diff --git a/ec2api/wsgi.py b/ec2api/wsgi.py
index 961dae35..3af54e82 100644
--- a/ec2api/wsgi.py
+++ b/ec2api/wsgi.py
@@ -47,6 +47,9 @@ wsgi_opts = [
                'generate log lines. The following values can be formatted '
                'into it: client_ip, date_time, request_line, status_code, '
                'body_length, wall_seconds.'),
+    cfg.StrOpt('ssl_ca_file',
+               help="Path to the CA certificate file that should be used"
+                    "to verify connecting clients."),
     cfg.StrOpt('ssl_cert_file',
                help="SSL certificate of API server"),
     cfg.StrOpt('ssl_key_file',
@@ -157,17 +160,19 @@ class Server(ServiceBase):
         if self._use_ssl:
             try:
+                ca_file = CONF.ssl_ca_file
                 cert_file = CONF.ssl_cert_file
                 key_file = CONF.ssl_key_file
+                if ca_file and not os.path.exists(ca_file):
+                    raise RuntimeError(
+                        _("Unable to find ca_file : %s") % ca_file)
                 if cert_file and not os.path.exists(cert_file):
                     raise RuntimeError(_("Unable to find cert_file : %s")
                                        % cert_file)
-
                 if key_file and not os.path.exists(key_file):
                     raise RuntimeError(_("Unable to find key_file : %s")
                                        % key_file)
-
                 if self._use_ssl and (not cert_file or not key_file):
                     raise RuntimeError(_("When running server in SSL mode, "
                                          "you must specify both a cert_file "
@@ -180,6 +185,10 @@ class Server(ServiceBase):
                 'cert_reqs': ssl.CERT_NONE,
             }
+            if ca_file:
+                ssl_kwargs['ca_certs'] = ca_file
+                ssl_kwargs['cert_reqs'] = ssl.CERT_REQUIRED
+
             dup_socket = eventlet.wrap_ssl(dup_socket, **ssl_kwargs)
         except Exception:
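Review bot: The help text for the new `ssl_ca_file` option in the first hunk is built from two adjacent string literals with no separating space, so it renders as "...that should be usedto verify connecting clients."; the first literal should end with a trailing space, `help="Path to the CA certificate file that should be used "`. The help text also understates the option's effect: the later hunk sets `cert_reqs` to `ssl.CERT_REQUIRED` whenever a CA file is configured, so the server then rejects any client that does not present a certificate chaining to that CA, and leaving the option unset keeps `CERT_NONE`, i.e. no client authentication at all. Stating that in the help, for example `"Setting this enables mandatory client certificate verification (CERT_REQUIRED); unset, clients are not authenticated."`, lets operators understand which mode they are deploying. The same option list continues outside the hunk.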