import SimpleXMLRPCServer
from OpenSSL import SSL
from Queue import Queue
+
+#import sfa.util.sfalogging
from sfa.trust.certificate import Keypair, Certificate
from sfa.trust.credential import *
from sfa.util.faults import *
from sfa.plc.api import SfaAPI
from sfa.util.cache import Cache
-from sfa.util.debug import log
-
+#from sfa.util.debug import log
##
# Verification callback for pyOpenSSL. We do our own checking of keys because
# we have our own authentication spec. Thus we disable several of the normal
#print " preverified"
return 1
- # we're only passing single certificates, not chains
- if depth > 0:
- #print " depth > 0 in verify_callback"
- return 0
# the certificate verification done by openssl checks a number of things
# that we aren't interested in, so we look out for those error messages
#print " X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY"
return 1
+ # allow chained certs with self-signed roots
+ if err == 19:
+ return 1
+
# allow certs that are untrusted
if err == 21:
#print " X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE"
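Review bot: The added `if err == 19: return 1`, combined with the removed `depth > 0` rejection, makes the callback accept a whole chain whose root is self-signed, so the TLS handshake no longer establishes who issued the peer's certificate. That is only safe if the application-level credential check validates the full chain against the trusted roots, which is not visible here; a comment at this branch should say so, e.g. `# X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: accepted here, chain trust is checked against trusted roots at the API layer`. The bare 19 and 21 would read better as named constants such as `X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN = 19`. The same concern covers the `ctx.set_verify_depth(5)` line in the server-constructor hunk. The body of verify_callback starts and ends outside this hunk.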
remote_addr = (remote_ip, remote_port) = self.connection.getpeername()
self.api.remote_addr = remote_addr
response = self.api.handle(remote_addr, request, self.server.method_map)
-
-
except Exception, fault:
# This should only happen if the module is buggy
# internal error, report as HTTP server error
- self.send_response(500)
- self.end_headers()
traceback.print_exc()
- else:
- # got a valid XML RPC response
- self.send_response(200)
- self.send_header("Content-type", "text/xml")
- self.send_header("Content-length", str(len(response)))
- self.end_headers()
- self.wfile.write(response)
-
- # shut down the connection
- self.wfile.flush()
- self.connection.shutdown() # Modified here!
+ response = self.api.prepare_response(fault)
+ #self.send_response(500)
+ #self.end_headers()
+
+ # got a valid response
+ self.send_response(200)
+ self.send_header("Content-type", "text/xml")
+ self.send_header("Content-length", str(len(response)))
+ self.end_headers()
+ self.wfile.write(response)
+
+ # shut down the connection
+ self.wfile.flush()
+ self.connection.shutdown() # Modified here!
##
# Taken from the web (XXX find reference). Implements an HTTPS xmlrpc server
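Review bot: In the `except Exception, fault:` branch, the new `response = self.api.prepare_response(fault)` returns whatever the handler raised to the remote peer with a 200 status, and the clause catches every exception, not only the API's own fault types. If prepare_response serializes the exception message (not visible in this hunk), internal details such as file paths or database errors reach the caller; unexpected exceptions should be mapped to a generic fault while the traceback stays in the server log. The prepare_response call has no guard of its own, so an exception raised there would apparently skip both the reply and `self.connection.shutdown()`. The commented-out `#self.send_response(500)` and `#self.end_headers()` lines should be deleted rather than kept. The enclosing method starts outside the hunk, and indentation is lost in this view, so the exact nesting is inferred.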
SimpleXMLRPCServer.SimpleXMLRPCDispatcher.__init__(self, True, None)
SocketServer.BaseServer.__init__(self, server_address, HandlerClass)
ctx = SSL.Context(SSL.SSLv23_METHOD)
- ctx.use_privatekey_file(key_file)
+ ctx.use_privatekey_file(key_file)
ctx.use_certificate_file(cert_file)
+ # If you wanted to verify certs against known CAs.. this is how you would do it
+ #ctx.load_verify_locations('/etc/sfa/trusted_roots/plc.gpo.gid')
ctx.set_verify(SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback)
+ ctx.set_verify_depth(5)
ctx.set_app_data(self)
self.socket = SSL.Connection(ctx, socket.socket(self.address_family,
self.socket_type))
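Review bot: The `load_verify_locations` call is added only as a comment with a hard-coded path, so no CA store is loaded and the new `ctx.set_verify_depth(5)` bounds chain length without adding any trust decision. Either read the trusted-roots location from configuration and load it, or drop the commented line and state in a comment that chain trust is enforced after the handshake; the 5 also deserves a named constant. Separately, `SSL.SSLv23_METHOD` is used with no options, so legacy protocol versions may still be negotiated; `ctx.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3)` right after the context is created would rule them out. The constructor starts outside the hunk.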
def noop(self, cred, anything):
self.decode_authentication(cred)
-
return anything
##