add ssl_ca_cert option to check client cert
option ssl_ca_cert is used to check ssl certs in input connections from clients. Change-Id: Ifcc398d6157488cc7b9057d3946f2ada58776754
This commit is contained in:
Andrey Pavlov
parent
5fc752ca6f
commit
1a43b6a1c3
|
|
@ -47,6 +47,9 @@ wsgi_opts = [
|
|||
'generate log lines. The following values can be formatted '
|
||||
'into it: client_ip, date_time, request_line, status_code, '
|
||||
'body_length, wall_seconds.'),
|
||||
cfg.StrOpt('ssl_ca_file',
|
||||
help="Path to the CA certificate file that should be used"
|
||||
"to verify connecting clients."),
|
||||
cfg.StrOpt('ssl_cert_file',
|
||||
help="SSL certificate of API server"),
|
||||
cfg.StrOpt('ssl_key_file',
|
||||
|
|
@ -157,17 +160,19 @@ class Server(ServiceBase):
|
|||
|
||||
if self._use_ssl:
|
||||
try:
|
||||
ca_file = CONF.ssl_ca_file
|
||||
cert_file = CONF.ssl_cert_file
|
||||
key_file = CONF.ssl_key_file
|
||||
|
||||
if ca_file and not os.path.exists(ca_file):
|
||||
raise RuntimeError(
|
||||
_("Unable to find ca_file : %s") % ca_file)
|
||||
if cert_file and not os.path.exists(cert_file):
|
||||
raise RuntimeError(_("Unable to find cert_file : %s") %
|
||||
cert_file)
|
||||
|
||||
if key_file and not os.path.exists(key_file):
|
||||
raise RuntimeError(_("Unable to find key_file : %s") %
|
||||
key_file)
|
||||
|
||||
if self._use_ssl and (not cert_file or not key_file):
|
||||
raise RuntimeError(_("When running server in SSL mode, "
|
||||
"you must specify both a cert_file "
|
||||
|
|
@ -180,6 +185,10 @@ class Server(ServiceBase):
|
|||
'cert_reqs': ssl.CERT_NONE,
|
||||
}
|
||||
|
||||
if ca_file:
|
||||
ssl_kwargs['ca_certs'] = ca_file
|
||||
ssl_kwargs['cert_reqs'] = ssl.CERT_REQUIRED
|
||||
|
||||
dup_socket = eventlet.wrap_ssl(dup_socket,
|
||||
**ssl_kwargs)
|
||||
except Exception:
|
||||
|
|
|
|||
Loading…
Reference in New Issue