--- loncom/lonssl.pm 2018/08/09 13:27:55 1.18 +++ loncom/lonssl.pm 2018/12/11 13:05:40 1.22 @@ -1,5 +1,5 @@ # -# $Id: lonssl.pm,v 1.18 2018/08/09 13:27:55 raeburn Exp $ +# $Id: lonssl.pm,v 1.22 2018/12/11 13:05:40 raeburn Exp $ # # Copyright Michigan State University Board of Trustees # @@ -112,11 +112,12 @@ sub SetFdBlocking { # Socket IO::Socket::INET Original ordinary socket. # CACert string Full path name to the certificate # authority certificate file. -# MyCert string Full path name to the certificate +# MyCert string Full path name to the certificate # issued to this host. -# KeyFile string Full pathname to the host's private +# KeyFile string Full pathname to the host's private # key file for the certificate. -# peer string lonHostID of remote LON-CAPA server +# peer string lonid of remote LON-CAPA server +# peerdef string default lonHostID of remote server # CRLFile Full path name to the certificate # revocation list file for the cluster # to which server belongs (optional) @@ -134,9 +135,10 @@ sub PromoteClientSocket { $MyCert, $KeyFile, $peer, + $peerdef, $CRLFile) = @_; - Debug("Client promotion using key: $KeyFile, Cert: $MyCert, CA: $CACert, CRL: $CRLFile, Remote Host: $peer\n"); + Debug("Client promotion using key: $KeyFile, Cert: $MyCert, CA: $CACert, CRL: $CRLFile, Remote Host: $peer, RemoteDefHost: $peerdef\n"); # To create the ssl socket we need to duplicate the existing # socket. Otherwise closing the ssl socket will close the plaintext socket @@ -158,12 +160,17 @@ sub PromoteClientSocket { # Set SSL_verify_mode to Net::SSLeay::VERIFY_PEER() instead of to # SSL_VERIFY_PEER for compatibility with IO::Socket::SSL rev. 1.01 # used by CentOS/RHEL/Scientific Linux 5). - + + my $verify_cn = $peerdef; + if ($verify_cn eq '') { + $verify_cn = $peer; + } + my %sslargs = (SSL_use_cert => 1, SSL_key_file => $KeyFile, SSL_cert_file => $MyCert, SSL_ca_file => $CACert, - SSL_verifycn_name => $peer, + SSL_verifycn_name => $verify_cn, SSL_verify_mode => Net::SSLeay::VERIFY_PEER()); if (($CRLFile ne '') && (-e $CRLFile)) { $sslargs{SSL_check_crl} = 1; @@ -238,7 +245,7 @@ sub PromoteServerSocket { $sslargs{SSL_verify_mode} = Net::SSLeay::VERIFY_PEER(); if (($CRLFile ne '') && (-e $CRLFile)) { $sslargs{SSL_check_crl} = 1; - $sslargs{SSL_crl_file} = $CRLFile; + $sslargs{SSL_crl_file} = $CRLFile; } } my $client = IO::Socket::SSL->new_from_fd($dupfno,%sslargs); @@ -411,16 +418,18 @@ sub has_badcert_file { } sub Read_Connect_Config { - my ($secureconf,$checkedcrl,$perlvarref) = @_; - return unless ((ref($secureconf) eq 'HASH') && (ref($checkedcrl) eq 'HASH')); + my ($secureconf,$perlvarref,$crlchecked) = @_; + return unless (ref($secureconf) eq 'HASH'); unless (ref($perlvarref) eq 'HASH') { $perlvarref = $perlvar; } - # Clear hash of clients for which Certificate Revocation List checked - foreach my $key (keys(%{$checkedcrl})) { - delete($checkedcrl->{$key}); + # Clear hash of clients in lond for which Certificate Revocation List checked + if (ref($crlcheckedref) eq 'HASH') { + foreach my $key (keys(%{$crlcheckedref})) { + delete($crlcheckedref->{$key}); + } } # Clean out the old table first. foreach my $key (keys(%{$secureconf})) { @@ -429,7 +438,7 @@ sub Read_Connect_Config { my $result; my $tablename = $perlvarref->{'lonTabDir'}."/connectionrules.tab"; - if (open(my $fh,"<$tablename")) { + if (open(my $fh,'<',$tablename)) { while (my $line = <$fh>) { chomp($line); my ($name,$value) = split(/=/,$line); @@ -452,7 +461,7 @@ sub Read_Host_Types { unless (ref($perlvarref) eq 'HASH') { $perlvarref = $perlvar; } - + # Clean out the old table first. foreach my $key (keys(%{$hosttypes})) { delete($hosttypes->{$key}); @@ -460,7 +469,7 @@ sub Read_Host_Types { my $result; my $tablename = $perlvarref->{'lonTabDir'}."/hosttypes.tab"; - if (open(my $fh,"<$tablename")) { + if (open(my $fh,'<',$tablename)) { while (my $line = <$fh>) { chomp($line); my ($name,$value) = split(/:/,$line);