Merge "Choose the highest TLS version"
commit
ef85028392
|
@ -165,6 +165,12 @@ class OpenFlowController(object):
|
|||
|
||||
def server_loop(self, ofp_tcp_listen_port, ofp_ssl_listen_port):
|
||||
if CONF.ctl_privkey is not None and CONF.ctl_cert is not None:
|
||||
p = 'PROTOCOL_TLS'
|
||||
|
||||
ssl_args = {'ssl_ctx': ssl.SSLContext(getattr(ssl, p))}
|
||||
# Restrict non-safe versions
|
||||
ssl_args['ssl_ctx'].options |= ssl.OP_NO_SSLv3 | ssl.OP_NO_SSLv2
|
||||
|
||||
if CONF.ca_certs is not None:
|
||||
server = StreamServer((CONF.ofp_listen_host,
|
||||
ofp_ssl_listen_port),
|
||||
|
@ -172,15 +178,13 @@ class OpenFlowController(object):
|
|||
keyfile=CONF.ctl_privkey,
|
||||
certfile=CONF.ctl_cert,
|
||||
cert_reqs=ssl.CERT_REQUIRED,
|
||||
ca_certs=CONF.ca_certs,
|
||||
ssl_version=ssl.PROTOCOL_TLSv1)
|
||||
ca_certs=CONF.ca_certs, **ssl_args)
|
||||
else:
|
||||
server = StreamServer((CONF.ofp_listen_host,
|
||||
ofp_ssl_listen_port),
|
||||
datapath_connection_factory,
|
||||
keyfile=CONF.ctl_privkey,
|
||||
certfile=CONF.ctl_cert,
|
||||
ssl_version=ssl.PROTOCOL_TLSv1)
|
||||
certfile=CONF.ctl_cert, **ssl_args)
|
||||
else:
|
||||
server = StreamServer((CONF.ofp_listen_host,
|
||||
ofp_tcp_listen_port),
|
||||
|
|
|
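Review bot: The context built at `ssl_args = {'ssl_ctx': ssl.SSLContext(getattr(ssl, p))}` in the first hunk only disables SSLv2/SSLv3 on the next lines, so with `PROTOCOL_TLS` a peer can still negotiate TLS 1.0 or 1.1; the TODO in the accompanying test calls exactly this out, and the fix fits on the same line, `ssl_args['ssl_ctx'].options |= ssl.OP_NO_SSLv3 | ssl.OP_NO_SSLv2 | ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1` (or, on Python 3.7+, `ssl_args['ssl_ctx'].minimum_version = ssl.TLSVersion.TLSv1_2`). The `p = 'PROTOCOL_TLS'` / `getattr(ssl, p)` indirection reads as a compatibility shim but is not one, since `getattr` has no default and still raises `AttributeError` on an interpreter without `PROTOCOL_TLS`; if it exists to satisfy a linter, a comment such as `# indirect lookup to keep the linter quiet; PROTOCOL_TLS negotiates the highest shared version` would spare the next reader the guess. `server_loop` continues outside both hunks.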
@ -42,6 +42,7 @@ if HUB_TYPE == 'eventlet':
|
|||
import ssl
|
||||
import socket
|
||||
import traceback
|
||||
import sys
|
||||
|
||||
getcurrent = eventlet.getcurrent
|
||||
sleep = eventlet.sleep
|
||||
|
@ -137,7 +138,17 @@ if HUB_TYPE == 'eventlet':
|
|||
if ssl_args:
|
||||
def wrap_and_handle(sock, addr):
|
||||
ssl_args.setdefault('server_side', True)
|
||||
handle(ssl.wrap_socket(sock, **ssl_args), addr)
|
||||
if 'ssl_ctx' in ssl_args:
|
||||
ctx = ssl_args.pop('ssl_ctx')
|
||||
ctx.load_cert_chain(ssl_args.pop('certfile'),
|
||||
ssl_args.pop('keyfile'))
|
||||
if 'cert_reqs' in ssl_args:
|
||||
ctx.verify_mode = ssl_args.pop('cert_reqs')
|
||||
if 'ca_certs' in ssl_args:
|
||||
ctx.load_verify_locations(ssl_args.pop('ca_certs'))
|
||||
handle(ctx.wrap_socket(sock, **ssl_args), addr)
|
||||
else:
|
||||
handle(ssl.wrap_socket(sock, **ssl_args), addr)
|
||||
|
||||
self.handle = wrap_and_handle
|
||||
else:
|
||||
|
|
|
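Review bot: `wrap_and_handle` in the second hunk pops `ssl_ctx`, `certfile`, `keyfile`, `cert_reqs` and `ca_certs` out of the shared `ssl_args` dict, so only the first accepted connection reaches `ctx.wrap_socket`; every later connection finds no `ssl_ctx`, falls into the `ssl.wrap_socket(sock, **ssl_args)` branch with the certificate arguments already gone, and the new test does not notice because it connects exactly once. Loading the key pair and CA bundle belongs to server setup rather than the accept path, so configure the context once before defining the closure and let the closure only wrap. The function that owns the `if ssl_args:` block starts outside the hunk.
```python
if ssl_args:
    if 'ssl_ctx' in ssl_args:
        # Configure the context once at setup; wrap_and_handle runs per
        # accepted connection and must not consume ssl_args.
        ctx = ssl_args.pop('ssl_ctx')
        ctx.load_cert_chain(ssl_args.pop('certfile'),
                            ssl_args.pop('keyfile'))
        if 'cert_reqs' in ssl_args:
            ctx.verify_mode = ssl_args.pop('cert_reqs')
        if 'ca_certs' in ssl_args:
            ctx.load_verify_locations(ssl_args.pop('ca_certs'))
        ssl_args.setdefault('server_side', True)

        def wrap_and_handle(sock, addr):
            handle(ctx.wrap_socket(sock, **ssl_args), addr)
    else:
        def wrap_and_handle(sock, addr):
            ssl_args.setdefault('server_side', True)
            handle(ssl.wrap_socket(sock, **ssl_args), addr)

    self.handle = wrap_and_handle
# … unchanged: else branch …
```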
@ -0,0 +1,21 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIDaDCCAlCgAwIBAgIJAKL09YuU92JPMA0GCSqGSIb3DQEBCwUAMEgxCzAJBgNV
|
||||
BAYTAkpQMRMwEQYDVQQIDApTb21lLVN0YXRlMSQwIgYDVQQKDBtSeXUgU0ROIEZy
|
||||
YW1ld29yayBDb21tdW5pdHkwIBcNMTkwMzI1MDE1NzQzWhgPMjI5MzAxMDYwMTU3
|
||||
NDNaMEgxCzAJBgNVBAYTAkpQMRMwEQYDVQQIDApTb21lLVN0YXRlMSQwIgYDVQQK
|
||||
DBtSeXUgU0ROIEZyYW1ld29yayBDb21tdW5pdHkwggEiMA0GCSqGSIb3DQEBAQUA
|
||||
A4IBDwAwggEKAoIBAQDLT29+6JwD75wH7gPVxU52hrysBfxE6WjyT/nT+aSIQmZu
|
||||
SU6/5hECOnV4YdyB7rxFu2WO2SD5PgeoHPBpTqtxrdTWoVOWVljnNcqEwSCS7bl9
|
||||
nbgX8uxCacg9qbFNJJRBAS0XQ2bSsD0GoOnhj3Olrz1u0wRIUqrR3A5giMbYwQPr
|
||||
S4cmkxfgp2uV+WCHk40WxZnGgWzIRhO11GK9CAGncncPYhj+23w+GFaHIf00TdV2
|
||||
JEvwLFuLf1EaewZ7rz8zf1sLHAxqx20A6VdledEpNAzt1L8goPhk1mHvRgUC7E2v
|
||||
FnSt1ePCJsVrvccudMdPBXSMfgJC2gmfdQefdSXRAgMBAAGjUzBRMB0GA1UdDgQW
|
||||
BBRjlXSQ2rVjwOr1io6iJyidmjCNfzAfBgNVHSMEGDAWgBRjlXSQ2rVjwOr1io6i
|
||||
JyidmjCNfzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCC1Uvo
|
||||
4PdC5YQSXkAhrxgVhexp87VVkoWwpno75hvfoCjtSkb7+cskvQbPM14zbjIUrsli
|
||||
qmTkjXyTUe8q5U06OitMAyM6qUvS0nFDi5aPQYV6N0XmJ+rV18prfQORyHvEmEyv
|
||||
nqHVPoQkmGPpJ8aOVrTlECyxG7wLI2UxBEB3Atk51QHzbGGLKW7g5tHY6J5cMe/9
|
||||
ydeClJk2/AXkoqWkbtJrbw46alH97CajuLn/4D9B/Rm+M1Kg48gze5zJ7+WrB0Jl
|
||||
pAhRqMM3upaOlXdeYDdNDgE0j/ulZGY2UssFIoHylcrb4QKQXjwqRXYhuuucJQJ3
|
||||
vsY4y1D/qps9llRL
|
||||
-----END CERTIFICATE-----
|
|
@ -0,0 +1,28 @@
|
|||
-----BEGIN PRIVATE KEY-----
|
||||
MIIEuwIBADANBgkqhkiG9w0BAQEFAASCBKUwggShAgEAAoIBAQDLT29+6JwD75wH
|
||||
7gPVxU52hrysBfxE6WjyT/nT+aSIQmZuSU6/5hECOnV4YdyB7rxFu2WO2SD5Pgeo
|
||||
HPBpTqtxrdTWoVOWVljnNcqEwSCS7bl9nbgX8uxCacg9qbFNJJRBAS0XQ2bSsD0G
|
||||
oOnhj3Olrz1u0wRIUqrR3A5giMbYwQPrS4cmkxfgp2uV+WCHk40WxZnGgWzIRhO1
|
||||
1GK9CAGncncPYhj+23w+GFaHIf00TdV2JEvwLFuLf1EaewZ7rz8zf1sLHAxqx20A
|
||||
6VdledEpNAzt1L8goPhk1mHvRgUC7E2vFnSt1ePCJsVrvccudMdPBXSMfgJC2gmf
|
||||
dQefdSXRAgMBAAECggEAcvPsB6Z/qB4Pa9Bg7LqNnaia/uy3cUND6lXb3MW3CK/6
|
||||
eHsMgqYTkd3502IJqpGQdCD70CPmZ+Zxr9UE/ZXUjAcMY3p952/U/o3EfwEvaMPu
|
||||
8B6AG1Jn0Tk8VdkffY2kIYkHtLKQbanmJ1xOQRG6AsEti/7V2gqbuOKiYmSTgbPG
|
||||
Upw9JNdtR6bZrGrrEXJbPCrSCej47MDyE+nt4zMIsqmY5IlbTMHcTKVDGeKbT9qT
|
||||
7/Uyg+Tb62eber9iQhE0OteLt2GwrJR5yZ5QKNKM4SPqwYlOvQ9z289eZMVU3uwI
|
||||
1NI1YRM5EMsdWrzFye7H/T/jsCaWrO0zmI/I4BMfEQKBgQDtUgPyY4PgVXVZ/hha
|
||||
l5pi66GQ79+6LJP3SHb3I6p0iULq3oV+onG0Ezvx2vc21sbuLEazNlJoXzEzSIVM
|
||||
/RjNJ9FsD/ENEuJedkspwtZZ4O4ZH6wKyHg/LCUly59ER37Ql/XwIX7adKCn7Z4d
|
||||
9xN3aQmPtLna/aIZ8HyptRpT9QKBgQDbUB67YXiIFY+k5cwtK0m8T3rY4WNpEwzr
|
||||
Y/1l+0EvXqCousU9MnLveyY8EcLDh5SnM0CvH4mFS8xL/r/kcUO9cHwuM+KZ77KN
|
||||
Ukp9CRT9raxDZY/F0FVuET4LrJNnekCMsOnMxO51il/AHcul7886sEirkB1dsXND
|
||||
nkh9h8g87QJ/cRikyN6j+kS/qCNvd7zH1lx0op2uAQs9eJsQFrbohKDlQwjIlZDU
|
||||
nvyLlLbFGV1BcD+pcb5xh0vWJppo7EexihNvug/e0FwvhNTa/QvdGvgWf+KYGotu
|
||||
wqxHB7wCKofn54CDs+xCh9kMtvqGX8FfhYiJBfMan0I//hydTEMCSQKBgEiv6E+g
|
||||
gYtQ4hf8FczOsRSZnxSstv8HUlvd+wlG2hbyHPtvU5nx04gt38E+/bdCg3FbGlAw
|
||||
eqrUMXTqjP0Q0SvDUVUa2zq76AjQwmFoli1x10tLKPieEQJ28oJ6Ayzjpus6Y3L7
|
||||
vjD02MFa3rkznxJLhPpfvGvmOVaq6km4rBQNAoGBALQGfaRiAtp6lSubi4Etdwtg
|
||||
Tps2o1SBXfzENpq6s99k+UdCBLh90uzuA897GClsUYeuAYUyxQP3otIZUuSjq/Ht
|
||||
JHYwT9QxOkSYrNCfQW/nF0CJjZ6TcvcFp8SdyUUbwCR2rkDK7LlMzxkfU3cCrwMP
|
||||
q51oIVlKjIxg86JJXrRQ
|
||||
-----END PRIVATE KEY-----
|
|
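Review bot: `cert.key` adds a private key in the clear to the repository, which every secret scanner run from now on will flag; nothing on the page says the pair is a throwaway self-signed test fixture, so a one-line note where the test loads it, `# cert.crt/cert.key are a self-signed fixture generated for this test only; never deploy them`, lets reviewers allowlist the finding deliberately instead of re-investigating it. The matching `cert.crt` in the previous section is the same fixture and is fine to keep next to it.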
@ -17,6 +17,7 @@
|
|||
|
||||
import json
|
||||
import os
|
||||
import ssl
|
||||
import sys
|
||||
import warnings
|
||||
import logging
|
||||
|
@ -29,9 +30,11 @@ from nose.tools import eq_, raises
|
|||
from os_ken.base import app_manager # To suppress cyclic import
|
||||
from os_ken.controller import controller
|
||||
from os_ken.controller import handler
|
||||
from os_ken.lib import hub
|
||||
from os_ken.ofproto import ofproto_v1_3_parser
|
||||
from os_ken.ofproto import ofproto_v1_2_parser
|
||||
from os_ken.ofproto import ofproto_v1_0_parser
|
||||
hub.patch()
|
||||
|
||||
|
||||
LOG = logging.getLogger('test_controller')
|
||||
|
@ -173,3 +176,52 @@ class Test_Datapath(unittest.TestCase):
|
|||
self.assertEqual(state, handler.MAIN_DISPATCHER)
|
||||
self.assertEqual(kwargs, {})
|
||||
self.assertEqual(expected_json, output_json)
|
||||
|
||||
|
||||
class TestOpenFlowController(unittest.TestCase):
|
||||
"""
|
||||
Test cases for OpenFlowController
|
||||
"""
|
||||
@mock.patch("os_ken.controller.controller.CONF")
|
||||
def _test_ssl(self, this_dir, port, conf_mock):
|
||||
conf_mock.ofp_ssl_listen_port = port
|
||||
conf_mock.ofp_listen_host = "127.0.0.1"
|
||||
conf_mock.ca_certs = None
|
||||
conf_mock.ctl_cert = os.path.join(this_dir, 'cert.crt')
|
||||
conf_mock.ctl_privkey = os.path.join(this_dir, 'cert.key')
|
||||
c = controller.OpenFlowController()
|
||||
c()
|
||||
|
||||
def test_ssl(self):
|
||||
"""Tests SSL server functionality."""
|
||||
# TODO: TLS version enforcement is necessary to avoid
|
||||
# vulnerable versions. Currently, this only tests TLS
|
||||
# connectivity.
|
||||
this_dir = os.path.dirname(sys.modules[__name__].__file__)
|
||||
saved_exception = None
|
||||
try:
|
||||
ssl_version = ssl.PROTOCOL_TLS
|
||||
except AttributeError:
|
||||
# For compatibility with older pythons.
|
||||
ssl_version = ssl.PROTOCOL_TLSv1
|
||||
for i in range(3):
|
||||
try:
|
||||
# Try a few times as this can fail with EADDRINUSE
|
||||
port = random.randint(5000, 10000)
|
||||
server = hub.spawn(self._test_ssl, this_dir, port)
|
||||
hub.sleep(1)
|
||||
client = hub.StreamClient(("127.0.0.1", port),
|
||||
timeout=5,
|
||||
ssl_version=ssl_version)
|
||||
if client.connect() is not None:
|
||||
break
|
||||
except Exception as e:
|
||||
saved_exception = e
|
||||
continue
|
||||
finally:
|
||||
try:
|
||||
hub.kill(server)
|
||||
except Exception:
|
||||
pass
|
||||
else:
|
||||
self.fail("Failed to connect: " + str(saved_exception))
|
||||
|
|
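Review bot: Failures inside `_test_ssl` are invisible to `test_ssl`, because it runs in a greenlet from `hub.spawn`; an exception there (for instance the server-side `getattr(ssl, 'PROTOCOL_TLS')` on an interpreter that lacks the attribute, the very case the client-side `except AttributeError` fallback to `PROTOCOL_TLSv1` is written for) only shows up as a client connect failure, and when `client.connect()` returns `None` on all three attempts without raising, the report is `Failed to connect: None`. Having `_test_ssl` store the exception on `self` and asserting on it in the `else` branch would name the real cause. `random.randint` is used at `port = random.randint(5000, 10000)` while the import hunk at the top of the file only adds `ssl`; if `random` is not already imported earlier in the file this raises `NameError` on the first iteration, which the `except Exception` then hides behind the same "Failed to connect" message. The test also only proves that a `PROTOCOL_TLS` client can connect; once the server enforces a version floor, a second connect with `ssl_version=ssl.PROTOCOL_TLSv1` that is expected to fail would turn the TODO into an actual check.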