X-Git-Url: http://git.onelab.eu/?a=blobdiff_plain;f=sfa%2Fserver%2Fthreadedserver.py;fp=sfa%2Fserver%2Fthreadedserver.py;h=282d632616dbcdba48613c2eb6bcc2e639ce610e;hb=38bc23de8fd7236420452ab683f236fab457d98e;hp=4be1aff2d740ecae9449db479f82d13812a04252;hpb=f71aba8ed6780482dd3ab0bdb9d3c4727b05435d;p=sfa.git
diff --git a/sfa/server/threadedserver.py b/sfa/server/threadedserver.py
index 4be1aff2..282d6326 100644
--- a/sfa/server/threadedserver.py
+++ b/sfa/server/threadedserver.py
@@ -154,6 +154,7 @@ class SecureXMLRpcRequestHandler(xmlrpc.server.SimpleXMLRPCRequestHandler):
 # Taken from the web (XXX find reference). Implements an HTTPS xmlrpc server
+# xxx should probably use instead http.server.ThreadingHTTPServer
 class SecureXMLRPCServer(http.server.HTTPServer,
                          xmlrpc.server.SimpleXMLRPCDispatcher):
@@ -175,13 +176,18 @@ class SecureXMLRPCServer(http.server.HTTPServer,
         self.method_map = {}
         # add cache to the request handler
         HandlerClass.cache = Cache()
+
+        # initialize base classes
+        http.server.HTTPServer.__init__(self, server_address, HandlerClass)
         xmlrpc.server.SimpleXMLRPCDispatcher.__init__(self, True, None)
-        socketserver.BaseServer.__init__(self, server_address, HandlerClass)
+
+        # define SSL context:
+        # require client certificate
         ssl_context = ssl.create_default_context(purpose=ssl.Purpose.CLIENT_AUTH)
+        ssl_context.verify_mode = ssl.CERT_REQUIRED
+        # set local certificate/private key
         ssl_context.load_cert_chain(cert_file, key_file)
-        # If you wanted to verify certs against known CAs..
-        # this is how you would do it
-        # ssl_context.load_verify_locations('/etc/sfa/trusted_roots/plc.gpo.gid')
+        # define trusted roots as CAs
         config = Config()
         trusted_cert_files = TrustedRoots(
             config.get_trustedroots_dir()).get_file_list()
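Review bot: `http.server.HTTPServer.__init__(self, server_address, HandlerClass)` is called with the default `bind_and_activate=True`, so the server binds and starts listening on a plain TCP socket before the TLS context below is even created; the `socketserver.BaseServer.__init__` call it replaces did not bind at all, so this is a behaviour change the commit does not mention. If the rest of `__init__` (which starts before and ends after this hunk) wraps a fresh socket and binds again, the first listener is left open and leaked; if it does not, the listener serves cleartext. Passing `http.server.HTTPServer.__init__(self, server_address, HandlerClass, bind_and_activate=False)` and calling `server_bind()`/`server_activate()` only once the socket is wrapped keeps the listener TLS-only. `ssl_context.verify_mode = ssl.CERT_REQUIRED` is the right setting for mutual TLS, and because `create_default_context(purpose=ssl.Purpose.CLIENT_AUTH)` loads no system CA bundle, only the SFA trusted roots loaded below will be accepted — a comment such as `# only client certificates chaining to the SFA trusted roots are accepted` would make that intent explicit, since "require client certificate" alone reads as if any certificate would do.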
@@ -190,6 +196,7 @@ class SecureXMLRPCServer(http.server.HTTPServer,
         with open(cert_file) as cafile:
             cadata += cafile.read()
         ssl_context.load_verify_locations(cadata=cadata)
+
         # ctx.set_verify(SSL.VERIFY_PEER |
         # SSL.VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback)
         # ctx.set_verify_depth(5)