Diff for /loncom/lonssl.pm between versions 1.15 and 1.16

version 1.15, 2017/02/28 05:42:06 version 1.16, 2018/07/29 03:03:36
Line 116  sub SetFdBlocking { Line 116  sub SetFdBlocking {
 #                                          issued to this host.  #                                          issued to this host.
 #                KeyFile string       Full pathname to the host's private   #                KeyFile string       Full pathname to the host's private 
 #                                          key file for the certificate.  #                                          key file for the certificate.
   #               peer    string             lonHostID of remote LON-CAPA server 
 # Returns  # Returns
 # - Reference to an SSL socket on success  # - Reference to an SSL socket on success
 #       - undef on failure.  Reason for failure can be interrogated from   #       - undef on failure.  Reason for failure can be interrogated from 
Line 127  sub PromoteClientSocket { Line 128  sub PromoteClientSocket {
     my ($PlaintextSocket,      my ($PlaintextSocket,
  $CACert,   $CACert,
  $MyCert,   $MyCert,
  $KeyFile)          = @_;   $KeyFile,
           $peer)          = @_;
           
           
     Debug("Client promotion using key: $KeyFile, Cert: $MyCert, CA: $CACert\n");      Debug("Client promotion using key: $KeyFile, Cert: $MyCert, CA: $CACert, Remote Host: $peer\n");
   
     # To create the ssl socket we need to duplicate the existing      # To create the ssl socket we need to duplicate the existing
     # socket.  Otherwise closing the ssl socket will close the plaintext socket      # socket.  Otherwise closing the ssl socket will close the plaintext socket
Line 146  sub PromoteClientSocket { Line 148  sub PromoteClientSocket {
     # mode of SSL_VERIFY_NONE should be explicitly set for client, if       # mode of SSL_VERIFY_NONE should be explicitly set for client, if 
     # verification is not to be used, and SSL_verify_mode is not set.      # verification is not to be used, and SSL_verify_mode is not set.
     # Starting with rev. 1.95, the default became SSL_VERIFY_PEER which      # Starting with rev. 1.95, the default became SSL_VERIFY_PEER which
     # prevents connections to lond.      # prevents an SSL connection to lond unless SSL_verifycn_name is set
     # Set SSL_verify_mode to Net::SSLeay::VERIFY_NONE() instead of to      # to the lonHostID of the remote host, (and the remote certificate has
     # SSL_VERIFY_NONE for compatibility with IO::Socket::SSL rev. 1.01      # the remote lonHostID as CN, and has been signed by the LON-CAPA CA. 
       # Set SSL_verify_mode to Net::SSLeay::VERIFY_PEER() instead of to
       # SSL_VERIFY_PEER for compatibility with IO::Socket::SSL rev. 1.01
     # used by CentOS/RHEL/Scientific Linux 5).      # used by CentOS/RHEL/Scientific Linux 5).
           
     my $client = IO::Socket::SSL->new_from_fd($dupfno,      my $client = IO::Socket::SSL->new_from_fd($dupfno,
Line 156  sub PromoteClientSocket { Line 160  sub PromoteClientSocket {
       SSL_key_file  => $KeyFile,        SSL_key_file  => $KeyFile,
       SSL_cert_file => $MyCert,        SSL_cert_file => $MyCert,
       SSL_ca_file   => $CACert,        SSL_ca_file   => $CACert,
       SSL_verify_mode => Net::SSLeay::VERIFY_NONE());        SSL_verifycn_name => $peer,
         SSL_verify_mode => Net::SSLeay::VERIFY_PEER());
           
     if(!$client) {      if(!$client) {
  $lasterror = IO::Socket::SSL::errstr();   $lasterror = IO::Socket::SSL::errstr();
Line 168  sub PromoteClientSocket { Line 173  sub PromoteClientSocket {
 #----------------------------------------------------------------------  #----------------------------------------------------------------------
 # Name PromoteServerSocket  # Name PromoteServerSocket
 # Description Given an ordinary IO::Socket::INET Creates an SSL socket   # Description Given an ordinary IO::Socket::INET Creates an SSL socket 
 #               for a server that is connected to the same client.l  #               for a server that is connected to the same client.
 # Parameters Name Type           Description  # Parameters Name Type           Description
 #               Socket IO::Socket::INET   Original ordinary socket.  #               Socket IO::Socket::INET   Original ordinary socket.
 #               CACert string           Full path name to the certificate   #               CACert string           Full path name to the certificate 
Line 177  sub PromoteClientSocket { Line 182  sub PromoteClientSocket {
 #                                          issued to this host.  #                                          issued to this host.
 #                KeyFile string       Full pathname to the host's private   #                KeyFile string       Full pathname to the host's private 
 #                                          key file for the certificate.  #                                          key file for the certificate.
   #                peer   string             lonHostID of remote LON-CAPA client
 # Returns  # Returns
 # - Reference to an SSL socket on success  # - Reference to an SSL socket on success
 #       - undef on failure.  Reason for failure can be interrogated from   #       - undef on failure.  Reason for failure can be interrogated from 
Line 188  sub PromoteServerSocket { Line 194  sub PromoteServerSocket {
     my ($PlaintextSocket,      my ($PlaintextSocket,
  $CACert,   $CACert,
  $MyCert,   $MyCert,
  $KeyFile)          = @_;   $KeyFile,
           $peer)          = @_;
   
   
   
Line 209  sub PromoteServerSocket { Line 216  sub PromoteServerSocket {
       SSL_use_cert  => 1,        SSL_use_cert  => 1,
       SSL_key_file  => $KeyFile,        SSL_key_file  => $KeyFile,
       SSL_cert_file => $MyCert,        SSL_cert_file => $MyCert,
       SSL_ca_file   => $CACert);        SSL_ca_file   => $CACert,
         SSL_verifycn_name => $peer,
         SSL_verify_mode => Net::SSLeay::VERIFY_PEER());
     if(!$client) {      if(!$client) {
  $lasterror = IO::Socket::SSL::errstr();   $lasterror = IO::Socket::SSL::errstr();
  return undef;   return undef;
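Review bot: In the PromoteServerSocket hunk, `SSL_verifycn_name => $peer` on the accepting side most likely has no effect: IO::Socket::SSL runs its hostname/CN identity check only when it acts as a client, so the server verifies the client certificate's chain against `SSL_ca_file` but does not compare its CN with `$peer` — confirm against the installed IO::Socket::SSL version. If the lonHostID binding is meant to hold for connecting clients too, compare `$client->peer_certificate('cn')` with `$peer` after the handshake and treat a mismatch like the `if(!$client)` failure path (set `$lasterror`, return undef). Separately, `Net::SSLeay::VERIFY_PEER()` alone on a server still completes a handshake in which the client presents no certificate at all; requiring one needs `SSL_verify_mode => Net::SSLeay::VERIFY_PEER() | Net::SSLeay::VERIFY_FAIL_IF_NO_PEER_CERT()`. The PromoteClientSocket hunk sets `SSL_verifycn_name` without an `SSL_verifycn_scheme`, and on the old IO::Socket::SSL 1.01 the comment cites for compatibility the identity check is, as far as I recall, skipped with a warning when no scheme can be determined, so check that the CN comparison is actually enforced on the oldest supported platform. PromoteServerSocket's body continues outside the hunk.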


