[Yum] Server/Client SSL Certs
Paul McIntyre
paul.mcintyre at vulnerableminds.com
Tue Oct 9 14:03:02 UTC 2007
Here is a quick patch to add SSL client and server cert support. I'm still
looking around to see if I need to make any other changes. I won't be able
to test it for a bit.
-Paul
diff --git a/yum/config.py b/yum/config.py
index bf00852..d26d42e 100644
--- a/yum/config.py
+++ b/yum/config.py
@@ -529,6 +529,11 @@ class YumConf(StartupConf):
metadata_expire = IntOption(1800) # time in seconds
mirrorlist_expire = IntOption(86400) # time in seconds (1 day)
rpm_check_debug = BoolOption(True)
+
+ ssl_ca_cert = Option()
+ ssl_verify = BoolOption(False)
+ ssl_client_cert = Option()
+ ssl_client_key = Option()
_reposlist = []
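Review bot: `ssl_verify = BoolOption(False)` makes certificate verification opt-in, so an https:// repository is by default accepted from any server presenting any certificate, and a network attacker can substitute repo metadata and packages with only the separately configured gpgcheck left in the way. Default it to on and let administrators relax it per repository: `ssl_verify = BoolOption(True)`. The option name `ssl_ca_cert` should also say whether it takes a PEM file or a hashed CA directory, since the two map to different M2Crypto arguments (`cafile=` vs `capath=`) and the later hunk passes it as `capath=`.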
@@ -562,6 +567,11 @@ class RepoConf(BaseConfig):
metadata_expire = Inherit(YumConf.metadata_expire)
mirrorlist_expire = Inherit(YumConf.mirrorlist_expire)
cost = IntOption(1000)
+
+ ssl_ca_cert=Inherit(YumConf.ssl_ca_cert)
+ ssl_verify=Inherit(YumConf.ssl_verify)
+ ssl_client_cert=Inherit(YumConf.ssl_client_cert)
+ ssl_client_key=Inherit(YumConf.ssl_client_key)
def readStartupConfig(configfile, root):
'''
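Review bot: The four `Inherit` lines drop the spaces around `=` that every neighbouring option in RepoConf uses (`cost = IntOption(1000)` directly above). Write them as `ssl_ca_cert = Inherit(YumConf.ssl_ca_cert)` and likewise for the other three so the class reads uniformly. readStartupConfig's body continues outside the hunk.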
diff --git a/yum/yumRepo.py b/yum/yumRepo.py
index 85db15b..766c4ca 100644
--- a/yum/yumRepo.py
+++ b/yum/yumRepo.py
@@ -33,6 +33,12 @@ from yum import config
from yum import misc
from constants import *
+try:
+ from M2Crypto import SSL
+ have_m2crypto = True
+except ImportError:
+ have_m2crypto = False
+
import logging
import logginglevels
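Review bot: The silent `have_m2crypto = False` fallback is fail-open for a security setting: a repository configured with ssl_verify or a client certificate will, when M2Crypto is absent, be fetched with `ssl_context=None` further down and connect without the requested verification or credentials, and nothing tells the administrator. At minimum log it, e.g. `logging.getLogger('yum').warning('M2Crypto not available: ssl_* repository options will be ignored')` in the except branch (this requires moving `import logging` above the try), or have the code that consumes those options refuse to proceed when they are set and M2Crypto is missing.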
@@ -234,6 +240,10 @@ class YumRepository(Repository, config.RepoConf):
self.pkgdir = ""
self.hdrdir = ""
self.cost = 1000
+ self.ssl_ca_cert=None
+ ssl_verify=False
+ ssl_client_cert=None
+ ssl_client_key=None
# holder for stuff we've grabbed
self.retrieved = { 'primary':0, 'filelists':0, 'other':0,
'groups':0 }
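Review bot: Only the first of the four new assignments sets an attribute; `ssl_verify=False`, `ssl_client_cert=None` and `ssl_client_key=None` bind locals that are discarded when __init__ returns, so the per-instance defaults the surrounding lines intend are never stored. Write them as `self.ssl_verify = False`, `self.ssl_client_cert = None`, `self.ssl_client_key = None`. Whether a missing attribute would be masked by the inherited config.RepoConf option descriptors depends on code outside this hunk; the enclosing __init__ also continues beyond it.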
@@ -422,7 +432,9 @@ class YumRepository(Repository, config.RepoConf):
interrupt_callback=
self.interrupt_callback,
timeout=self.timeout,
http_headers=headers,
- reget='simple')
+ reget='simple'
+ # Do not include ssl_ca_cert as this
will override ssl_context
+ ssl_context=self._buildcontext())
self._grab = mgclass(self._grabfunc, self.urls,
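Review bot: `reget='simple'` lost its trailing comma when the `ssl_context=` argument was appended after it, so the call no longer parses; the comment sitting between two keyword arguments is legal but easy to overlook. Write `reget='simple',` and keep the comment on its own line directly above `ssl_context=self._buildcontext())`. Whether the grabber constructor used here accepts an `ssl_context` keyword is not visible in this hunk — confirm against the urlgrabber version yum depends on, as the patch author notes this has not been run. The enclosing call begins before the hunk.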
@@ -501,6 +513,24 @@ class YumRepository(Repository, config.RepoConf):
# store them all back in baseurl for compat purposes
self.baseurl = self._urls
self.check()
+
+ def _buildcontext(self):
+ """Generate SSL contxtet. Has info like CA and client keys. Returns
None if M2Crypto is not present"""
+ if have_m2crypto:
+ ctx=SSL.Context()
+ if self.ssl_verify:
+ ctx.set_verify(
SSL.verify_peer|SSL.verify_fail_if_no_peer_cert,12)
+ else:
+ cxt.set_allow_unknown_ca(True)
+ ctx.set_verify(SSL.verify_none, -1)
+ if self.ssl_ca_cert:
+ ctx.load_verify_locations(capath=self.ssl_ca_cert)
+ if self.ssl_client_cert:
+ ctx.load_cert(certfile=self.ssl_client_cert,keyfile=
self.ssl_client_key)
+ if self.ca_cert:
+ ctx.load_verify_locations(self.ca_cert)
+ else:
+ return None
def _replace_and_check_url(self, url_list):
goodurls = []
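Review bot: `_buildcontext` never returns the context it builds — the `if have_m2crypto:` branch falls off the end, so `ssl_context=self._buildcontext()` is always None and none of the CA, verify-mode or client-certificate settings ever reach the connection; it also references `cxt` (a typo for `ctx`) and `self.ca_cert` (no such attribute), so the non-verifying path raises NameError and the verifying path AttributeError before that. The rewrite below uses an early return, loads the CA once, and passes `ssl_ca_cert` as `cafile=` on the assumption it names a PEM bundle rather than a c_rehash'd directory — confirm that, and check what `load_verify_locations` reports for an unreadable path so a bad CA setting fails closed instead of quietly verifying against nothing. Note that `set_verify(verify_peer ...)` in M2Crypto validates the chain only; hostname matching depends on the connection layer (M2Crypto's Connection.connect runs a post-connection check by default, but whether urlgrabber's path goes through it is not visible here).
```python
    def _buildcontext(self):
        """Build the M2Crypto SSL context (verify mode, CA, client cert/key).
        Returns None when M2Crypto is not available."""
        if not have_m2crypto:
            return None
        ctx = SSL.Context()
        if self.ssl_verify:
            ctx.set_verify(SSL.verify_peer | SSL.verify_fail_if_no_peer_cert, 12)
        else:
            # Explicitly requested by the admin: no peer verification at all.
            ctx.set_allow_unknown_ca(True)
            ctx.set_verify(SSL.verify_none, -1)
        if self.ssl_ca_cert:
            # Assumes a PEM bundle; a hashed directory would need capath= instead.
            ctx.load_verify_locations(cafile=self.ssl_ca_cert)
        if self.ssl_client_cert:
            ctx.load_cert(certfile=self.ssl_client_cert, keyfile=self.ssl_client_key)
        return ctx
```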
On 10/8/07, Paul McIntyre <paul.mcintyre at vulnerableminds.com> wrote:
>
> I was looking over some older messages and it looks like someone may have
> already done it.
>
> http://www.mail-archive.com/yum-devel@linux.duke.edu/msg01239.html
>
> However it doesn't look like the patches were applied.
>
> -Paul
>
> On 10/8/07, seth vidal < skvidal at fedoraproject.org> wrote:
> >
> >
> > On Mon, 2007-10-08 at 13:42 -0400, Paul McIntyre wrote:
> > > I've been looking at setting up a YUM server and was looking for a way
> > > to control client access to the server. My preferred method is
> > > client/server SSL certs. Another option I've been considering is
> > > username/passwords. I was wondering if there was a recommended method.
> > > If not I may try to patch the trunk for client/server certs from
> > > the repo config.
> > >
> >
> > that's a good patch to try. As soon as I get a word back from the
> > urlgrabber maintainer I hope to see that patch in yum and urlgrabber
> > proper.
> >
> > also check out func when you get a chance:
> >
> > https://hosted.fedoraproject.org/projects/func/
> >
> > -sv
> >
> >
> > _______________________________________________
> > Yum mailing list
> > Yum at lists.dulug.duke.edu
> > https://lists.dulug.duke.edu/mailman/listinfo/yum
> >
>
>
>
> --
> Paul
>
> 0x9F9E08F2 paul.mcintyre at vulnerableminds.com
> A47A A126 0883 8991 4B07 9C86 5D56 5205 9F9E 08F2
>
--
Paul
0x9F9E08F2 paul.mcintyre at vulnerableminds.com
A47A A126 0883 8991 4B07 9C86 5D56 5205 9F9E 08F2