Add x-ssl option to attempt a minimal SSL connection
When set, the connection uses the system's default CA bundle to validate the peer's certificate while establishing an SSL connection. It is intended for client connections.
parent
ee321eca78
commit
1c354eccc9
|
@ -24,6 +24,7 @@ import heapq
|
|||
import logging
|
||||
import proton
|
||||
import warnings
|
||||
import ssl
|
||||
|
||||
from pyngus.endpoint import Endpoint
|
||||
from pyngus.link import _Link
|
||||
|
@ -169,6 +170,11 @@ class Connection(Endpoint):
|
|||
this property is ignored if any of the other SASL related properties
|
||||
are set.
|
||||
|
||||
x-ssl: boolean, Allows clients to connect using SSL setting a minimum
|
||||
viable configuration (using the system's CA bundle to validate the
|
||||
peer's certificate). This setting is overwritten if subsequent SSL
|
||||
settings are found.
|
||||
|
||||
x-ssl-identity: tuple, contains identifying certificate information
|
||||
which will be presented to the peer. The first item in the tuple is
|
||||
the path to the certificate file (PEM format). The second item is the
|
||||
|
@ -730,6 +736,9 @@ class Connection(Endpoint):
|
|||
identity = properties.get('x-ssl-identity')
|
||||
ca_file = properties.get('x-ssl-ca-file')
|
||||
|
||||
if properties.get('x-ssl') and not ca_file:
|
||||
ca_file = ssl.get_default_verify_paths().cafile
|
||||
|
||||
if not identity and not ca_file:
|
||||
return None # SSL not configured
|
||||
|
||||
|
|
|
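Review bot: When `x-ssl` is set but no bundle file is found, `ssl.get_default_verify_paths().cafile` returns `None`, so `ca_file` stays falsy and the following `if not identity and not ca_file: return None` silently proceeds without SSL — the caller asked for TLS and gets a plaintext connection. `cafile` is `None` whenever OpenSSL's default bundle path does not exist (distributions that ship only a `capath` directory, or an unset/incorrect `SSL_CERT_FILE`), so this is not a corner case. I would fail loudly instead: right after the lookup add `if not ca_file: raise ValueError("x-ssl requested but no system CA bundle was found")` (or the module's own SSL error type, if one exists outside this hunk), optionally falling back to the `.capath` value the same call returns. The `x-ssl` docstring should also state that the lookup honours the `SSL_CERT_FILE`/`SSL_CERT_DIR` environment variables, so the trusted roots are only as trustworthy as the process environment. The enclosing method continues outside the hunk, so I cannot see whether the default verify mode enforces peer and hostname verification when only `x-ssl` is given.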
@ -24,6 +24,7 @@ import subprocess
|
|||
import tempfile
|
||||
import time
|
||||
from string import Template
|
||||
import ssl
|
||||
|
||||
from proton import Condition
|
||||
from proton import Message
|
||||
|
@ -351,7 +352,9 @@ class APITest(common.Test):
|
|||
server_password="server-password",
|
||||
server_dns="some.server.com",
|
||||
client_password=None,
|
||||
client_dns=None):
|
||||
client_dns=None,
|
||||
verify_peer=True,
|
||||
use_system_ca_bundle=False):
|
||||
|
||||
def _testpath(file):
|
||||
""" Set the full path to the PEM files."""
|
||||
|
@ -369,10 +372,18 @@ class APITest(common.Test):
|
|||
|
||||
server = self.container1.create_connection("server",
|
||||
properties=s_props)
|
||||
|
||||
c_props = {"x-ssl-ca-file": _testpath("ca-certificate.pem"),
|
||||
"x-ssl-verify-mode": "verify-peer",
|
||||
"x-ssl-peer-name": server_dns}
|
||||
c_props = {}
|
||||
if use_system_ca_bundle:
|
||||
c_props.update({"x-ssl": True})
|
||||
# Overwrite the SSL_CERT_FILE which is used by OpenSSL to use as a
|
||||
# CA bundle. This way we don't need a server certificate trusted by
|
||||
# the system.
|
||||
os.environ['SSL_CERT_FILE'] = _testpath("ca-certificate.pem")
|
||||
else:
|
||||
c_props.update({"x-ssl-ca-file": _testpath("ca-certificate.pem")})
|
||||
if verify_peer:
|
||||
c_props.update({"x-ssl-verify-mode": "verify-peer",
|
||||
"x-ssl-peer-name": server_dns})
|
||||
if client_password:
|
||||
c_props['x-ssl-identity'] = (_testpath("client-certificate.pem"),
|
||||
_testpath("client-private-key.pem"),
|
||||
|
@ -390,6 +401,15 @@ class APITest(common.Test):
|
|||
except SSLUnavailable:
|
||||
raise common.Skipped("SSL not available.")
|
||||
|
||||
def test_ssl_ok_using_system_ca(self):
|
||||
try:
|
||||
if 'OpenSSL' in ssl.OPENSSL_VERSION:
|
||||
self._test_ssl(use_system_ca_bundle=True)
|
||||
else:
|
||||
raise common.Skipped("OpenSSL not available.")
|
||||
except SSLUnavailable:
|
||||
raise common.Skipped("SSL not available.")
|
||||
|
||||
def test_ssl_pw_fail(self):
|
||||
try:
|
||||
self._test_ssl(server_password="bad-server-password")
|
||||
|
@ -428,6 +448,12 @@ class APITest(common.Test):
|
|||
# should fail to open the certificate
|
||||
pass
|
||||
|
||||
def test_ssl_no_verify_peer(self):
|
||||
try:
|
||||
self._test_ssl(verify_peer=False)
|
||||
except SSLUnavailable:
|
||||
raise common.Skipped("SSL not available.")
|
||||
|
||||
def test_ssl_client_name_fail(self):
|
||||
try:
|
||||
self._test_ssl(client_password="client-password",
|
||||
|
|
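Review bot: `os.environ['SSL_CERT_FILE'] = _testpath("ca-certificate.pem")` in `_test_ssl` mutates the process environment and never restores it, so every test that runs afterwards in the same process (and any default `ssl` context they build) silently trusts the test CA instead of the system bundle. Save the previous value before the assignment, e.g. `prev = os.environ.get('SSL_CERT_FILE')`, and reinstate it (or `os.environ.pop('SSL_CERT_FILE', None)`) in a `finally`/teardown once the connections are closed; `unittest.mock.patch.dict(os.environ, ...)` achieves the same if the suite is `unittest`-based. The gate `if 'OpenSSL' in ssl.OPENSSL_VERSION` in `test_ssl_ok_using_system_ca` also skips on LibreSSL/BoringSSL builds although `get_default_verify_paths()` works there; checking that `ssl.get_default_verify_paths().cafile` is usable after the override is the more direct precondition. `_test_ssl` continues outside the hunk, so I cannot see where the connections are torn down and where the restore belongs.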