/python/xen/xend/XendOptions.py | 11 ++++++++
tools/python/xen/xend/server/relocate.py | 13 ++++++++-
5 files changed, 82 insertions(+), 4 deletions(-)
diff -r 013a47065e8c -r 1e169f4e8e72 tools/examples/xend-config.sxp
--- a/tools/examples/xend-config.sxp Thu May 01 09:45:44 2008 +0100
+++ b/tools/examples/xend-config.sxp Thu May 01 09:50:16 2008 +0100
@@ -82,6 +82,15 @@
# is set.
#(xend-relocation-port 8002)
+# Whether to use tls when relocating.
+#(xend-relocation-tls no)
+
+# SSL key and certificate to use for the relocation interface.
+# Setting these will mean that this port serves only SSL connections as
+# opposed to plaintext ones.
+#(xend-relocation-server-ssl-key-file /etc/xen/xmlrpc.key)
+#(xend-relocation-server-ssl-cert-file /etc/xen/xmlrpc.crt)
+
# Address xend should listen on for HTTP connections, if xend-http-server is
# set.
# Specifying 'localhost' prevents remote connections.
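Review bot: The comment `# Whether to use tls when relocating.` reads as though it controls the server, but the commit message says `xend-relocation-tls` is honoured by the relocation client only, while the server side is switched on by the two key/cert options below it. Suggest `# Whether to use TLS for outgoing relocations (client side only; the server side is enabled by the ssl-key-file/ssl-cert-file options below).` It would also help administrators to say explicitly that, once both files are set, the port serves only SSL and peers must therefore set xend-relocation-tls to reach it.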
diff -r 013a47065e8c -r 1e169f4e8e72 tools/python/xen/web/tcp.py
--- a/tools/python/xen/web/tcp.py Thu May 01 09:45:44 2008 +0100
+++ b/tools/python/xen/web/tcp.py Thu May 01 09:50:16 2008 +0100
@@ -21,6 +21,8 @@ import re
import re
import socket
import time
+
+from OpenSSL import SSL
import connection
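Review bot: The module-level `from OpenSSL import SSL` makes pyOpenSSL an import-time dependency of xen.web.tcp for every deployment, including those that never configure the SSL listener, whereas XendDomain.py in the same patch imports it lazily inside the tls branch. Moving the import into `SSLTCPListener.createSocket`, or guarding it with `try: from OpenSSL import SSL` / `except ImportError: SSL = None` and raising a clear error from `SSLTCPListener.__init__` when it is missing, keeps the plaintext path working on hosts without pyOpenSSL and matches the client-side style.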
@@ -64,3 +66,42 @@ class TCPListener(connection.SocketListe
sock.close()
except:
pass
+
+class SSLTCPListener(TCPListener):
+
+ def __init__(self, protocol_class, port, interface, hosts_allow,
+ ssl_key_file = None, ssl_cert_file = None):
+ if not ssl_key_file or not ssl_cert_file:
+ raise ValueError("SSLXMLRPCServer requires ssl_key_file "
+ "and ssl_cert_file to be set.")
+
+ self.ssl_key_file = ssl_key_file
+ self.ssl_cert_file = ssl_cert_file
+
+ TCPListener.__init__(self, protocol_class, port, interface,
hosts_allow)
+
+
+ def createSocket(self):
+ # make a SSL socket
+ ctx = SSL.Context(SSL.SSLv23_METHOD)
+ ctx.set_options(SSL.OP_NO_SSLv2)
+ ctx.use_privatekey_file (self.ssl_key_file)
+ ctx.use_certificate_file(self.ssl_cert_file)
+ sock = SSL.Connection(ctx,
+ socket.socket(socket.AF_INET,
socket.SOCK_STREAM))
+ sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
+
+ # SO_REUSEADDR does not always ensure that we do not get an address
+ # in use error when restarted quickly
+ # we implement a timeout to try and avoid failing unnecessarily
+ timeout = time.time() + 30
+ while True:
+ try:
+ sock.bind((self.interface, self.port))
+ return sock
+ except socket.error, (_errno, strerrno):
+ if _errno == errno.EADDRINUSE and time.time() < timeout:
+ time.sleep(0.5)
+ else:
+ raise
+
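Review bot: The message on the `raise ValueError` in `__init__` names `SSLXMLRPCServer`, which is not this class; it should read `raise ValueError("SSLTCPListener requires ssl_key_file and ssl_cert_file to be set.")` so a startup failure points at the right object. In createSocket the context disables only SSLv2 and never calls `set_verify`, so the listener authenticates itself to clients but accepts any client that passes the IP-based hosts_allow check; if that is the intended model it deserves a comment on the `ctx =` line such as `# No client-certificate check: peer authentication still rests on hosts_allow`, and `ctx.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3)` would also drop SSLv3. `errno.EADDRINUSE` is referenced but `errno` is not among the imports visible in the first hunk; if it is not imported above line 21 of tcp.py the retry path raises NameError instead of retrying. The bind/retry loop appears to duplicate the one in TCPListener.createSocket (not shown in the hunk); a hook on the base class that only builds the socket would avoid maintaining the timeout logic twice.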
diff -r 013a47065e8c -r 1e169f4e8e72 tools/python/xen/xend/XendDomain.py
--- a/tools/python/xen/xend/XendDomain.py Thu May 01 09:45:44 2008 +0100
+++ b/tools/python/xen/xend/XendDomain.py Thu May 01 09:50:16 2008 +0100
@@ -1293,8 +1293,16 @@ class XendDomain:
if port == 0:
port = xoptions.get_xend_relocation_port()
- try:
- sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+
+ try:
+ tls = xoptions.get_xend_relocation_tls()
+ if tls:
+ from OpenSSL import SSL
+ ctx = SSL.Context(SSL.SSLv23_METHOD)
+ sock = SSL.Connection(ctx, socket.socket(socket.AF_INET,
socket.SOCK_STREAM))
+ sock.set_connect_state()
+ else:
+ sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((dst, port))
except socket.error, err:
raise XendError("can't connect: %s" % err[1])
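Review bot: The client context `SSL.Context(SSL.SSLv23_METHOD)` is created without `set_verify` or `load_verify_locations`, so the sending host accepts whatever certificate the destination presents; the domain's memory image is encrypted on the wire but the peer is not authenticated, which protects against passive capture only. A CA-file option alongside the two server options, with `ctx.load_verify_locations(ca_file)` and `ctx.set_verify(SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT, callback)`, would close that gap, and until it exists the `ctx =` line deserves a comment such as `# NOTE: no peer verification yet; TLS here guards against passive capture only`. The client also does not set `OP_NO_SSLv2` although the server side in tcp.py does; `ctx.set_options(SSL.OP_NO_SSLv2)` keeps the two ends consistent. With pyOpenSSL the handshake is presumably performed on the first read/write rather than inside `connect()`, so a failed handshake would raise `SSL.Error` outside this `except socket.error` and bypass the XendError wrapping; worth confirming against the callers of this socket.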
diff -r 013a47065e8c -r 1e169f4e8e72 tools/python/xen/xend/XendOptions.py
--- a/tools/python/xen/xend/XendOptions.py Thu May 01 09:45:44 2008 +0100
+++ b/tools/python/xen/xend/XendOptions.py Thu May 01 09:50:16 2008 +0100
@@ -192,6 +192,12 @@ class XendOptions:
return self.get_config_bool("xend-relocation-server",
self.xend_relocation_server_default)
+ def get_xend_relocation_server_ssl_key_file(self):
+ return self.get_config_string("xend-relocation-server-ssl-key-file")
+
+ def get_xend_relocation_server_ssl_cert_file(self):
+ return self.get_config_string("xend-relocation-server-ssl-cert-file")
+
def get_xend_port(self):
"""Get the port xend listens at for its HTTP interface.
"""
@@ -202,6 +208,11 @@ class XendOptions:
"""
return self.get_config_int('xend-relocation-port',
self.xend_relocation_port_default)
+
+ def get_xend_relocation_tls(self):
+ """Whether to use tls when relocating.
+ """
+ return self.get_config_bool('xend-relocation-tls', 'no')
def get_xend_relocation_hosts_allow(self):
return self.get_config_string("xend-relocation-hosts-allow",
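Review bot: `get_xend_relocation_tls` passes the default as the literal `'no'`, whereas the sibling getters in this file pass `self.xend_relocation_server_default` / `self.xend_relocation_port_default` attributes; a `xend_relocation_tls_default = 'no'` class attribute referenced as `self.xend_relocation_tls_default` keeps the defaults discoverable in one place. Whether `get_config_bool` coerces a string default is not visible in this hunk; if it ever returns the default unchanged, the string `'no'` is truthy and `if tls:` in XendDomain.py would enable TLS when the option is absent, so this is worth a one-line check.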
diff -r 013a47065e8c -r 1e169f4e8e72 tools/python/xen/xend/server/relocate.py
--- a/tools/python/xen/xend/server/relocate.py Thu May 01 09:45:44 2008 +0100
+++ b/tools/python/xen/xend/server/relocate.py Thu May 01 09:50:16 2008 +0100
@@ -132,5 +132,14 @@ def listenRelocation():
else:
hosts_allow = map(re.compile, hosts_allow.split(" "))
- tcp.TCPListener(RelocationProtocol, port, interface = interface,
- hosts_allow = hosts_allow)
+ ssl_key_file = xoptions.get_xend_relocation_server_ssl_key_file()
+ ssl_cert_file = xoptions.get_xend_relocation_server_ssl_cert_file()
+
+ if ssl_key_file and ssl_cert_file:
+ tcp.SSLTCPListener(RelocationProtocol, port, interface = interface,
+ hosts_allow = hosts_allow,
+ ssl_key_file = ssl_key_file,
+ ssl_cert_file = ssl_cert_file)
+ else:
+ tcp.TCPListener(RelocationProtocol, port, interface = interface,
+ hosts_allow = hosts_allow)
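Review bot: When exactly one of `ssl_key_file` / `ssl_cert_file` is set, `if ssl_key_file and ssl_cert_file:` silently falls through to the plaintext `tcp.TCPListener`, so a typo in one option leaves a server the administrator believes is TLS-only accepting unencrypted migrations with no diagnostic. A guard before the branch such as `if bool(ssl_key_file) != bool(ssl_cert_file): raise ValueError("xend-relocation-server-ssl-key-file and xend-relocation-server-ssl-cert-file must both be set")` makes the misconfiguration fail closed at startup; logging a warning would be the softer alternative if a logger is in scope in relocate.py (not visible here). listenRelocation starts above this hunk.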