version 1.18, 2018/08/09 13:27:55
|
version 1.23, 2018/12/11 15:15:26
|
Line 112 sub SetFdBlocking {
|
Line 112 sub SetFdBlocking {
|
# Socket IO::Socket::INET Original ordinary socket. |
# Socket IO::Socket::INET Original ordinary socket. |
# CACert string Full path name to the certificate |
# CACert string Full path name to the certificate |
# authority certificate file. |
# authority certificate file. |
# MyCert string Full path name to the certificate |
# MyCert string Full path name to the certificate |
# issued to this host. |
# issued to this host. |
# KeyFile string Full pathname to the host's private |
# KeyFile string Full pathname to the host's private |
# key file for the certificate. |
# key file for the certificate. |
# peer string lonHostID of remote LON-CAPA server |
# peer string lonid of remote LON-CAPA server |
|
# peerdef string default lonHostID of remote server |
# CRLFile Full path name to the certificate |
# CRLFile Full path name to the certificate |
# revocation list file for the cluster |
# revocation list file for the cluster |
# to which server belongs (optional) |
# to which server belongs (optional) |
Line 134 sub PromoteClientSocket {
|
Line 135 sub PromoteClientSocket {
|
$MyCert, |
$MyCert, |
$KeyFile, |
$KeyFile, |
$peer, |
$peer, |
|
$peerdef, |
$CRLFile) = @_; |
$CRLFile) = @_; |
|
|
Debug("Client promotion using key: $KeyFile, Cert: $MyCert, CA: $CACert, CRL: $CRLFile, Remote Host: $peer\n"); |
Debug("Client promotion using key: $KeyFile, Cert: $MyCert, CA: $CACert, CRL: $CRLFile, Remote Host: $peer, RemoteDefHost: $peerdef\n"); |
|
|
# To create the ssl socket we need to duplicate the existing |
# To create the ssl socket we need to duplicate the existing |
# socket. Otherwise closing the ssl socket will close the plaintext socket |
# socket. Otherwise closing the ssl socket will close the plaintext socket |
Line 158 sub PromoteClientSocket {
|
Line 160 sub PromoteClientSocket {
|
# Set SSL_verify_mode to Net::SSLeay::VERIFY_PEER() instead of to |
# Set SSL_verify_mode to Net::SSLeay::VERIFY_PEER() instead of to |
# SSL_VERIFY_PEER for compatibility with IO::Socket::SSL rev. 1.01 |
# SSL_VERIFY_PEER for compatibility with IO::Socket::SSL rev. 1.01 |
# used by CentOS/RHEL/Scientific Linux 5). |
# used by CentOS/RHEL/Scientific Linux 5). |
|
|
|
my $verify_cn = $peerdef; |
|
if ($verify_cn eq '') { |
|
$verify_cn = $peer; |
|
} |
|
|
my %sslargs = (SSL_use_cert => 1, |
my %sslargs = (SSL_use_cert => 1, |
SSL_key_file => $KeyFile, |
SSL_key_file => $KeyFile, |
SSL_cert_file => $MyCert, |
SSL_cert_file => $MyCert, |
SSL_ca_file => $CACert, |
SSL_ca_file => $CACert, |
SSL_verifycn_name => $peer, |
SSL_verifycn_name => $verify_cn, |
SSL_verify_mode => Net::SSLeay::VERIFY_PEER()); |
SSL_verify_mode => Net::SSLeay::VERIFY_PEER()); |
if (($CRLFile ne '') && (-e $CRLFile)) { |
if (($CRLFile ne '') && (-e $CRLFile)) { |
$sslargs{SSL_check_crl} = 1; |
$sslargs{SSL_check_crl} = 1; |
Line 238 sub PromoteServerSocket {
|
Line 245 sub PromoteServerSocket {
|
$sslargs{SSL_verify_mode} = Net::SSLeay::VERIFY_PEER(); |
$sslargs{SSL_verify_mode} = Net::SSLeay::VERIFY_PEER(); |
if (($CRLFile ne '') && (-e $CRLFile)) { |
if (($CRLFile ne '') && (-e $CRLFile)) { |
$sslargs{SSL_check_crl} = 1; |
$sslargs{SSL_check_crl} = 1; |
$sslargs{SSL_crl_file} = $CRLFile; |
$sslargs{SSL_crl_file} = $CRLFile; |
} |
} |
} |
} |
my $client = IO::Socket::SSL->new_from_fd($dupfno,%sslargs); |
my $client = IO::Socket::SSL->new_from_fd($dupfno,%sslargs); |
Line 411 sub has_badcert_file {
|
Line 418 sub has_badcert_file {
|
} |
} |
|
|
sub Read_Connect_Config { |
sub Read_Connect_Config { |
my ($secureconf,$checkedcrl,$perlvarref) = @_; |
my ($secureconf,$perlvarref,$crlcheckedref) = @_; |
return unless ((ref($secureconf) eq 'HASH') && (ref($checkedcrl) eq 'HASH')); |
return unless (ref($secureconf) eq 'HASH'); |
|
|
unless (ref($perlvarref) eq 'HASH') { |
unless (ref($perlvarref) eq 'HASH') { |
$perlvarref = $perlvar; |
$perlvarref = $perlvar; |
} |
} |
|
|
# Clear hash of clients for which Certificate Revocation List checked |
# Clear hash of clients in lond for which Certificate Revocation List checked |
foreach my $key (keys(%{$checkedcrl})) { |
if (ref($crlcheckedref) eq 'HASH') { |
delete($checkedcrl->{$key}); |
foreach my $key (keys(%{$crlcheckedref})) { |
|
delete($crlcheckedref->{$key}); |
|
} |
} |
} |
# Clean out the old table first. |
# Clean out the old table first. |
foreach my $key (keys(%{$secureconf})) { |
foreach my $key (keys(%{$secureconf})) { |
Line 429 sub Read_Connect_Config {
|
Line 438 sub Read_Connect_Config {
|
|
|
my $result; |
my $result; |
my $tablename = $perlvarref->{'lonTabDir'}."/connectionrules.tab"; |
my $tablename = $perlvarref->{'lonTabDir'}."/connectionrules.tab"; |
if (open(my $fh,"<$tablename")) { |
if (open(my $fh,'<',$tablename)) { |
while (my $line = <$fh>) { |
while (my $line = <$fh>) { |
chomp($line); |
chomp($line); |
my ($name,$value) = split(/=/,$line); |
my ($name,$value) = split(/=/,$line); |
Line 452 sub Read_Host_Types {
|
Line 461 sub Read_Host_Types {
|
unless (ref($perlvarref) eq 'HASH') { |
unless (ref($perlvarref) eq 'HASH') { |
$perlvarref = $perlvar; |
$perlvarref = $perlvar; |
} |
} |
|
|
# Clean out the old table first. |
# Clean out the old table first. |
foreach my $key (keys(%{$hosttypes})) { |
foreach my $key (keys(%{$hosttypes})) { |
delete($hosttypes->{$key}); |
delete($hosttypes->{$key}); |
Line 460 sub Read_Host_Types {
|
Line 469 sub Read_Host_Types {
|
|
|
my $result; |
my $result; |
my $tablename = $perlvarref->{'lonTabDir'}."/hosttypes.tab"; |
my $tablename = $perlvarref->{'lonTabDir'}."/hosttypes.tab"; |
if (open(my $fh,"<$tablename")) { |
if (open(my $fh,'<',$tablename)) { |
while (my $line = <$fh>) { |
while (my $line = <$fh>) { |
chomp($line); |
chomp($line); |
my ($name,$value) = split(/:/,$line); |
my ($name,$value) = split(/:/,$line); |