From 1a43b6a1c3905ff98a930920caa3a2bbf6428165 Mon Sep 17 00:00:00 2001
From: Andrey Pavlov
Date: Tue, 16 Jan 2018 15:47:07 +0300
Subject: [PATCH] add ssl_ca_cert option to check client cert

option ssl_ca_cert is used to check ssl certs in input connections from clients.

Change-Id: Ifcc398d6157488cc7b9057d3946f2ada58776754
---
 ec2api/wsgi.py | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/ec2api/wsgi.py b/ec2api/wsgi.py
index 961dae35..3af54e82 100644
--- a/ec2api/wsgi.py
+++ b/ec2api/wsgi.py
@@ -47,6 +47,9 @@ wsgi_opts = [
                'generate log lines. The following values can be formatted '
                'into it: client_ip, date_time, request_line, status_code, '
                'body_length, wall_seconds.'),
+    cfg.StrOpt('ssl_ca_file',
+               help="Path to the CA certificate file that should be used"
+                    "to verify connecting clients."),
     cfg.StrOpt('ssl_cert_file',
                help="SSL certificate of API server"),
     cfg.StrOpt('ssl_key_file',
@@ -157,17 +160,19 @@ class Server(ServiceBase):
 
         if self._use_ssl:
             try:
+                ca_file = CONF.ssl_ca_file
                 cert_file = CONF.ssl_cert_file
                 key_file = CONF.ssl_key_file
 
+                if ca_file and not os.path.exists(ca_file):
+                    raise RuntimeError(
+                        _("Unable to find ca_file : %s") % ca_file)
                 if cert_file and not os.path.exists(cert_file):
                     raise RuntimeError(_("Unable to find cert_file : %s")
                                        % cert_file)
-
                 if key_file and not os.path.exists(key_file):
                     raise RuntimeError(_("Unable to find key_file : %s")
                                        % key_file)
-
                 if self._use_ssl and (not cert_file or not key_file):
                     raise RuntimeError(_("When running server in SSL mode, "
                                          "you must specify both a cert_file "
@@ -180,6 +185,10 @@ class Server(ServiceBase):
                     'cert_reqs': ssl.CERT_NONE,
                 }
 
+                if ca_file:
+                    ssl_kwargs['ca_certs'] = ca_file
+                    ssl_kwargs['cert_reqs'] = ssl.CERT_REQUIRED
+
                 dup_socket = eventlet.wrap_ssl(dup_socket, **ssl_kwargs)
             except Exception:
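Review bot: The help string of the new ssl_ca_file option loses the space between its two implicitly concatenated literals, so the rendered help reads "...should be usedto verify..."; end the first literal with a trailing space, `help="Path to the CA certificate file that should be used "`. The text should also state what setting the option does: the later hunk in this file switches cert_reqs to ssl.CERT_REQUIRED whenever it is set, so a client that does not present a certificate chaining to this CA is rejected at the TLS handshake, which an operator reading "verify connecting clients" may not expect — something like `help="Path to the CA certificate file used to verify client certificates. When set, clients must present a certificate issued by this CA."`. Note that the commit title and message call the option ssl_ca_cert while the code registers ssl_ca_file.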
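Review bot: The new ca_file check uses os.path.exists, which also passes for a directory or other non-file path that wrap_ssl cannot load as a CA bundle; `if ca_file and not os.path.isfile(ca_file):` would reject such a value at startup with the clear "Unable to find ca_file" message instead of a later SSL error. The neighbouring cert_file and key_file checks share the same weakness, so if this is changed it should be changed for all three to keep them consistent. The enclosing method starts before this hunk and continues after it.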