loncom/lonssl.pm - diff

Return to lonssl.pm CVS log

Up to [LON-CAPA] / loncom

Diff for /loncom/lonssl.pm between versions 1.16 and 1.21

version 1.16, 2018/07/29 03:03:36	version 1.21, 2018/12/10 17:34:22
Line 112 sub SetFdBlocking {	Line 112 sub SetFdBlocking {
# Socket IO::Socket::INET Original ordinary socket.	# Socket IO::Socket::INET Original ordinary socket.
# CACert string Full path name to the certificate	# CACert string Full path name to the certificate
# authority certificate file.	# authority certificate file.
# MyCert string Full path name to the certificate	# MyCert string Full path name to the certificate
# issued to this host.	# issued to this host.
# KeyFile string Full pathname to the host's private	# KeyFile string Full pathname to the host's private
# key file for the certificate.	# key file for the certificate.
# peer string lonHostID of remote LON-CAPA server	# peer string lonid of remote LON-CAPA server
	# peerdef string default lonHostID of remote server
	# CRLFile Full path name to the certificate
	# revocation list file for the cluster
	# to which server belongs (optional)

# Returns	# Returns
# - Reference to an SSL socket on success	# - Reference to an SSL socket on success
# - undef on failure. Reason for failure can be interrogated from	# - undef on failure. Reason for failure can be interrogated from
Line 129 sub PromoteClientSocket {	Line 134 sub PromoteClientSocket {
$CACert,	$CACert,
$MyCert,	$MyCert,
$KeyFile,	$KeyFile,
$peer) = @_;	$peer,
	$peerdef,
	$CRLFile) = @_;
Debug("Client promotion using key: $KeyFile, Cert: $MyCert, CA: $CACert, Remote Host: $peer\n");
	Debug("Client promotion using key: $KeyFile, Cert: $MyCert, CA: $CACert, CRL: $CRLFile, Remote Host: $peer\n");

# To create the ssl socket we need to duplicate the existing	# To create the ssl socket we need to duplicate the existing
# socket. Otherwise closing the ssl socket will close the plaintext socket	# socket. Otherwise closing the ssl socket will close the plaintext socket
Line 150 sub PromoteClientSocket {	Line 156 sub PromoteClientSocket {
# Starting with rev. 1.95, the default became SSL_VERIFY_PEER which	# Starting with rev. 1.95, the default became SSL_VERIFY_PEER which
# prevents an SSL connection to lond unless SSL_verifycn_name is set	# prevents an SSL connection to lond unless SSL_verifycn_name is set
# to the lonHostID of the remote host, (and the remote certificate has	# to the lonHostID of the remote host, (and the remote certificate has
# the remote lonHostID as CN, and has been signed by the LON-CAPA CA.	# the remote lonHostID as CN, and has been signed by the LON-CAPA CA.
# Set SSL_verify_mode to Net::SSLeay::VERIFY_PEER() instead of to	# Set SSL_verify_mode to Net::SSLeay::VERIFY_PEER() instead of to
# SSL_VERIFY_PEER for compatibility with IO::Socket::SSL rev. 1.01	# SSL_VERIFY_PEER for compatibility with IO::Socket::SSL rev. 1.01
# used by CentOS/RHEL/Scientific Linux 5).	# used by CentOS/RHEL/Scientific Linux 5).

my $client = IO::Socket::SSL->new_from_fd($dupfno,	my $verify_cn = $peerdef;
SSL_use_cert => 1,	if ($verify_cn eq '') {
SSL_key_file => $KeyFile,	$verify_cn = $peer;
SSL_cert_file => $MyCert,	}
SSL_ca_file => $CACert,
SSL_verifycn_name => $peer,	my %sslargs = (SSL_use_cert => 1,
SSL_verify_mode => Net::SSLeay::VERIFY_PEER());	SSL_key_file => $KeyFile,
	SSL_cert_file => $MyCert,
	SSL_ca_file => $CACert,
	SSL_verifycn_name => $verify_cn,
	SSL_verify_mode => Net::SSLeay::VERIFY_PEER());
	if (($CRLFile ne '') && (-e $CRLFile)) {
	$sslargs{SSL_check_crl} = 1;
	$sslargs{SSL_crl_file} = $CRLFile;
	}
	my $client = IO::Socket::SSL->new_from_fd($dupfno,%sslargs);
if(!$client) {	if(!$client) {
$lasterror = IO::Socket::SSL::errstr();	if ($IO::Socket::SSL::SSL_ERROR == -1) {
	$lasterror = -1;
	}
return undef;	return undef;
}	}
return $client; # Undef if the client negotiation fails.	return $client; # Undef if the client negotiation fails.
Line 182 sub PromoteClientSocket {	Line 198 sub PromoteClientSocket {
# issued to this host.	# issued to this host.
# KeyFile string Full pathname to the host's private	# KeyFile string Full pathname to the host's private
# key file for the certificate.	# key file for the certificate.
# peer string lonHostID of remote LON-CAPA client	# peer string lonHostID of remote LON-CAPA client
	# CRLFile Full path name to the certificate
	# revocation list file for the cluster
	# to which server belongs (optional)
	# clientversion LON-CAPA version running on remote
	# client
# Returns	# Returns
# - Reference to an SSL socket on success	# - Reference to an SSL socket on success
# - undef on failure. Reason for failure can be interrogated from	# - undef on failure. Reason for failure can be interrogated from
Line 195 sub PromoteServerSocket {	Line 216 sub PromoteServerSocket {
$CACert,	$CACert,
$MyCert,	$MyCert,
$KeyFile,	$KeyFile,
$peer) = @_;	$peer,
	$CRLFile,
	$clientversion) = @_;

# To create the ssl socket we need to duplicate the existing	# To create the ssl socket we need to duplicate the existing
# socket. Otherwise closing the ssl socket will close the plaintext socket	# socket. Otherwise closing the ssl socket will close the plaintext socket
Line 211 sub PromoteServerSocket {	Line 232 sub PromoteServerSocket {
Debug("dup failed: $!\n");	Debug("dup failed: $!\n");
}	}
Debug(" Fileno = $dupfno\n");	Debug(" Fileno = $dupfno\n");
my $client = IO::Socket::SSL->new_from_fd($dupfno,	my %sslargs = (SSL_server => 1, # Server role.
SSL_server => 1, # Server role.	SSL_use_cert => 1,
SSL_use_cert => 1,	SSL_key_file => $KeyFile,
SSL_key_file => $KeyFile,	SSL_cert_file => $MyCert,
SSL_cert_file => $MyCert,	SSL_ca_file => $CACert);
SSL_ca_file => $CACert,	my ($major,$minor) = split(/\./,$clientversion);
SSL_verifycn_name => $peer,	if (($major < 2) \|\| ($major == 2 && $minor < 12)) {
SSL_verify_mode => Net::SSLeay::VERIFY_PEER());	$sslargs{SSL_verify_mode} = Net::SSLeay::VERIFY_NONE();
	} else {
	$sslargs{SSL_verifycn_name} = $peer;
	$sslargs{SSL_verify_mode} = Net::SSLeay::VERIFY_PEER();
	if (($CRLFile ne '') && (-e $CRLFile)) {
	$sslargs{SSL_check_crl} = 1;
	$sslargs{SSL_crl_file} = $CRLFile;
	}
	}
	my $client = IO::Socket::SSL->new_from_fd($dupfno,%sslargs);
if(!$client) {	if(!$client) {
$lasterror = IO::Socket::SSL::errstr();	if ($IO::Socket::SSL::SSL_ERROR == -1) {
	$lasterror = -1;
	}
return undef;	return undef;
}	}
return $client;	return $client;
Line 342 sub KeyFile {	Line 374 sub KeyFile {
return $KeyFilename;	return $KeyFilename;
}	}

	sub CRLFile {

	# I need some perl variables from the configuration file for this:

	my $CertificateDir = $perlvar->{lonCertificateDirectory};
	my $CRLFilename = $perlvar->{lonnetCertRevocationList};

	# Ensure the variables exist:

	if((!$CertificateDir) \|\| (!$CRLFilename)) {
	$lasterror = "Missing parameter dir: $CertificateDir "
	."CRL file: $CRLFilename";
	return undef;
	}

	# Build the actual filename and ensure that it not only exists but
	# is also readable:

	$CRLFilename = $CertificateDir.$pathsep.$CRLFilename;
	if(! (-r $CRLFilename)) {
	$lasterror = "Unreadable key file $CRLFilename";
	return undef;
	}

	return $CRLFilename;
	}

	sub BadCertDir {
	my $SocketDir = $perlvar->{lonSockDir};
	if (-d "$SocketDir/nosslverify/") {
	return "$SocketDir/nosslverify"
	}
	}

	sub has_badcert_file {
	my ($client) = @_;
	my $SocketDir = $perlvar->{lonSockDir};
	if (-e "$SocketDir/nosslverify/$client") {
	return 1;
	}
	return;
	}

sub Read_Connect_Config {	sub Read_Connect_Config {
my ($secureconf,$perlvarref) = @_;	my ($secureconf,$perlvarref) = @_;
return unless (ref($secureconf) eq 'HASH');	return unless (ref($secureconf) eq 'HASH');
Line 349 sub Read_Connect_Config {	Line 424 sub Read_Connect_Config {
unless (ref($perlvarref) eq 'HASH') {	unless (ref($perlvarref) eq 'HASH') {
$perlvarref = $perlvar;	$perlvarref = $perlvar;
}	}

# Clean out the old table first.	# Clean out the old table first.
foreach my $key (keys(%{$secureconf})) {	foreach my $key (keys(%{$secureconf})) {
delete($secureconf->{$key});	delete($secureconf->{$key});
Line 357 sub Read_Connect_Config {	Line 432 sub Read_Connect_Config {

my $result;	my $result;
my $tablename = $perlvarref->{'lonTabDir'}."/connectionrules.tab";	my $tablename = $perlvarref->{'lonTabDir'}."/connectionrules.tab";
if (open(my $fh,"<$tablename")) {	if (open(my $fh,'<',$tablename)) {
while (my $line = <$fh>) {	while (my $line = <$fh>) {
chomp($line);	chomp($line);
my ($name,$value) = split(/=/,$line);	my ($name,$value) = split(/=/,$line);
Line 380 sub Read_Host_Types {	Line 455 sub Read_Host_Types {
unless (ref($perlvarref) eq 'HASH') {	unless (ref($perlvarref) eq 'HASH') {
$perlvarref = $perlvar;	$perlvarref = $perlvar;
}	}

# Clean out the old table first.	# Clean out the old table first.
foreach my $key (keys(%{$hosttypes})) {	foreach my $key (keys(%{$hosttypes})) {
delete($hosttypes->{$key});	delete($hosttypes->{$key});
Line 388 sub Read_Host_Types {	Line 463 sub Read_Host_Types {

my $result;	my $result;
my $tablename = $perlvarref->{'lonTabDir'}."/hosttypes.tab";	my $tablename = $perlvarref->{'lonTabDir'}."/hosttypes.tab";
if (open(my $fh,"<$tablename")) {	if (open(my $fh,'<',$tablename)) {
while (my $line = <$fh>) {	while (my $line = <$fh>) {
chomp($line);	chomp($line);
my ($name,$value) = split(/:/,$line);	my ($name,$value) = split(/:/,$line);

FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>

Removed from v.1.16
changed lines
	Added in v.1.21