# XMLRPC-specific code for SFA Client
-from sfa.util.ssl import simple_ssl_context
-
+import ssl
import xmlrpc.client
import http.client
# targetting only python-2.7 we can get rid of some older code
+def sfa_client_ssl_context():
+ ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLS)
+ ssl_context.verify_mode = ssl.CERT_NONE
+ ssl_context.check_hostname = False
+# with open("root.gid") as root:
+# ssl_context.load_verify_locations(cadata=root.read())
+ return ssl_context
+
+
class XMLRPCTransport(xmlrpc.client.Transport):
def __init__(self, key_file=None, cert_file=None, timeout=None):
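Review bot: `sfa_client_ssl_context()` switches server authentication off entirely — `verify_mode = ssl.CERT_NONE` together with `check_hostname = False` means the client completes the handshake with whatever answers on the socket, so the RPC payload and the client certificate go to an unverified peer; the commented-out `load_verify_locations(cadata=root.read())` shows the trust anchor that was meant to be used. Hostname matching can stay off if SFA certificates do not carry DNS names, but chain validation against the trusted roots should be the default and the unverified mode an explicit opt-in. `ssl.PROTOCOL_TLS` is deprecated since Python 3.10; `ssl.PROTOCOL_TLS_CLIENT` is the supported constant, and because it already defaults to `CERT_REQUIRED` with `check_hostname=True`, `check_hostname` has to be cleared before `verify_mode` is lowered or the assignment raises ValueError. A version that keeps both existing call sites working unchanged:
```python
def sfa_client_ssl_context(trusted_roots=None):
    """TLS context for the SFA client; *trusted_roots* is the PEM text of the
    CA certificates to accept (hostname matching stays off, as before)."""
    # PROTOCOL_TLS_CLIENT defaults to CERT_REQUIRED + check_hostname=True;
    # check_hostname must be cleared before verify_mode can be lowered
    ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ssl_context.check_hostname = False
    if trusted_roots is None:
        # legacy behaviour of both current callers: the server is not authenticated
        ssl_context.verify_mode = ssl.CERT_NONE
    else:
        ssl_context.verify_mode = ssl.CERT_REQUIRED
        ssl_context.load_verify_locations(cadata=trusted_roots)
    return ssl_context
```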
# host may be a string, or a (host, x509-dict) tuple
host, extra_headers, x509 = self.get_host_info(host)
conn = http.client.HTTPSConnection(
- host, None, key_file=self.key_file,
- cert_file=self.cert_file, context=simple_ssl_context())
-
- # Some logic to deal with timeouts. It appears that some (or all) versions
- # of python don't set the timeout after the socket is created. We'll do it
- # ourselves by forcing the connection to connect, finding the socket, and
- # calling settimeout() on it. (tested with python 2.6)
- if self.timeout:
- if hasattr(conn, 'set_timeout'):
- conn.set_timeout(self.timeout)
-
- if hasattr(conn, "_conn"):
- # HTTPS is a wrapper around HTTPSConnection
- real_conn = conn._conn
- else:
- real_conn = conn
- conn.connect()
- if hasattr(real_conn, "sock") and hasattr(real_conn.sock, "settimeout"):
- real_conn.sock.settimeout(float(self.timeout))
-
+ host, port=None,
+ key_file=self.key_file,
+ cert_file=self.cert_file,
+ timeout=self.timeout,
+ context=sfa_client_ssl_context(),
+ check_hostname=False,
+ )
+
+# # Some logic to deal with timeouts. It appears that some (or all) versions
+# # of python don't set the timeout after the socket is created. We'll do it
+# # ourselves by forcing the connection to connect, finding the socket, and
+# # calling settimeout() on it. (tested with python 2.6)
+# if self.timeout:
+# if hasattr(conn, 'set_timeout'):
+# conn.set_timeout(self.timeout)
+#
+# if hasattr(conn, "_conn"):
+# # HTTPS is a wrapper around HTTPSConnection
+# real_conn = conn._conn
+# else:
+# real_conn = conn
+# conn.connect()
+# if hasattr(real_conn, "sock") and hasattr(real_conn.sock, "settimeout"):
+# real_conn.sock.settimeout(float(self.timeout))
+#
return conn
def getparser(self):
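Review bot: The `key_file=`, `cert_file=` and `check_hostname=` keyword arguments passed to `http.client.HTTPSConnection` on the new side were deprecated in Python 3.6 and removed in 3.12, so this call raises TypeError on a current interpreter; the client certificate belongs on the context via `load_cert_chain`, and `check_hostname=False` is already the state of the context returned by `sfa_client_ssl_context()`. The timeout logic that was deleted and re-added as comments (the `# if self.timeout:` run) is dead code now that `timeout=self.timeout` is passed through and should be dropped rather than kept commented out; note that an explicit `timeout=None` disables any `socket.setdefaulttimeout()` value the process has set, whereas the previous call left the module default in place. `make_connection` begins before this hunk.
```python
        context = sfa_client_ssl_context()
        if self.cert_file:
            # client certificate for SFA's mutual TLS; replaces the removed kwargs
            context.load_cert_chain(self.cert_file, self.key_file)
        conn = http.client.HTTPSConnection(host, None, timeout=self.timeout, context=context)
        # … unchanged: return conn …
```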
self.url = url
xmlrpc.client.ServerProxy.__init__(
self, url, transport, allow_none=allow_none,
- context=simple_ssl_context(), verbose=verbose)
+ context=sfa_client_ssl_context(), verbose=verbose)
def __getattr__(self, attr):
logger.debug("xml-rpc %s method:%s" % (self.url, attr))
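Review bot: The `context=sfa_client_ssl_context()` argument on the new line is only consulted by `xmlrpc.client.ServerProxy.__init__` when `transport` is None, in which case it builds its own `SafeTransport` around it; with an explicit transport the context is created and discarded. Whether `transport` can be None here is decided before this hunk (the `__init__` it belongs to starts earlier), but if it can, that fallback path connects with the same unverified context as `XMLRPCTransport` does. Either way a one-line comment would save the next reader a trip into the stdlib: `# context= only matters when transport is None; XMLRPCTransport builds its own`.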
# Taken from the web (XXX find reference). Implements an HTTPS xmlrpc server
+# xxx should probably use instead http.server.ThreadingHTTPServer
class SecureXMLRPCServer(http.server.HTTPServer,
xmlrpc.server.SimpleXMLRPCDispatcher):
self.method_map = {}
# add cache to the request handler
HandlerClass.cache = Cache()
+
+ # initialize base classes
+ http.server.HTTPServer.__init__(self, server_address, HandlerClass)
xmlrpc.server.SimpleXMLRPCDispatcher.__init__(self, True, None)
- socketserver.BaseServer.__init__(self, server_address, HandlerClass)
+
+ # define SSL context:
+ # require client certificate
ssl_context = ssl.create_default_context(purpose=ssl.Purpose.CLIENT_AUTH)
+ ssl_context.verify_mode = ssl.CERT_REQUIRED
+ # set local certificate/private key
ssl_context.load_cert_chain(cert_file, key_file)
- # If you wanted to verify certs against known CAs..
- # this is how you would do it
- # ssl_context.load_verify_locations('/etc/sfa/trusted_roots/plc.gpo.gid')
+ # define trusted roots as CAs
config = Config()
trusted_cert_files = TrustedRoots(
config.get_trustedroots_dir()).get_file_list()
with open(cert_file) as cafile:
cadata += cafile.read()
ssl_context.load_verify_locations(cadata=cadata)
+
# ctx.set_verify(SSL.VERIFY_PEER |
# SSL.VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback)
# ctx.set_verify_depth(5)
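Review bot: `http.server.HTTPServer.__init__` near the top of the hunk binds and starts listening before the TLS context on the following lines exists, so if `load_cert_chain` or `load_verify_locations` raises (wrong path, bad PEM) the constructor fails with a bound, listening plaintext socket left open until the half-built object is collected; building `ssl_context` first and calling `HTTPServer.__init__` afterwards is a one-line move that closes that window (the socket wrap that must follow is outside this hunk). The `cadata` loop opens `cert_file`, which reuses the name of the constructor parameter already consumed by `load_cert_chain` above; if the enclosing `for` over `trusted_cert_files` is there (it is not visible in the hunk) the parameter is shadowed from then on, and a distinct name such as `root_file` avoids the ambiguity. Finally, `verify_mode = ssl.CERT_REQUIRED` deserves a comment: it only checks that the peer certificate chains to one of the loaded trusted roots, and whatever the still-commented `verify_callback` enforced per certificate has no equivalent hook in `ssl.SSLContext`, so any such policy now has to run in the request handler on `getpeercert()` — suggested text `# CERT_REQUIRED validates the chain only; per-certificate policy lives in the handler`.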