author | Ng Pheng Siong <ngps@netmemetic.com> | 2003-06-30 06:26:15 +0000 |
---|---|---|
committer | Ng Pheng Siong <ngps@netmemetic.com> | 2003-06-30 06:26:15 +0000 |
commit | 47501fd1b52acdf1ba7efafe25d63147bb5bdc39 (patch) | |
tree | 73f60193ba28e3a597897c38e7ffb86ebad0e2c6 | |
parent | 96ffc2f6e4d5d39a44c4b7a7a3fc158936e6d950 (diff) | |
download | m2crypto-47501fd1b52acdf1ba7efafe25d63147bb5bdc39.tar.gz |
*** empty log message ***
git-svn-id: http://svn.osafoundation.org/m2crypto/trunk@178 2715db39-9adf-0310-9c64-84f055769b4b
-rw-r--r-- | BUGS | 8 | ||||
-rw-r--r-- | CHANGES | 5 | ||||
-rw-r--r-- | INSTALL | 8 | ||||
-rw-r--r-- | LICENCE | 2 | ||||
-rw-r--r-- | M2Crypto/SSL/Connection.py | 8 | ||||
-rw-r--r-- | M2Crypto/SSL/Context.py | 24 | ||||
-rw-r--r-- | README | 6 | ||||
-rw-r--r-- | SWIG/_ssl.i | 16 | ||||
-rw-r--r-- | demo/Zope/ZServer/HTTPS_Server.py | 28 | ||||
-rw-r--r-- | demo/Zope/ZServer/medusa/https_server.py | 4 | ||||
-rw-r--r-- | demo/Zope/ca.pem | 36 | ||||
-rw-r--r-- | demo/Zope/z2s.py | 80 | ||||
-rw-r--r-- | demo/Zope/z2s.py.diff | 103 | ||||
-rw-r--r-- | demo/https.howto/ca.pem | 36 | ||||
-rw-r--r-- | demo/medusa/ca.pem | 36 | ||||
-rw-r--r-- | demo/smime/ca.pem | 36 | ||||
-rw-r--r-- | demo/ssl/ca.pem | 36 | ||||
-rw-r--r-- | demo/ssl/echo.py | 23 | ||||
-rw-r--r-- | demo/ssl/echod-async.py | 5 | ||||
-rw-r--r-- | demo/ssl/echod-iterative.py | 3 | ||||
-rw-r--r-- | demo/ssl/echod_lib.py | 12 | ||||
-rw-r--r-- | demo/ssl/https_cli.py | 8 | ||||
-rw-r--r-- | demo/ssl/https_srv.py | 4 | ||||
-rw-r--r-- | setup.py | 6 |
24 files changed, 348 insertions, 185 deletions
@@ -1,5 +1,5 @@ ------------- - 12 May 2003 + 29 Jun 2003 ------------- 1. SSL.Connection.makefile() returns an instance of BIO.IOBuffer, @@ -19,5 +19,9 @@ ftps_server. (Works using Python 2.1.) 5. Possible concurrency bugs in the SSL functionality as reported by Brent Chun. +6. demo/ssl/echod-forking.py no longer works. (Tested with Python 2.2.2.) +I won't bother try fixing this, since forking servers are passe. + + --------------------------------------------------------------------------- -$Id: BUGS,v 1.4 2003/05/11 16:20:36 ngps Exp $ +$Id: BUGS,v 1.5 2003/06/30 06:12:41 ngps Exp $ @@ -1,4 +1,9 @@ + Changes since 0.11 +-------------------- +- ZServerSSL with client certificate-based authentication rides again. + + Changes since 0.10 -------------------- - Dave Berkeley <dave@rotwang.freeserve.co.uk> contributed fixes to @@ -1,10 +1,10 @@ ========================== - Installing M2Crypto 0.11 + Installing M2Crypto 0.12 ========================== :Author: Ng Pheng Siong -:Id: $Id: INSTALL,v 1.6 2003/06/22 16:28:47 ngps Exp $ -:Date: $Date: 2003/06/22 16:28:47 $ +:Id: $Id: INSTALL,v 1.7 2003/06/30 06:12:41 ngps Exp $ +:Date: $Date: 2003/06/30 06:12:41 $ :Web-Site: http://www.post1.com/home/ngps/m2 .. contents:: @@ -34,7 +34,7 @@ Preparation http://sebsauvage.net/python/mingw.html -2. (**This step applies to both Windows and Un\*x platforms**). Tweak +2. **This step applies to both Windows and Un\*x platforms**: Tweak Distutils per the above webpage. The following differs slightly from Sebastien's instructions: @@ -1,4 +1,4 @@ -Copyright (c) 1999-2002 Ng Pheng Siong. All rights reserved. +Copyright (c) 1999-2003 Ng Pheng Siong. All rights reserved. Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, diff --git a/M2Crypto/SSL/Connection.py b/M2Crypto/SSL/Connection.py index 8f3e60b..fed6b73 100644 --- a/M2Crypto/SSL/Connection.py +++ b/M2Crypto/SSL/Connection.py 
@@ -2,7 +2,7 @@ Copyright (c) 1999-2002 Ng Pheng Siong. All rights reserved.""" -RCS_id='$Id: Connection.py,v 1.10 2003/06/22 16:49:01 ngps Exp $' +RCS_id='$Id: Connection.py,v 1.11 2003/06/30 06:14:34 ngps Exp $' # Python import socket, sys @@ -53,6 +53,12 @@ class Connection: def ssl_get_error(self, ret): return m2.ssl_get_error(self.ssl, ret) + def set_client_CA_list_from_file(self, cafile): + m2.ssl_set_client_CA_list(self.ssl, cafile) + + def set_client_CA_list_from_context(self): + m2.ssl_set_client_CA_list_from_context(self.ssl, self.ctx.ctx) + def setup_addr(self, addr): self.addr = addr diff --git a/M2Crypto/SSL/Context.py b/M2Crypto/SSL/Context.py index e5b4bc2..f8a818d 100644 --- a/M2Crypto/SSL/Context.py +++ b/M2Crypto/SSL/Context.py @@ -2,7 +2,7 @@ Copyright (c) 1999-2001 Ng Pheng Siong. All rights reserved.""" -RCS_id='$Id: Context.py,v 1.5 2003/06/22 16:52:50 ngps Exp $' +RCS_id='$Id: Context.py,v 1.6 2003/06/30 06:14:34 ngps Exp $' # M2Crypto import cb 
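Review bot: `Connection.set_client_CA_list_from_file` calls `m2.ssl_set_client_CA_list`, but the per-connection wrapper this commit adds to SWIG/_ssl.i is named `ssl_set_client_CA_list_from_file`, so the new method raises AttributeError the first time it is used; it should read `m2.ssl_set_client_CA_list_from_file(self.ssl, cafile)`. Neither new method carries a docstring, while the Context counterpart documents that these names are the CA list sent to the peer in the certificate request; the same sentence applies here per connection, and `set_client_CA_list_from_context` should say it reuses the list already loaded on `self.ctx`. The enclosing class Connection continues outside the hunk.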
@@ -89,27 +89,29 @@ class Context: if not m2.ssl_ctx_check_privkey(self.ctx): raise ValueError, 'public/private key mismatch' - def load_client_ca(self, cafile): + def set_client_CA_list_from_file(self, cafile): """Load CA certs into the context. These CA certs are sent to the peer during *SSLv3 certificate request*. 'cafile' - File object containing one or more PEM-encoded CA certificates concatenated together. """ - m2.ssl_ctx_load_client_CA(self.ctx, cafile) + m2.ssl_ctx_set_client_CA_list_from_file(self.ctx, cafile) - load_client_CA = load_client_ca + # Deprecated. + load_client_CA = load_client_ca = set_client_CA_list_from_file - def load_verify_info(self, cafile): + def load_verify_locations(self, cafile): """Load CA certs into the context. These CA certs are used during verification of the peer's certificate. - 'cafile' - File object containing one or more PEM-encoded CA + 'cafile' - File containing one or more PEM-encoded CA certificates concatenated together. """ return m2.ssl_ctx_load_verify_locations(self.ctx, cafile) - load_verify_location = load_verify_info + # Deprecated. + load_verify_info = load_verify_locations def set_session_id_ctx(self, id): ret = m2.ssl_ctx_set_session_id_context(self.ctx, id) @@ -130,8 +132,12 @@ class Context: """ return self.allow_unknown_ca - def set_verify(self, mode, depth, callback=cb.ssl_verify_callback): - m2.ssl_ctx_set_verify(self.ctx, mode, callback) + #def set_verify(self, mode, depth, callback=cb.ssl_verify_callback): + def set_verify(self, mode, depth, callback=None): + if callback is None: + m2.ssl_ctx_set_verify_default(self.ctx, mode) + else: + m2.ssl_ctx_set_verify(self.ctx, mode, callback) m2.ssl_ctx_set_verify_depth(self.ctx, depth) def get_verify_mode(self): 
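Review bot: The rename of `load_verify_info` to `load_verify_locations` drops the old `load_verify_location` alias (the removed line `load_verify_location = load_verify_info`) and keeps only `load_verify_info`, so callers on the singular name — which is what demo/Zope/z2s.py used before this commit — now fail with AttributeError; the deprecation line should be `load_verify_location = load_verify_info = load_verify_locations`. The commented-out `#def set_verify(self, mode, depth, callback=cb.ssl_verify_callback):` above the new signature is dead code and should be deleted. With `callback=None` the new default path installs OpenSSL's built-in verification via `ssl_ctx_set_verify_default` instead of the Python callback, which changes behaviour for every caller that passed no callback; that deserves a sentence in the `set_verify` docstring and in CHANGES. Class Context continues outside the hunk.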
@@ -1,10 +1,10 @@ =============== - M2Crypto 0.11 + M2Crypto 0.12 =============== :Author: Ng Pheng Siong -:Id: $Id: README,v 1.4 2003/06/22 16:28:47 ngps Exp $ -:Date: $Date: 2003/06/22 16:28:47 $ +:Id: $Id: README,v 1.5 2003/06/30 06:12:41 ngps Exp $ +:Date: $Date: 2003/06/30 06:12:41 $ :Web-Site: http://www.post1.com/home/ngps/m2 diff --git a/SWIG/_ssl.i b/SWIG/_ssl.i index f892183..bd7748b 100644 --- a/SWIG/_ssl.i +++ b/SWIG/_ssl.i @@ -1,5 +1,5 @@ /* Copyright (c) 1999-2003 Ng Pheng Siong. All rights reserved. */ -/* $Id: _ssl.i,v 1.2 2003/06/22 18:26:44 ngps Exp $ */ +/* $Id: _ssl.i,v 1.3 2003/06/30 06:17:42 ngps Exp $ */ %{ #include <pythread.h> @@ -171,10 +171,14 @@ int ssl_ctx_check_privkey(SSL_CTX *ctx) { return ret; } -void ssl_ctx_load_client_CA(SSL_CTX *ctx, const char *ca_file) { +void ssl_ctx_set_client_CA_list_from_file(SSL_CTX *ctx, const char *ca_file) { SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(ca_file)); } +void ssl_ctx_set_verify_default(SSL_CTX *ctx, int mode) { + SSL_CTX_set_verify(ctx, mode, NULL); +} + void ssl_ctx_set_verify(SSL_CTX *ctx, int mode, PyObject *pyfunc) { Py_XDECREF(ssl_verify_cb_func); Py_INCREF(pyfunc); @@ -220,6 +224,14 @@ int bio_set_ssl(BIO *bio, SSL *ssl, int flag) { return BIO_ctrl(bio, BIO_C_SET_SSL, flag, (char *)ssl); } +void ssl_set_client_CA_list_from_file(SSL *ssl, const char *ca_file) { + SSL_set_client_CA_list(ssl, SSL_load_client_CA_file(ca_file)); +} + +void ssl_set_client_CA_list_from_context(SSL *ssl, SSL_CTX *ctx) { + SSL_set_client_CA_list(ssl, SSL_CTX_get_client_CA_list(ctx)); +} + int ssl_set_session_id_context(SSL *ssl, PyObject *sid_ctx) { const void *buf; int len; diff --git a/demo/Zope/ZServer/HTTPS_Server.py b/demo/Zope/ZServer/HTTPS_Server.py index 5357057..afe89b4 100644 --- a/demo/Zope/ZServer/HTTPS_Server.py +++ b/demo/Zope/ZServer/HTTPS_Server.py 
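Review bot: `ssl_ctx_set_client_CA_list_from_file` feeds the result of `SSL_load_client_CA_file` straight into `SSL_CTX_set_client_CA_list`; `SSL_load_client_CA_file` returns NULL when the file cannot be read or contains no certificate, so a missing or malformed CA file silently leaves the client-CA list empty rather than surfacing an error to Python, which is hard to diagnose in a client-certificate-authentication setup. The same pattern is in `ssl_set_client_CA_list_from_file` in the next hunk. Suggest capturing the stack and reporting failure, e.g. `STACK_OF(X509_NAME) *names = SSL_load_client_CA_file(ca_file); if (names == NULL) return 0;` with an int status the Python wrapper can turn into an exception.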
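Review bot: `ssl_set_client_CA_list_from_context` installs the SSL_CTX's own CA-name stack on the SSL object through `SSL_set_client_CA_list`, which — like the `SSL_CTX_set_client_CA_list` call in the hunk above — appears to take ownership of the stack it is given; if that reading is right, the SSL and its SSL_CTX would each free the same STACK_OF(X509_NAME) on teardown. A copy, `SSL_set_client_CA_list(ssl, SSL_dup_CA_list(SSL_CTX_get_client_CA_list(ctx)));`, avoids the question. Either way the ownership assumption should be stated in a comment next to the call.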
@@ -37,13 +37,12 @@ changes from Zope's HTTP server: Well, this is a *HTTPS* server :) X.509 certificate-based authentication -- When this is in force, - zhttps_handler, a subclass of zhttp_handler, is installed. The - https server is configured to _require_ an X.509 certificate - from the client. When the request reaches zhttps_handler, it pulls - the client's distinguished name (DN) from the certificate, maps - that to a Zope user name and sets REMOTE_USER accordingly; if a - mapping does not exist, REMOTE_USER is not set. Zope's REMOTE_USER - machinery takes care of the rest. + zhttps_handler, a subclass of zhttp_handler, is installed. The + https server is configured to _require_ an X.509 certificate from + the client. When the request reaches zhttps_handler, it sets + REMOTE_USER to the client's subject distinguished name (DN) from + the certificate. Zope's REMOTE_USER machinery takes care of the + rest, e.g., in conjunction with the RemoteUserFolder product. """ @@ -60,25 +59,22 @@ from medusa.https_server import https_server, https_channel from medusa.asyncore import dispatcher -ZSERVER_SSL_VERSION='0.11' - +ZSERVER_SSL_VERSION='0.12' register_subsystem('ZServer HTTPS_Server') + class zhttps_handler(zhttp_handler): "zhttps handler - sets REMOTE_USER to user's X.509 certificate Subject DN" - def __init__ (self, module, x509_zope_map, uri_base=None, env=None): + def __init__ (self, module, uri_base=None, env=None): zhttp_handler.__init__(self, module, uri_base, env) - self.x509_zope = x509_zope_map def get_environment(self, request): env = zhttp_handler.get_environment(self, request) - peer = request.channel.get_peer_cert().get_subject() - try: - env['REMOTE_USER'] = self.x509_zope[str(peer)] - except KeyError: - pass + peer = request.channel.get_peer_cert() + if peer is not None: + env['REMOTE_USER'] = str(peer.get_subject()) return env 
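Review bot: `zhttps_handler.get_environment` now sets REMOTE_USER to the bare subject DN of whichever client certificate survived the handshake, so two certificates with the same subject issued by different CAs present in the trusted ca.pem become the same Zope user; the class docstring should state that this identity is exactly as strong as the set of CAs loaded into the context, and a stricter key (issuer plus subject, or the certificate fingerprint) is worth considering. The `peer is None` branch silently leaves REMOTE_USER unset, which is fine while the context requires a client certificate, but a comment such as `# No client certificate: leave REMOTE_USER unset so Zope treats the request as anonymous` makes the intent explicit. Since a RemoteUserFolder entry has to match `str(peer.get_subject())` byte for byte, the docstring should also document which string form that call produces.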
diff --git a/demo/Zope/ZServer/medusa/https_server.py b/demo/Zope/ZServer/medusa/https_server.py index c5d16f5..45dd810 100644 --- a/demo/Zope/ZServer/medusa/https_server.py +++ b/demo/Zope/ZServer/medusa/https_server.py @@ -4,12 +4,12 @@ Copyright (c) 1999-2003 Ng Pheng Siong. All rights reserved.""" -RCS_id='$Id: https_server.py,v 1.5 2003/06/22 17:09:43 ngps Exp $' +RCS_id='$Id: https_server.py,v 1.6 2003/06/30 06:22:00 ngps Exp $' import asynchat, asyncore, http_server, socket, sys from M2Crypto import SSL -VERSION_STRING='0.11' +VERSION_STRING='0.12' class https_channel(http_server.http_channel): diff --git a/demo/Zope/ca.pem b/demo/Zope/ca.pem index 11d28fc..b7c84a1 100644 --- a/demo/Zope/ca.pem +++ b/demo/Zope/ca.pem 
@@ -1,20 +1,20 @@ -----BEGIN CERTIFICATE----- -MIIDRTCCAq6gAwIBAgIBADANBgkqhkiG9w0BAQQFADB7MQswCQYDVQQGEwJTRzER -MA8GA1UEChMITTJDcnlwdG8xFDASBgNVBAsTC00yQ3J5cHRvIENBMSQwIgYDVQQD -ExtNMkNyeXB0byBDZXJ0aWZpY2F0ZSBNYXN0ZXIxHTAbBgkqhkiG9w0BCQEWDm5n -cHNAcG9zdDEuY29tMB4XDTAwMDkxMDA4NTgzNVoXDTAzMDkxMDA4NTgzNVowezEL -MAkGA1UEBhMCU0cxETAPBgNVBAoTCE0yQ3J5cHRvMRQwEgYDVQQLEwtNMkNyeXB0 -byBDQTEkMCIGA1UEAxMbTTJDcnlwdG8gQ2VydGlmaWNhdGUgTWFzdGVyMR0wGwYJ -KoZIhvcNAQkBFg5uZ3BzQHBvc3QxLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAw -gYkCgYEAw8eBhjy0SrxpEmFqUu+xSd7p8uWq4T/Txfa+9SE/dBeoyydcqj5MO0Qq -TjzNM3YHTy7rOSxJSxFBI0M/Q5rPSC961VJ1ZpdKglTGQTrePf4KxIqcowJgJiBL -+2hCyK3ggCaKvDehQAFzPv9C20ym1gcZpxLbVtG6I86Xu0q19gECAwEAAaOB2DCB -1TAdBgNVHQ4EFgQU+4cjaeucOpMV5cW/KVFP/u0oOAEwgaUGA1UdIwSBnTCBmoAU -+4cjaeucOpMV5cW/KVFP/u0oOAGhf6R9MHsxCzAJBgNVBAYTAlNHMREwDwYDVQQK -EwhNMkNyeXB0bzEUMBIGA1UECxMLTTJDcnlwdG8gQ0ExJDAiBgNVBAMTG00yQ3J5 -cHRvIENlcnRpZmljYXRlIE1hc3RlcjEdMBsGCSqGSIb3DQEJARYObmdwc0Bwb3N0 -MS5jb22CAQAwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQQFAAOBgQDBdXSoxU/z -g+ruWXqHYVK745tTrAbT+LoOhjZd+sYQ3s4eVHuE556Aw58fqs9xdsOIWM4IkhRW -W99iFjGaNeiix3ppUK1DWKsNvYv+qPiQ81mQfk7VQSf7mdzTr//fCam1yjA2PPO9 -WQBPqSVBuauVvuJEkeJREn01+8kANRg3Zg== +MIIDWTCCAsKgAwIBAgIBADANBgkqhkiG9w0BAQQFADCBgDELMAkGA1UEBhMCU0cx +ETAPBgNVBAoTCE0yQ3J5cHRvMRQwEgYDVQQLEwtNMkNyeXB0byBDQTEkMCIGA1UE +AxMbTTJDcnlwdG8gQ2VydGlmaWNhdGUgTWFzdGVyMSIwIAYJKoZIhvcNAQkBFhNu +Z3BzQG5ldG1lbWV0aWMuY29tMB4XDTAxMTIxNTA1NTU0NloXDTA0MTIxNDA1NTU0 +NlowgYAxCzAJBgNVBAYTAlNHMREwDwYDVQQKEwhNMkNyeXB0bzEUMBIGA1UECxML +TTJDcnlwdG8gQ0ExJDAiBgNVBAMTG00yQ3J5cHRvIENlcnRpZmljYXRlIE1hc3Rl +cjEiMCAGCSqGSIb3DQEJARYTbmdwc0BuZXRtZW1ldGljLmNvbTCBnzANBgkqhkiG +9w0BAQEFAAOBjQAwgYkCgYEAx8soJbS719LHK62VVVIQeC3oW0HvFArwPnA0LuEK +q+LaqMOJg1rS7hvFdX03diV+XJw7cC0iECZYJNG4ii1xbY6KRmufkInaAwm54E3N +e+YYVocaqUkcN6xVf6fwnLfPXbpFS/K2Umg11ObKMmi80JmiIdjcjRRCQZC7g1hf +q+kCAwEAAaOB4DCB3TAdBgNVHQ4EFgQU6/qcBzEtQphfXLhiOHbt2KqBwMIwga0G +A1UdIwSBpTCBooAU6/qcBzEtQphfXLhiOHbt2KqBwMKhgYakgYMwgYAxCzAJBgNV 
+BAYTAlNHMREwDwYDVQQKEwhNMkNyeXB0bzEUMBIGA1UECxMLTTJDcnlwdG8gQ0Ex +JDAiBgNVBAMTG00yQ3J5cHRvIENlcnRpZmljYXRlIE1hc3RlcjEiMCAGCSqGSIb3 +DQEJARYTbmdwc0BuZXRtZW1ldGljLmNvbYIBADAMBgNVHRMEBTADAQH/MA0GCSqG +SIb3DQEBBAUAA4GBAD+I14GuS5vJmyv1k7mUMbAicsWRHZ+zrGOq9L/L2LsA+lKQ +dAzEZE2+Zv8LBPJVltbJJhcFNJS/ZMAjEm4xlJuCpvXVMxd/M5AM29aqekWlIK7J +vsdDL8IuzpRkMniUiNKPhmB6IPIOslvUKx6QofcE0wDh6pg4VvIbCjkpZ7gf -----END CERTIFICATE----- diff --git a/demo/Zope/z2s.py b/demo/Zope/z2s.py index b440eb3..9937186 100644 --- a/demo/Zope/z2s.py +++ b/demo/Zope/z2s.py @@ -143,6 +143,11 @@ Options: Multiple -Y options can be provided to run multiple servers. + -x + + If present, this option causes Zope to run in X.509 certificate-based + authentication mode. + -C --force-http-connection-close @@ -332,6 +337,9 @@ WEBDAV_SOURCE_PORT=[] # standard port for this handler, which is disabled by default. WEBDAV_SSL_SOURCE_PORT=[] +# Should we use client X.509 certificate-based authentication? +X509_REMOTE_USER=None + ## FTP configuration # Port for the FTP Server. The standard port for FTP services is 21. @@ -421,7 +429,7 @@ try: opts, args = getopt.getopt(sys.argv[1:], - 'hz:Z:t:i:a:d:u:w:W:y:Y:f:p:m:Sl:2DP:rF:L:XM:C', + 'hz:Z:t:i:a:d:u:w:W:y:Y:x:f:p:m:Sl:2DP:rF:L:XM:C', ['icp=', 'force-http-connection-close' ]) @@ -486,6 +494,11 @@ try: WEBDAV_SOURCE_PORT=server_info(WEBDAV_SOURCE_PORT, v) elif o=='-Y': WEBDAV_SSL_SOURCE_PORT=server_info(WEBDAV_SSL_SOURCE_PORT, v) + elif o=='-x': + if v in ('-', '0', ''): + X509_REMOTE_USER=None + else: + X509_REMOTE_USER=1 elif o=='-f': FTP_PORT=server_info(FTP_PORT, v) elif o=='-P': 
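Review bot: The help text for `-x` says "If present, this option causes Zope to run in X.509 certificate-based authentication mode", but the getopt spec gains `x:` (argument required) and the parser treats `-`, `0` and `''` as off, so a bare `-x` is rejected by getopt and the documented usage does not work. Either document the argument (`-x 1` enables, `-x -` or `-x 0` disables) or register the flag as `x` without the colon and set `X509_REMOTE_USER=1` unconditionally. The `# Should we use client X.509 certificate-based authentication?` comment on the new variable could state the accepted values as well.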
@@ -651,6 +664,49 @@ try: ## ZServer startup ## + ## In X509_REMOTE_USER mode, we log the client cert's subject DN. + if X509_REMOTE_USER: + + import base64, string, time + + def log (self, bytes): + user_agent=self.get_header('user-agent') + if not user_agent: user_agent='' + referer=self.get_header('referer') + if not referer: referer='' + + get_peer_cert = getattr(self.channel, 'get_peer_cert', None) + if get_peer_cert is not None: + name = str(get_peer_cert().get_subject()) + else: + name = 'Anonymous' + auth=self.get_header('Authorization') + if auth is not None: + if string.lower(auth[:6]) == 'basic ': + try: decoded=base64.decodestring(auth[6:]) + except base64.binascii.Error: decoded='' + t = string.split(decoded, ':', 1) + if len(t) < 2: + name = 'Unknown (bad auth string)' + else: + name = t[0] + + self.channel.server.logger.log ( + self.channel.addr[0], + ' - %s [%s] "%s" %d %d "%s" "%s"\n' % ( + name, + self.log_date_string (time.time()), + self.request, + self.reply_code, + bytes, + referer, + user_agent + ) + ) + + from ZServer.medusa import http_server + http_server.http_request.log = log + # Resolver and Logger, used by other servers if DNS_IP: rs = resolver.caching_resolver(DNS_IP) 
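Review bot: The comment says that in X509_REMOTE_USER mode the client certificate's subject DN is logged, but the Basic-auth branch below overwrites `name` whenever an Authorization header is present, so a request carrying both a certificate and a header logs the header's user rather than the certificate identity; guard it with `if name == 'Anonymous' and auth is not None:` or log both values. Both `name` sources, the decoded header in particular, are request-controlled text written into the log line unescaped, so collapsing whitespace first (`name = string.join(string.split(name), ' ')`) keeps a single request from forging additional log lines. `except base64.binascii.Error` depends on base64 re-exporting binascii; `import binascii` and catching `binascii.Error` is the documented spelling. The replacement `log` is installed on `http_server.http_request` for every request, not only HTTPS ones — the getattr fallback covers that, but a comment saying so would help the next reader.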
@@ -722,12 +778,17 @@ try: # HTTPS Server if HTTPS_PORT: ssl_ctx = SSL.Context('sslv23') - ssl_ctx.load_cert('%s/server.pem' % INSTANCE_HOME) - ssl_ctx.load_verify_location('%s/ca.pem' % INSTANCE_HOME) + ssl_ctx.load_cert_chain('%s/server.pem' % INSTANCE_HOME) + ssl_ctx.load_verify_locations('%s/ca.pem' % INSTANCE_HOME) ssl_ctx.load_client_CA('%s/ca.pem' % INSTANCE_HOME) - ssl_ctx.set_verify(SSL.verify_none, 10) + #ssl_ctx.set_allow_unknown_ca(1) ssl_ctx.set_session_id_ctx(MODULE) ssl_ctx.set_tmp_dh('%s/dh1024.pem' % INSTANCE_HOME) + if X509_REMOTE_USER: + ssl_ctx.set_verify(SSL.verify_peer|SSL.verify_fail_if_no_peer_cert, 10) + #ssl_ctx.set_verify(SSL.verify_peer, 10) + else: + ssl_ctx.set_verify(SSL.verify_none, 10) if type(HTTPS_PORT) is type(0): HTTPS_PORT=((IP_ADDRESS, HTTPS_PORT),) for address, port in HTTPS_PORT: @@ -743,8 +804,11 @@ try: except KeyError: pass HTTPS_ENV['HTTPS']='ON' - - zsh = zhttp_handler(MODULE, '', HTTPS_ENV) + + if X509_REMOTE_USER: + zsh = zhttps_handler(MODULE, '', HTTPS_ENV) + else: + zsh = zhttp_handler(MODULE, '', HTTPS_ENV) hss.install_handler(zsh) # WebDAV source Server (runs HTTP, but munges request to return @@ -794,8 +858,8 @@ try: # 'manage_FTPget'). if WEBDAV_SSL_SOURCE_PORT: ssl_ctx = SSL.Context('sslv23') - ssl_ctx.load_cert('%s/server.pem' % INSTANCE_HOME) - ssl_ctx.load_verify_location('%s/ca.pem' % INSTANCE_HOME) + ssl_ctx.load_cert_chain('%s/server.pem' % INSTANCE_HOME) + ssl_ctx.load_verify_locations('%s/ca.pem' % INSTANCE_HOME) ssl_ctx.load_client_CA('%s/ca.pem' % INSTANCE_HOME) ssl_ctx.set_verify(SSL.verify_none, 10) ssl_ctx.set_session_id_ctx(MODULE) diff --git a/demo/Zope/z2s.py.diff b/demo/Zope/z2s.py.diff index 587e146..afb222d 100644 --- a/demo/Zope/z2s.py.diff +++ b/demo/Zope/z2s.py.diff @@ -1,5 +1,5 @@ --- /usr/local/home/ngps/pkg/zope261/z2.py Thu Jan 30 22:41:42 2003 -+++ z2s.py Sat Jun 21 23:46:07 2003 ++++ z2s.py Mon Jun 30 13:37:51 2003 
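Review bot: The HTTPS context and the WebDAV-SSL context in the third hunk still call `ssl_ctx.load_client_CA(...)`, the alias that the Context.py change in this same commit marks `# Deprecated.`; since the demo already moved to `load_cert_chain`/`load_verify_locations`, both places should use `ssl_ctx.set_client_CA_list_from_file('%s/ca.pem' % INSTANCE_HOME)`. The commented-out `#ssl_ctx.set_allow_unknown_ca(1)` and `#ssl_ctx.set_verify(SSL.verify_peer, 10)` lines are leftover alternatives and should be removed or replaced by a comment saying when each would be appropriate. In X509_REMOTE_USER mode only the HTTPS server gets `verify_peer|verify_fail_if_no_peer_cert` and the `zhttps_handler`; the WebDAV-SSL source server keeps `verify_none`, so if it serves the same Zope objects it remains reachable without a client certificate — presumably intended for WebDAV clients, but the configuration comment should say so.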
@@ -105,9 +105,21 @@ Multiple -w options can be provided to run multiple servers. @@ -23,7 +23,7 @@ "WebDAV source" is disabled. The default is disabled. Note that this feature is a workaround for the lack of "source-link" support in standard WebDAV clients. -@@ -118,6 +130,19 @@ +@@ -118,6 +130,24 @@ Multiple -W options can be provided to run multiple servers. @@ -40,10 +40,15 @@ + + Multiple -Y options can be provided to run multiple servers. + ++ -x ++ ++ If present, this option causes Zope to run in X.509 certificate-based ++ authentication mode. ++ -C --force-http-connection-close -@@ -286,9 +311,15 @@ +@@ -286,9 +316,15 @@ # Port for HTTP Server. The standard port for HTTP services is 80. HTTP_PORT=8080 @@ -59,7 +64,7 @@ # Should we close all HTTP connections, ignoring the (usually absent) # 'Connection:' header? FORCE_HTTP_CONNECTION_CLOSE=0 -@@ -297,6 +328,10 @@ +@@ -297,6 +333,13 @@ # standard port for this handler, which is disabled by default. WEBDAV_SOURCE_PORT=[] @@ -67,19 +72,22 @@ +# standard port for this handler, which is disabled by default. +WEBDAV_SSL_SOURCE_PORT=[] + ++# Should we use client X.509 certificate-based authentication? ++X509_REMOTE_USER=None ++ ## FTP configuration # Port for the FTP Server. The standard port for FTP services is 21. -@@ -386,7 +421,7 @@ +@@ -386,7 +429,7 @@ opts, args = getopt.getopt(sys.argv[1:], - 'hz:Z:t:i:a:d:u:w:W:f:p:m:Sl:2DP:rF:L:XM:C', -+ 'hz:Z:t:i:a:d:u:w:W:y:Y:f:p:m:Sl:2DP:rF:L:XM:C', ++ 'hz:Z:t:i:a:d:u:w:W:y:Y:x:f:p:m:Sl:2DP:rF:L:XM:C', ['icp=', 'force-http-connection-close' ]) -@@ -443,10 +478,14 @@ +@@ -443,10 +486,19 @@ MONITOR_PORT=server_info(MONITOR_PORT, v) elif o=='-w': HTTP_PORT=server_info(HTTP_PORT, v) 
@@ -91,10 +99,15 @@ WEBDAV_SOURCE_PORT=server_info(WEBDAV_SOURCE_PORT, v) + elif o=='-Y': + WEBDAV_SSL_SOURCE_PORT=server_info(WEBDAV_SSL_SOURCE_PORT, v) ++ elif o=='-x': ++ if v in ('-', '0', ''): ++ X509_REMOTE_USER=None ++ else: ++ X509_REMOTE_USER=1 elif o=='-f': FTP_PORT=server_info(FTP_PORT, v) elif o=='-P': -@@ -601,11 +640,14 @@ +@@ -601,14 +653,60 @@ from ZServer import resolver, logger, asyncore from ZServer import zhttp_server, zhttp_handler @@ -109,7 +122,53 @@ ## ZServer startup ## -@@ -668,11 +710,43 @@ ++ ## In X509_REMOTE_USER mode, we log the client cert's subject DN. ++ if X509_REMOTE_USER: ++ ++ import base64, string, time ++ ++ def log (self, bytes): ++ user_agent=self.get_header('user-agent') ++ if not user_agent: user_agent='' ++ referer=self.get_header('referer') ++ if not referer: referer='' ++ ++ get_peer_cert = getattr(self.channel, 'get_peer_cert', None) ++ if get_peer_cert is not None: ++ name = str(get_peer_cert().get_subject()) ++ else: ++ name = 'Anonymous' ++ auth=self.get_header('Authorization') ++ if auth is not None: ++ if string.lower(auth[:6]) == 'basic ': ++ try: decoded=base64.decodestring(auth[6:]) ++ except base64.binascii.Error: decoded='' ++ t = string.split(decoded, ':', 1) ++ if len(t) < 2: ++ name = 'Unknown (bad auth string)' ++ else: ++ name = t[0] ++ ++ self.channel.server.logger.log ( ++ self.channel.addr[0], ++ ' - %s [%s] "%s" %d %d "%s" "%s"\n' % ( ++ name, ++ self.log_date_string (time.time()), ++ self.request, ++ self.reply_code, ++ bytes, ++ referer, ++ user_agent ++ ) ++ ) ++ ++ from ZServer.medusa import http_server ++ http_server.http_request.log = log ++ + # Resolver and Logger, used by other servers + if DNS_IP: + rs = resolver.caching_resolver(DNS_IP) +@@ -668,11 +766,51 @@ # from another web server to ZServer, and would like the CGI # environment to reflect the CGI environment of the other web # server. 
@@ -125,12 +184,17 @@ + # HTTPS Server + if HTTPS_PORT: + ssl_ctx = SSL.Context('sslv23') -+ ssl_ctx.load_cert('%s/server.pem' % INSTANCE_HOME) -+ ssl_ctx.load_verify_location('%s/ca.pem' % INSTANCE_HOME) ++ ssl_ctx.load_cert_chain('%s/server.pem' % INSTANCE_HOME) ++ ssl_ctx.load_verify_locations('%s/ca.pem' % INSTANCE_HOME) + ssl_ctx.load_client_CA('%s/ca.pem' % INSTANCE_HOME) -+ ssl_ctx.set_verify(SSL.verify_none, 10) ++ #ssl_ctx.set_allow_unknown_ca(1) + ssl_ctx.set_session_id_ctx(MODULE) + ssl_ctx.set_tmp_dh('%s/dh1024.pem' % INSTANCE_HOME) ++ if X509_REMOTE_USER: ++ ssl_ctx.set_verify(SSL.verify_peer|SSL.verify_fail_if_no_peer_cert, 10) ++ #ssl_ctx.set_verify(SSL.verify_peer, 10) ++ else: ++ ssl_ctx.set_verify(SSL.verify_none, 10) + if type(HTTPS_PORT) is type(0): HTTPS_PORT=((IP_ADDRESS, HTTPS_PORT),) + + for address, port in HTTPS_PORT: @@ -146,14 +210,17 @@ + except KeyError: + pass + HTTPS_ENV['HTTPS']='ON' -+ -+ zsh = zhttp_handler(MODULE, '', HTTPS_ENV) ++ ++ if X509_REMOTE_USER: ++ zsh = zhttps_handler(MODULE, '', HTTPS_ENV) ++ else: ++ zsh = zhttp_handler(MODULE, '', HTTPS_ENV) + hss.install_handler(zsh) + # WebDAV source Server (runs HTTP, but munges request to return # 'manage_FTPget'). if WEBDAV_SOURCE_PORT: -@@ -716,6 +790,34 @@ +@@ -716,6 +854,34 @@ else: sys.WEBDAV_SOURCE_PORT_CLIENTS = None @@ -161,8 +228,8 @@ + # 'manage_FTPget'). + if WEBDAV_SSL_SOURCE_PORT: + ssl_ctx = SSL.Context('sslv23') -+ ssl_ctx.load_cert('%s/server.pem' % INSTANCE_HOME) -+ ssl_ctx.load_verify_location('%s/ca.pem' % INSTANCE_HOME) ++ ssl_ctx.load_cert_chain('%s/server.pem' % INSTANCE_HOME) ++ ssl_ctx.load_verify_locations('%s/ca.pem' % INSTANCE_HOME) + ssl_ctx.load_client_CA('%s/ca.pem' % INSTANCE_HOME) + ssl_ctx.set_verify(SSL.verify_none, 10) + ssl_ctx.set_session_id_ctx(MODULE) @@ -188,7 +255,7 @@ # FTP Server if FTP_PORT: -@@ -906,6 +1008,8 @@ +@@ -906,6 +1072,8 @@ sys.exit(0) # Start Medusa, Ye Hass! 
diff --git a/demo/https.howto/ca.pem b/demo/https.howto/ca.pem index 11d28fc..b7c84a1 100644 --- a/demo/https.howto/ca.pem +++ b/demo/https.howto/ca.pem 
@@ -1,20 +1,20 @@ -----BEGIN CERTIFICATE----- -MIIDRTCCAq6gAwIBAgIBADANBgkqhkiG9w0BAQQFADB7MQswCQYDVQQGEwJTRzER -MA8GA1UEChMITTJDcnlwdG8xFDASBgNVBAsTC00yQ3J5cHRvIENBMSQwIgYDVQQD -ExtNMkNyeXB0byBDZXJ0aWZpY2F0ZSBNYXN0ZXIxHTAbBgkqhkiG9w0BCQEWDm5n -cHNAcG9zdDEuY29tMB4XDTAwMDkxMDA4NTgzNVoXDTAzMDkxMDA4NTgzNVowezEL -MAkGA1UEBhMCU0cxETAPBgNVBAoTCE0yQ3J5cHRvMRQwEgYDVQQLEwtNMkNyeXB0 -byBDQTEkMCIGA1UEAxMbTTJDcnlwdG8gQ2VydGlmaWNhdGUgTWFzdGVyMR0wGwYJ -KoZIhvcNAQkBFg5uZ3BzQHBvc3QxLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAw -gYkCgYEAw8eBhjy0SrxpEmFqUu+xSd7p8uWq4T/Txfa+9SE/dBeoyydcqj5MO0Qq -TjzNM3YHTy7rOSxJSxFBI0M/Q5rPSC961VJ1ZpdKglTGQTrePf4KxIqcowJgJiBL -+2hCyK3ggCaKvDehQAFzPv9C20ym1gcZpxLbVtG6I86Xu0q19gECAwEAAaOB2DCB -1TAdBgNVHQ4EFgQU+4cjaeucOpMV5cW/KVFP/u0oOAEwgaUGA1UdIwSBnTCBmoAU -+4cjaeucOpMV5cW/KVFP/u0oOAGhf6R9MHsxCzAJBgNVBAYTAlNHMREwDwYDVQQK -EwhNMkNyeXB0bzEUMBIGA1UECxMLTTJDcnlwdG8gQ0ExJDAiBgNVBAMTG00yQ3J5 -cHRvIENlcnRpZmljYXRlIE1hc3RlcjEdMBsGCSqGSIb3DQEJARYObmdwc0Bwb3N0 -MS5jb22CAQAwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQQFAAOBgQDBdXSoxU/z -g+ruWXqHYVK745tTrAbT+LoOhjZd+sYQ3s4eVHuE556Aw58fqs9xdsOIWM4IkhRW -W99iFjGaNeiix3ppUK1DWKsNvYv+qPiQ81mQfk7VQSf7mdzTr//fCam1yjA2PPO9 -WQBPqSVBuauVvuJEkeJREn01+8kANRg3Zg== +MIIDWTCCAsKgAwIBAgIBADANBgkqhkiG9w0BAQQFADCBgDELMAkGA1UEBhMCU0cx +ETAPBgNVBAoTCE0yQ3J5cHRvMRQwEgYDVQQLEwtNMkNyeXB0byBDQTEkMCIGA1UE +AxMbTTJDcnlwdG8gQ2VydGlmaWNhdGUgTWFzdGVyMSIwIAYJKoZIhvcNAQkBFhNu +Z3BzQG5ldG1lbWV0aWMuY29tMB4XDTAxMTIxNTA1NTU0NloXDTA0MTIxNDA1NTU0 +NlowgYAxCzAJBgNVBAYTAlNHMREwDwYDVQQKEwhNMkNyeXB0bzEUMBIGA1UECxML +TTJDcnlwdG8gQ0ExJDAiBgNVBAMTG00yQ3J5cHRvIENlcnRpZmljYXRlIE1hc3Rl +cjEiMCAGCSqGSIb3DQEJARYTbmdwc0BuZXRtZW1ldGljLmNvbTCBnzANBgkqhkiG +9w0BAQEFAAOBjQAwgYkCgYEAx8soJbS719LHK62VVVIQeC3oW0HvFArwPnA0LuEK +q+LaqMOJg1rS7hvFdX03diV+XJw7cC0iECZYJNG4ii1xbY6KRmufkInaAwm54E3N +e+YYVocaqUkcN6xVf6fwnLfPXbpFS/K2Umg11ObKMmi80JmiIdjcjRRCQZC7g1hf +q+kCAwEAAaOB4DCB3TAdBgNVHQ4EFgQU6/qcBzEtQphfXLhiOHbt2KqBwMIwga0G +A1UdIwSBpTCBooAU6/qcBzEtQphfXLhiOHbt2KqBwMKhgYakgYMwgYAxCzAJBgNV 
+BAYTAlNHMREwDwYDVQQKEwhNMkNyeXB0bzEUMBIGA1UECxMLTTJDcnlwdG8gQ0Ex +JDAiBgNVBAMTG00yQ3J5cHRvIENlcnRpZmljYXRlIE1hc3RlcjEiMCAGCSqGSIb3 +DQEJARYTbmdwc0BuZXRtZW1ldGljLmNvbYIBADAMBgNVHRMEBTADAQH/MA0GCSqG +SIb3DQEBBAUAA4GBAD+I14GuS5vJmyv1k7mUMbAicsWRHZ+zrGOq9L/L2LsA+lKQ +dAzEZE2+Zv8LBPJVltbJJhcFNJS/ZMAjEm4xlJuCpvXVMxd/M5AM29aqekWlIK7J +vsdDL8IuzpRkMniUiNKPhmB6IPIOslvUKx6QofcE0wDh6pg4VvIbCjkpZ7gf -----END CERTIFICATE----- diff --git a/demo/medusa/ca.pem b/demo/medusa/ca.pem index 11d28fc..b7c84a1 100644 --- a/demo/medusa/ca.pem +++ b/demo/medusa/ca.pem 
@@ -1,20 +1,20 @@ -----BEGIN CERTIFICATE----- -MIIDRTCCAq6gAwIBAgIBADANBgkqhkiG9w0BAQQFADB7MQswCQYDVQQGEwJTRzER -MA8GA1UEChMITTJDcnlwdG8xFDASBgNVBAsTC00yQ3J5cHRvIENBMSQwIgYDVQQD -ExtNMkNyeXB0byBDZXJ0aWZpY2F0ZSBNYXN0ZXIxHTAbBgkqhkiG9w0BCQEWDm5n -cHNAcG9zdDEuY29tMB4XDTAwMDkxMDA4NTgzNVoXDTAzMDkxMDA4NTgzNVowezEL -MAkGA1UEBhMCU0cxETAPBgNVBAoTCE0yQ3J5cHRvMRQwEgYDVQQLEwtNMkNyeXB0 -byBDQTEkMCIGA1UEAxMbTTJDcnlwdG8gQ2VydGlmaWNhdGUgTWFzdGVyMR0wGwYJ -KoZIhvcNAQkBFg5uZ3BzQHBvc3QxLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAw -gYkCgYEAw8eBhjy0SrxpEmFqUu+xSd7p8uWq4T/Txfa+9SE/dBeoyydcqj5MO0Qq -TjzNM3YHTy7rOSxJSxFBI0M/Q5rPSC961VJ1ZpdKglTGQTrePf4KxIqcowJgJiBL -+2hCyK3ggCaKvDehQAFzPv9C20ym1gcZpxLbVtG6I86Xu0q19gECAwEAAaOB2DCB -1TAdBgNVHQ4EFgQU+4cjaeucOpMV5cW/KVFP/u0oOAEwgaUGA1UdIwSBnTCBmoAU -+4cjaeucOpMV5cW/KVFP/u0oOAGhf6R9MHsxCzAJBgNVBAYTAlNHMREwDwYDVQQK -EwhNMkNyeXB0bzEUMBIGA1UECxMLTTJDcnlwdG8gQ0ExJDAiBgNVBAMTG00yQ3J5 -cHRvIENlcnRpZmljYXRlIE1hc3RlcjEdMBsGCSqGSIb3DQEJARYObmdwc0Bwb3N0 -MS5jb22CAQAwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQQFAAOBgQDBdXSoxU/z -g+ruWXqHYVK745tTrAbT+LoOhjZd+sYQ3s4eVHuE556Aw58fqs9xdsOIWM4IkhRW -W99iFjGaNeiix3ppUK1DWKsNvYv+qPiQ81mQfk7VQSf7mdzTr//fCam1yjA2PPO9 -WQBPqSVBuauVvuJEkeJREn01+8kANRg3Zg== +MIIDWTCCAsKgAwIBAgIBADANBgkqhkiG9w0BAQQFADCBgDELMAkGA1UEBhMCU0cx +ETAPBgNVBAoTCE0yQ3J5cHRvMRQwEgYDVQQLEwtNMkNyeXB0byBDQTEkMCIGA1UE +AxMbTTJDcnlwdG8gQ2VydGlmaWNhdGUgTWFzdGVyMSIwIAYJKoZIhvcNAQkBFhNu +Z3BzQG5ldG1lbWV0aWMuY29tMB4XDTAxMTIxNTA1NTU0NloXDTA0MTIxNDA1NTU0 +NlowgYAxCzAJBgNVBAYTAlNHMREwDwYDVQQKEwhNMkNyeXB0bzEUMBIGA1UECxML +TTJDcnlwdG8gQ0ExJDAiBgNVBAMTG00yQ3J5cHRvIENlcnRpZmljYXRlIE1hc3Rl +cjEiMCAGCSqGSIb3DQEJARYTbmdwc0BuZXRtZW1ldGljLmNvbTCBnzANBgkqhkiG +9w0BAQEFAAOBjQAwgYkCgYEAx8soJbS719LHK62VVVIQeC3oW0HvFArwPnA0LuEK +q+LaqMOJg1rS7hvFdX03diV+XJw7cC0iECZYJNG4ii1xbY6KRmufkInaAwm54E3N +e+YYVocaqUkcN6xVf6fwnLfPXbpFS/K2Umg11ObKMmi80JmiIdjcjRRCQZC7g1hf +q+kCAwEAAaOB4DCB3TAdBgNVHQ4EFgQU6/qcBzEtQphfXLhiOHbt2KqBwMIwga0G +A1UdIwSBpTCBooAU6/qcBzEtQphfXLhiOHbt2KqBwMKhgYakgYMwgYAxCzAJBgNV 
+BAYTAlNHMREwDwYDVQQKEwhNMkNyeXB0bzEUMBIGA1UECxMLTTJDcnlwdG8gQ0Ex +JDAiBgNVBAMTG00yQ3J5cHRvIENlcnRpZmljYXRlIE1hc3RlcjEiMCAGCSqGSIb3 +DQEJARYTbmdwc0BuZXRtZW1ldGljLmNvbYIBADAMBgNVHRMEBTADAQH/MA0GCSqG +SIb3DQEBBAUAA4GBAD+I14GuS5vJmyv1k7mUMbAicsWRHZ+zrGOq9L/L2LsA+lKQ +dAzEZE2+Zv8LBPJVltbJJhcFNJS/ZMAjEm4xlJuCpvXVMxd/M5AM29aqekWlIK7J +vsdDL8IuzpRkMniUiNKPhmB6IPIOslvUKx6QofcE0wDh6pg4VvIbCjkpZ7gf -----END CERTIFICATE----- diff --git a/demo/smime/ca.pem b/demo/smime/ca.pem index 11d28fc..b7c84a1 100644 --- a/demo/smime/ca.pem +++ b/demo/smime/ca.pem 
@@ -1,20 +1,20 @@ -----BEGIN CERTIFICATE----- -MIIDRTCCAq6gAwIBAgIBADANBgkqhkiG9w0BAQQFADB7MQswCQYDVQQGEwJTRzER -MA8GA1UEChMITTJDcnlwdG8xFDASBgNVBAsTC00yQ3J5cHRvIENBMSQwIgYDVQQD -ExtNMkNyeXB0byBDZXJ0aWZpY2F0ZSBNYXN0ZXIxHTAbBgkqhkiG9w0BCQEWDm5n -cHNAcG9zdDEuY29tMB4XDTAwMDkxMDA4NTgzNVoXDTAzMDkxMDA4NTgzNVowezEL -MAkGA1UEBhMCU0cxETAPBgNVBAoTCE0yQ3J5cHRvMRQwEgYDVQQLEwtNMkNyeXB0 -byBDQTEkMCIGA1UEAxMbTTJDcnlwdG8gQ2VydGlmaWNhdGUgTWFzdGVyMR0wGwYJ -KoZIhvcNAQkBFg5uZ3BzQHBvc3QxLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAw -gYkCgYEAw8eBhjy0SrxpEmFqUu+xSd7p8uWq4T/Txfa+9SE/dBeoyydcqj5MO0Qq -TjzNM3YHTy7rOSxJSxFBI0M/Q5rPSC961VJ1ZpdKglTGQTrePf4KxIqcowJgJiBL -+2hCyK3ggCaKvDehQAFzPv9C20ym1gcZpxLbVtG6I86Xu0q19gECAwEAAaOB2DCB -1TAdBgNVHQ4EFgQU+4cjaeucOpMV5cW/KVFP/u0oOAEwgaUGA1UdIwSBnTCBmoAU -+4cjaeucOpMV5cW/KVFP/u0oOAGhf6R9MHsxCzAJBgNVBAYTAlNHMREwDwYDVQQK -EwhNMkNyeXB0bzEUMBIGA1UECxMLTTJDcnlwdG8gQ0ExJDAiBgNVBAMTG00yQ3J5 -cHRvIENlcnRpZmljYXRlIE1hc3RlcjEdMBsGCSqGSIb3DQEJARYObmdwc0Bwb3N0 -MS5jb22CAQAwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQQFAAOBgQDBdXSoxU/z -g+ruWXqHYVK745tTrAbT+LoOhjZd+sYQ3s4eVHuE556Aw58fqs9xdsOIWM4IkhRW -W99iFjGaNeiix3ppUK1DWKsNvYv+qPiQ81mQfk7VQSf7mdzTr//fCam1yjA2PPO9 -WQBPqSVBuauVvuJEkeJREn01+8kANRg3Zg== +MIIDWTCCAsKgAwIBAgIBADANBgkqhkiG9w0BAQQFADCBgDELMAkGA1UEBhMCU0cx +ETAPBgNVBAoTCE0yQ3J5cHRvMRQwEgYDVQQLEwtNMkNyeXB0byBDQTEkMCIGA1UE +AxMbTTJDcnlwdG8gQ2VydGlmaWNhdGUgTWFzdGVyMSIwIAYJKoZIhvcNAQkBFhNu +Z3BzQG5ldG1lbWV0aWMuY29tMB4XDTAxMTIxNTA1NTU0NloXDTA0MTIxNDA1NTU0 +NlowgYAxCzAJBgNVBAYTAlNHMREwDwYDVQQKEwhNMkNyeXB0bzEUMBIGA1UECxML +TTJDcnlwdG8gQ0ExJDAiBgNVBAMTG00yQ3J5cHRvIENlcnRpZmljYXRlIE1hc3Rl +cjEiMCAGCSqGSIb3DQEJARYTbmdwc0BuZXRtZW1ldGljLmNvbTCBnzANBgkqhkiG +9w0BAQEFAAOBjQAwgYkCgYEAx8soJbS719LHK62VVVIQeC3oW0HvFArwPnA0LuEK +q+LaqMOJg1rS7hvFdX03diV+XJw7cC0iECZYJNG4ii1xbY6KRmufkInaAwm54E3N +e+YYVocaqUkcN6xVf6fwnLfPXbpFS/K2Umg11ObKMmi80JmiIdjcjRRCQZC7g1hf +q+kCAwEAAaOB4DCB3TAdBgNVHQ4EFgQU6/qcBzEtQphfXLhiOHbt2KqBwMIwga0G +A1UdIwSBpTCBooAU6/qcBzEtQphfXLhiOHbt2KqBwMKhgYakgYMwgYAxCzAJBgNV 
+BAYTAlNHMREwDwYDVQQKEwhNMkNyeXB0bzEUMBIGA1UECxMLTTJDcnlwdG8gQ0Ex +JDAiBgNVBAMTG00yQ3J5cHRvIENlcnRpZmljYXRlIE1hc3RlcjEiMCAGCSqGSIb3 +DQEJARYTbmdwc0BuZXRtZW1ldGljLmNvbYIBADAMBgNVHRMEBTADAQH/MA0GCSqG +SIb3DQEBBAUAA4GBAD+I14GuS5vJmyv1k7mUMbAicsWRHZ+zrGOq9L/L2LsA+lKQ +dAzEZE2+Zv8LBPJVltbJJhcFNJS/ZMAjEm4xlJuCpvXVMxd/M5AM29aqekWlIK7J +vsdDL8IuzpRkMniUiNKPhmB6IPIOslvUKx6QofcE0wDh6pg4VvIbCjkpZ7gf -----END CERTIFICATE----- diff --git a/demo/ssl/ca.pem b/demo/ssl/ca.pem index 11d28fc..b7c84a1 100644 --- a/demo/ssl/ca.pem +++ b/demo/ssl/ca.pem 
@@ -1,20 +1,20 @@ -----BEGIN CERTIFICATE----- -MIIDRTCCAq6gAwIBAgIBADANBgkqhkiG9w0BAQQFADB7MQswCQYDVQQGEwJTRzER -MA8GA1UEChMITTJDcnlwdG8xFDASBgNVBAsTC00yQ3J5cHRvIENBMSQwIgYDVQQD -ExtNMkNyeXB0byBDZXJ0aWZpY2F0ZSBNYXN0ZXIxHTAbBgkqhkiG9w0BCQEWDm5n -cHNAcG9zdDEuY29tMB4XDTAwMDkxMDA4NTgzNVoXDTAzMDkxMDA4NTgzNVowezEL -MAkGA1UEBhMCU0cxETAPBgNVBAoTCE0yQ3J5cHRvMRQwEgYDVQQLEwtNMkNyeXB0 -byBDQTEkMCIGA1UEAxMbTTJDcnlwdG8gQ2VydGlmaWNhdGUgTWFzdGVyMR0wGwYJ -KoZIhvcNAQkBFg5uZ3BzQHBvc3QxLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAw -gYkCgYEAw8eBhjy0SrxpEmFqUu+xSd7p8uWq4T/Txfa+9SE/dBeoyydcqj5MO0Qq -TjzNM3YHTy7rOSxJSxFBI0M/Q5rPSC961VJ1ZpdKglTGQTrePf4KxIqcowJgJiBL -+2hCyK3ggCaKvDehQAFzPv9C20ym1gcZpxLbVtG6I86Xu0q19gECAwEAAaOB2DCB -1TAdBgNVHQ4EFgQU+4cjaeucOpMV5cW/KVFP/u0oOAEwgaUGA1UdIwSBnTCBmoAU -+4cjaeucOpMV5cW/KVFP/u0oOAGhf6R9MHsxCzAJBgNVBAYTAlNHMREwDwYDVQQK -EwhNMkNyeXB0bzEUMBIGA1UECxMLTTJDcnlwdG8gQ0ExJDAiBgNVBAMTG00yQ3J5 -cHRvIENlcnRpZmljYXRlIE1hc3RlcjEdMBsGCSqGSIb3DQEJARYObmdwc0Bwb3N0 -MS5jb22CAQAwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQQFAAOBgQDBdXSoxU/z -g+ruWXqHYVK745tTrAbT+LoOhjZd+sYQ3s4eVHuE556Aw58fqs9xdsOIWM4IkhRW -W99iFjGaNeiix3ppUK1DWKsNvYv+qPiQ81mQfk7VQSf7mdzTr//fCam1yjA2PPO9 -WQBPqSVBuauVvuJEkeJREn01+8kANRg3Zg== +MIIDWTCCAsKgAwIBAgIBADANBgkqhkiG9w0BAQQFADCBgDELMAkGA1UEBhMCU0cx +ETAPBgNVBAoTCE0yQ3J5cHRvMRQwEgYDVQQLEwtNMkNyeXB0byBDQTEkMCIGA1UE +AxMbTTJDcnlwdG8gQ2VydGlmaWNhdGUgTWFzdGVyMSIwIAYJKoZIhvcNAQkBFhNu +Z3BzQG5ldG1lbWV0aWMuY29tMB4XDTAxMTIxNTA1NTU0NloXDTA0MTIxNDA1NTU0 +NlowgYAxCzAJBgNVBAYTAlNHMREwDwYDVQQKEwhNMkNyeXB0bzEUMBIGA1UECxML +TTJDcnlwdG8gQ0ExJDAiBgNVBAMTG00yQ3J5cHRvIENlcnRpZmljYXRlIE1hc3Rl +cjEiMCAGCSqGSIb3DQEJARYTbmdwc0BuZXRtZW1ldGljLmNvbTCBnzANBgkqhkiG +9w0BAQEFAAOBjQAwgYkCgYEAx8soJbS719LHK62VVVIQeC3oW0HvFArwPnA0LuEK +q+LaqMOJg1rS7hvFdX03diV+XJw7cC0iECZYJNG4ii1xbY6KRmufkInaAwm54E3N +e+YYVocaqUkcN6xVf6fwnLfPXbpFS/K2Umg11ObKMmi80JmiIdjcjRRCQZC7g1hf +q+kCAwEAAaOB4DCB3TAdBgNVHQ4EFgQU6/qcBzEtQphfXLhiOHbt2KqBwMIwga0G +A1UdIwSBpTCBooAU6/qcBzEtQphfXLhiOHbt2KqBwMKhgYakgYMwgYAxCzAJBgNV 
+BAYTAlNHMREwDwYDVQQKEwhNMkNyeXB0bzEUMBIGA1UECxMLTTJDcnlwdG8gQ0Ex
+JDAiBgNVBAMTG00yQ3J5cHRvIENlcnRpZmljYXRlIE1hc3RlcjEiMCAGCSqGSIb3
+DQEJARYTbmdwc0BuZXRtZW1ldGljLmNvbYIBADAMBgNVHRMEBTADAQH/MA0GCSqG
+SIb3DQEBBAUAA4GBAD+I14GuS5vJmyv1k7mUMbAicsWRHZ+zrGOq9L/L2LsA+lKQ
+dAzEZE2+Zv8LBPJVltbJJhcFNJS/ZMAjEm4xlJuCpvXVMxd/M5AM29aqekWlIK7J
+vsdDL8IuzpRkMniUiNKPhmB6IPIOslvUKx6QofcE0wDh6pg4VvIbCjkpZ7gf
 -----END CERTIFICATE-----
diff --git a/demo/ssl/echo.py b/demo/ssl/echo.py
index 776c520..e50d5ff 100644
--- a/demo/ssl/echo.py
+++ b/demo/ssl/echo.py
@@ -4,7 +4,7 @@ Copyright (c) 1999-2003 Ng Pheng Siong. All rights reserved."""
-RCS_id='$Id: echo.py,v 1.3 2002/12/23 04:37:05 ngps Exp $'
+RCS_id='$Id: echo.py,v 1.4 2003/06/30 06:25:19 ngps Exp $'
 import getopt, sys
 from socket import gethostname
@@ -23,10 +23,11 @@ for opt in optlist:
 Rand.load_file('../randpool.dat', -1)
 ctx = SSL.Context('sslv3')
-ctx.load_cert('client.pem')
-ctx.load_verify_info('ca.pem')
-ctx.load_client_ca('ca.pem')
-ctx.set_verify(SSL.verify_none, 10)
+ctx.load_cert_chain('client.pem')
+#ctx.set_verify(SSL.verify_none, 10)
+ctx.set_verify(SSL.verify_peer, 10, SSL.cb.ssl_verify_callback)
+ctx.load_verify_locations('ca.pem')
+#ctx.set_allow_unknown_ca(1)
 ctx.set_info_callback()
 s = SSL.Connection(ctx)
@@ -34,17 +35,17 @@ s.connect((host, port))
 print 'Host =', gethostname()
 print 'Cipher =', s.get_cipher().name()
-v = s.get_verify_result()
-if v != X509.V_OK:
- s.close()
- raise SystemExit, 'Server verification failed'
+## 2003-06-28, ngps: Depends on ctx.set_verify() above, RTFM for details.
+## v = s.get_verify_result()
+## if v != X509.V_OK:
+## s.close()
+## raise SystemExit, 'Server verification failed'
 peer = s.get_peer_cert()
-print 'Server =', peer.get_subject().CN
+print 'Server =', str(peer.get_subject())
 while 1:
 data = s.recv()
- print 'XXX:', `data`
 if not data:
 break
 sys.stdout.write(data)
diff --git a/demo/ssl/echod-async.py b/demo/ssl/echod-async.py
index fbeb87b..8218734 100644
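Review bot: In the second echo.py hunk the client's check of the server certificate now rests entirely on `ctx.set_verify(SSL.verify_peer, 10, SSL.cb.ssl_verify_callback)`, and the third hunk comments out the explicit `get_verify_result()` test with only an "RTFM" remark. As far as I recall OpenSSL lets a supplied verify callback's return value decide whether the handshake continues, so whether a bad chain is actually fatal here depends on what `SSL.cb.ssl_verify_callback` returns, which the hunk does not show; keeping the one-line post-handshake check would make the demo's intent explicit regardless. If it stays commented out, I would replace the commented code with a statement of the contract, e.g. `# verify_peer + ca.pem: the handshake itself fails when the server chain does not verify, so no get_verify_result() check is needed here`. Separately, `print 'Server =', str(peer.get_subject())` assumes `get_peer_cert()` returned a certificate; a `peer is not None` guard like the one in echod_lib's handler would avoid an AttributeError when no peer certificate is available.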
--- a/demo/ssl/echod-async.py
+++ b/demo/ssl/echod-async.py
@@ -4,7 +4,7 @@ Copyright (c) 1999-2003 Ng Pheng Siong. All rights reserved."""
-RCS_id='$Id: echod-async.py,v 1.5 2002/12/23 04:37:27 ngps Exp $'
+RCS_id='$Id: echod-async.py,v 1.6 2003/06/30 06:25:19 ngps Exp $'
 import asyncore, errno, socket, time
 from M2Crypto import Rand, SSL
@@ -105,7 +105,8 @@ class ssl_echo_server(SSL.ssl_dispatcher):
 if __name__=='__main__':
 Rand.load_file('../randpool.dat', -1)
 ctx = echod_lib.init_context('sslv23', 'server.pem', 'ca.pem', \
- SSL.verify_peer | SSL.verify_fail_if_no_peer_cert)
+ #SSL.verify_peer | SSL.verify_fail_if_no_peer_cert)
+ SSL.verify_none)
 ctx.set_tmp_dh('dh1024.pem')
 ssl_echo_server('', 9999, ctx)
 asyncore.loop()
diff --git a/demo/ssl/echod-iterative.py b/demo/ssl/echod-iterative.py
index 6d8fc37..4c6822d 100644
--- a/demo/ssl/echod-iterative.py
+++ b/demo/ssl/echod-iterative.py
@@ -4,7 +4,7 @@ Copyright (c) 1999-2003 Ng Pheng Siong. All rights reserved."""
-RCS_id='$Id: echod-iterative.py,v 1.6 2002/12/23 04:38:06 ngps Exp $'
+RCS_id='$Id: echod-iterative.py,v 1.7 2003/06/30 06:25:19 ngps Exp $'
 from M2Crypto import Rand, SSL
 import echod_lib
@@ -17,6 +17,7 @@ if __name__=='__main__':
 Rand.load_file('../randpool.dat', -1)
 ctx=echod_lib.init_context('sslv23', 'server.pem', 'ca.pem', \
 SSL.verify_peer | SSL.verify_fail_if_no_peer_cert)
+ #SSL.verify_none)
 ctx.set_tmp_dh('dh1024.pem')
 s=SSL.SSLServer(('', 9999), ssl_echo_handler, ctx)
 s.serve_forever()
diff --git a/demo/ssl/echod_lib.py b/demo/ssl/echod_lib.py
index 5b13706..0fa654e 100644
--- a/demo/ssl/echod_lib.py
+++ b/demo/ssl/echod_lib.py
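Review bot: The second echod-async.py hunk switches that demo server to `SSL.verify_none`, so it no longer requests a client certificate, while the matching hunk in echod-iterative.py keeps `SSL.verify_peer | SSL.verify_fail_if_no_peer_cert`; the two servers that share `echod_lib.init_context` now behave differently and nothing in either hunk says why. Both hunks leave the alternative as a commented-out argument line, which is easy to mis-edit because the closing `)` lives on whichever line is currently active. A one-line comment on the call would make the mode explicit, e.g. `# verify_none: any client may connect; use the commented flags to require a CA-signed client cert`, and the same comment would serve the echod-iterative.py hunk.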
@@ -2,18 +2,18 @@ Copyright (c) 1999-2003 Ng Pheng Siong. All rights reserved."""
-RCS_id='$Id: echod_lib.py,v 1.5 2002/12/23 04:39:22 ngps Exp $'
+RCS_id='$Id: echod_lib.py,v 1.6 2003/06/30 06:25:19 ngps Exp $'
 import SocketServer
 from M2Crypto import SSL
 def init_context(protocol, certfile, cafile, verify, verify_depth=10):
 ctx = SSL.Context(protocol)
- ctx.load_cert(certfile)
- ctx.load_client_ca(cafile)
- ctx.load_verify_info(cafile)
+ ctx.load_cert_chain(certfile)
+ ctx.load_verify_locations(cafile)
+ ctx.set_client_CA_list_from_file(cafile)
 ctx.set_verify(verify, verify_depth)
- ctx.set_allow_unknown_ca(1)
+ #ctx.set_allow_unknown_ca(1)
 ctx.set_session_id_ctx('echod')
 ctx.set_info_callback()
 return ctx
@@ -28,9 +28,7 @@ class ssl_echo_handler(SocketServer.BaseRequestHandler):
 if peer is not None:
 print 'Client CA =', peer.get_issuer().O
 print 'Client Subject =', peer.get_subject().CN
- print 'XXX'
 x = self.request.write(self.buffer)
- print 'YYY:', x
 while 1:
 try:
 buf = self.request.read()
diff --git a/demo/ssl/https_cli.py b/demo/ssl/https_cli.py
index ee870b0..9970372 100644
--- a/demo/ssl/https_cli.py
+++ b/demo/ssl/https_cli.py
@@ -4,7 +4,7 @@ Copyright (c) 1999-2003 Ng Pheng Siong. All rights reserved."""
-RCS_id='$Id: https_cli.py,v 1.6 2003/06/22 17:18:25 ngps Exp $'
+RCS_id='$Id: https_cli.py,v 1.7 2003/06/30 06:25:44 ngps Exp $'
 import sys
 from M2Crypto import Rand, SSL, httpslib, threading
@@ -33,8 +33,10 @@ if sys.version[:3] == '1.5':
 elif sys.version[0] == '2':
 def test_httpslib():
- ctx = SSL.Context('sslv2')
- #ctx.load_cert('client.pem')
+ ctx = SSL.Context('sslv23')
+ ctx.load_cert_chain('client.pem')
+ ctx.load_verify_locations('ca.pem')
+ ctx.set_verify(SSL.verify_peer, 10)
 ctx.set_info_callback()
 h = httpslib.HTTPSConnection('127.0.0.1', 9443, ssl_context=ctx)
 h.set_debuglevel(1)
diff --git a/demo/ssl/https_srv.py b/demo/ssl/https_srv.py
index a2e8b73..8297527 100644
--- a/demo/ssl/https_srv.py
+++ b/demo/ssl/https_srv.py
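Review bot: `init_context` in the first echod_lib.py hunk now gives `cafile` two roles, the trust anchors via `load_verify_locations` and the advertised client-CA list via `set_client_CA_list_from_file`, and drops the `set_allow_unknown_ca(1)` relaxation, but the function still has no docstring describing either. As far as I can tell from the call `ctx.set_verify(verify, verify_depth)` with no callback, a client certificate that does not chain to `cafile` will now be rejected whenever `verify` includes `SSL.verify_peer`; that is the safer default and worth stating rather than leaving the old call as the commented line `#ctx.set_allow_unknown_ca(1)`. Suggested docstring: "Build an SSL.Context for the echo demos: load the server chain from certfile, use cafile both as the trust store for peer verification and as the CA list sent in the certificate request, then apply the verify flags and depth." Delete the commented-out line or give it a note on when it should be re-enabled.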
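Review bot: The second https_cli.py hunk verifies the server chain against `ca.pem` with `ctx.set_verify(SSL.verify_peer, 10)`, but nothing in the new lines ties the verified certificate to the host named on the context line `h = httpslib.HTTPSConnection('127.0.0.1', 9443, ssl_context=ctx)`, so any certificate issued by the demo CA is accepted for this connection. For a loopback demo that is fine, but a comment saying so would keep the snippet from being copied as-is, e.g. `# verify_peer checks the chain against ca.pem only; it does not match the cert subject to the host`. `test_httpslib` continues past the end of the hunk.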
@@ -15,7 +15,7 @@ TODO:
 Copyright (c) 1999-2003 Ng Pheng Siong. All rights reserved. """
-RCS_id = '$Id: https_srv.py,v 1.2 2002/12/23 04:41:31 ngps Exp $'
+RCS_id = '$Id: https_srv.py,v 1.3 2003/06/30 06:26:15 ngps Exp $'
 import os, sys
 from SimpleHTTPServer import SimpleHTTPRequestHandler
@@ -142,7 +142,7 @@ if __name__ == '__main__':
 #SSL.verify_peer | SSL.verify_fail_if_no_peer_cert)
 ctx.set_tmp_dh('dh1024.pem')
 os.chdir(wdir)
- httpsd = HTTPS_Server(('', 9443), HTTP_Handler, ctx)
+ httpsd = HTTPS_Server(('', 19443), HTTP_Handler, ctx)
 httpsd.serve_forever()
 Rand.save_file('../randpool.dat')
@@ -6,7 +6,7 @@ Distutils installer for M2Crypto.
 Copyright (c) 1999-2003, Ng Pheng Siong. All rights reserved. """
-_RCS_id = '$Id: setup.py,v 1.7 2003/06/22 16:45:33 ngps Exp $'
+_RCS_id = '$Id: setup.py,v 1.8 2003/06/30 06:13:11 ngps Exp $'
 import os, shutil
 from distutils.core import setup, Extension
@@ -38,8 +38,8 @@ m2crypto = Extension(name = '__m2crypto',
 )
 setup(name = 'M2Crypto',
- version = '0.11',
- description = 'M2Crypto: A Python interface to OpenSSL',
+ version = '0.12',
+ description = 'M2Crypto: A Python crypto and SSL toolkit',
 author = 'Ng Pheng Siong',
 author_email = 'ngps@netmemetic.com',
 url = 'http://www.post1.com/home/ngps/m2/',
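Review bot: The second https_srv.py hunk moves the demo server to port `19443`, but the client demo in the https_cli.py hunk above still connects with `h = httpslib.HTTPSConnection('127.0.0.1', 9443, ssl_context=ctx)`, so the two demos no longer talk to each other out of the box. If the move is deliberate, presumably to avoid clashing with something else on 9443, the client should change to `h = httpslib.HTTPSConnection('127.0.0.1', 19443, ssl_context=ctx)` or the changed line should carry a comment naming the client that has to follow. The `if __name__ == '__main__'` block begins before this hunk.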