
[Xen-API] [PATCH] add primitive SSL cert verification



# HG changeset patch
# User David Scott <dave.scott@xxxxxxxxxxxxx>
# Date 1261493243 0
# Node ID 2680884fb5c9752e32bc40cc0644ac6015823770
# Parent  7e4670b5a046dd914812272b81f9d8be55e5aa00
CA-36092: Modifying Stunnel.connect's verify_cert argument to be tri-state.

The values are:
  Some true -> do verification
  Some false -> don't do verification
  None -> do verification if the file /var/xapi/verify_certificates exists

Signed-off-by: Magnus Therning <magnus.therning@xxxxxxxxxxxxx>
Acked-by: David Scott <dave.scott@xxxxxxxxxxxxx>

diff -r 7e4670b5a046 -r 2680884fb5c9 stunnel/stunnel.ml
--- a/stunnel/stunnel.ml        Tue Dec 22 11:37:00 2009 +0000
+++ b/stunnel/stunnel.ml        Tue Dec 22 14:47:23 2009 +0000
@@ -23,6 +23,7 @@
 
 let certificate_path = "/etc/stunnel/certs"
 let crl_path = "/etc/stunnel/crls"
+let verify_certificates_ctrl = "/var/xapi/verify_certificates"
 
 let use_new_stunnel = ref false
 let new_stunnel_path = "/usr/sbin/stunnelng"
@@ -265,10 +266,20 @@
     @param extended_diagnosis If true, the stunnel log file will not be
     deleted.  Instead, it is the caller's responsibility to delete it.  This
     allows the caller to use diagnose_failure below if stunnel fails.  *)
-let connect ?unique_id ?use_external_fd_wrapper ?write_to_log
-    ?(verify_cert=false) ?(extended_diagnosis=false) host port = 
-  let connect = if !use_new_stunnel then attempt_one_connect_new else 
attempt_one_connect in
-  retry (fun () -> connect ?unique_id ?use_external_fd_wrapper ?write_to_log 
verify_cert extended_diagnosis host port) 5
+let connect
+               ?unique_id
+               ?use_external_fd_wrapper
+               ?write_to_log
+               ?verify_cert
+               ?(extended_diagnosis=false)
+               host
+               port = 
+       let connect = if !use_new_stunnel then attempt_one_connect_new else 
attempt_one_connect in
+       let _verify_cert = match verify_cert with
+               | Some x -> x
+               | None -> Sys.file_exists verify_certificates_ctrl
+       in
+       retry (fun () -> connect ?unique_id ?use_external_fd_wrapper 
?write_to_log _verify_cert extended_diagnosis host port) 5
 
 let sub_after i s =
   let len = String.length s in
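Review bot: The `None` arm of the `_verify_cert` match is fail-open: when `/var/xapi/verify_certificates` is absent, peer certificate verification is silently skipped, and the doc comment above `connect` (which begins outside the hunk) still documents only `extended_diagnosis`. I would add `@param verify_cert [Some true] verifies the peer certificate, [Some false] skips it, [None] (the default) verifies only when [verify_certificates_ctrl] exists, so a missing control file disables verification.` Since `Sys.file_exists` is evaluated once before `retry`, all five attempts share that decision; consider writing a line through `?write_to_log` when the control file is missing so an operator can tell from the stunnel log which mode was taken, though `write_to_log`'s type is not visible in the hunk and should be checked first. As a style point, a leading underscore conventionally marks an unused binding while `_verify_cert` is used on the next line; shadowing the argument is the idiom here: `let verify_cert = match verify_cert with`.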
1 file changed, 15 insertions(+), 4 deletions(-)
stunnel/stunnel.ml |   19 +++++++++++++++----


Attachment: add_verification.patch
Description: Text Data

