[Yum] Server/Client SSL Certs

Paul McIntyre paul.mcintyre at vulnerableminds.com
Tue Oct 9 14:03:02 UTC 2007


Here is a quick patch to add SSL client and server cert support. I'm still
looking around to see if I need to make any other changes. I won't be able
to test it for a bit.
-Paul

diff --git a/yum/config.py b/yum/config.py
index bf00852..d26d42e 100644
--- a/yum/config.py
+++ b/yum/config.py
@@ -529,6 +529,11 @@ class YumConf(StartupConf):
     metadata_expire = IntOption(1800)   # time in seconds
     mirrorlist_expire = IntOption(86400) # time in seconds (1 day)
     rpm_check_debug = BoolOption(True)
+
+    ssl_ca_cert = Option()
+    ssl_verify = BoolOption(False)
+    ssl_client_cert = Option()
+    ssl_client_key = Option()

     _reposlist = []

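Review bot: `ssl_verify = BoolOption(False)` makes certificate verification opt-in, so a repository reached over https gets no server authentication unless the admin remembers to turn it on, and the CA option alone buys nothing against an interposed host. The safer default is `ssl_verify = BoolOption(True)  # verify the server cert; False disables server authentication`, leaving False as an explicit opt-out. Whatever default is chosen should match the one set in YumRepository.__init__ in the yumRepo.py hunk.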
@@ -562,6 +567,11 @@ class RepoConf(BaseConfig):
     metadata_expire = Inherit(YumConf.metadata_expire)
     mirrorlist_expire = Inherit(YumConf.mirrorlist_expire)
     cost = IntOption(1000)
+
+    ssl_ca_cert=Inherit(YumConf.ssl_ca_cert)
+    ssl_verify=Inherit(YumConf.ssl_verify)
+    ssl_client_cert=Inherit(YumConf.ssl_client_cert)
+    ssl_client_key=Inherit(YumConf.ssl_client_key)

 def readStartupConfig(configfile, root):
     '''
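Review bot: The four Inherit lines are written as `ssl_ca_cert=Inherit(...)` with no spaces around `=`, unlike every neighbouring assignment in RepoConf; for consistency they should read `ssl_ca_cert = Inherit(YumConf.ssl_ca_cert)` and likewise for the other three. Nothing functional in this hunk otherwise.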
diff --git a/yum/yumRepo.py b/yum/yumRepo.py
index 85db15b..766c4ca 100644
--- a/yum/yumRepo.py
+++ b/yum/yumRepo.py
@@ -33,6 +33,12 @@ from yum import config
 from yum import misc
 from constants import *

+try:
+    from M2Crypto import SSL
+    have_m2crypto = True
+except ImportError:
+    have_m2crypto = False
+
 import logging
 import logginglevels

@@ -234,6 +240,10 @@ class YumRepository(Repository, config.RepoConf):
         self.pkgdir = ""
         self.hdrdir = ""
         self.cost = 1000
+        self.ssl_ca_cert=None
+        ssl_verify=False
+        ssl_client_cert=None
+        ssl_client_key=None

         # holder for stuff we've grabbed
         self.retrieved = { 'primary':0, 'filelists':0, 'other':0,
'groups':0 }
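Review bot: Three of the four added lines drop the `self.` prefix, so `ssl_verify`, `ssl_client_cert` and `ssl_client_key` are dead locals and the instance attributes are never initialised here; only `ssl_ca_cert` is actually set. They should read `self.ssl_verify = False`, `self.ssl_client_cert = None`, `self.ssl_client_key = None`. If the config default for ssl_verify is changed to True, this default should follow it so a repo object built outside the config path does not silently fall back to unverified TLS. The enclosing `__init__` begins and ends outside the hunk.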
@@ -422,7 +432,9 @@ class YumRepository(Repository, config.RepoConf):
                                     interrupt_callback=
self.interrupt_callback,
                                     timeout=self.timeout,
                                     http_headers=headers,
-                                    reget='simple')
+                                    reget='simple'
+                                    # Do not include ssl_ca_cert as this
will override ssl_context
+                                    ssl_context=self._buildcontext())


         self._grab = mgclass(self._grabfunc, self.urls,
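Review bot: `reget='simple'` lost its trailing comma when the `ssl_context=` keyword was appended, so the grabber call no longer parses; it should be `reget='simple',`. The comment between the two keywords appears to have been wrapped by the mail client into two physical lines, and the second half would be read as code unless it is rejoined onto one `#` line. When `_buildcontext()` returns None the grabber is handed `ssl_context=None`; I cannot see from here whether the grabber treats that as "no context" or as an error, so that is worth confirming. The call statement starts outside the hunk.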
@@ -501,6 +513,24 @@ class YumRepository(Repository, config.RepoConf):
         # store them all back in baseurl for compat purposes
         self.baseurl = self._urls
         self.check()
+
+    def _buildcontext(self):
+        """Generate SSL contxtet. Has info like CA and client keys. Returns
None if M2Crypto is not present"""
+        if have_m2crypto:
+            ctx=SSL.Context()
+            if self.ssl_verify:
+                ctx.set_verify(
SSL.verify_peer|SSL.verify_fail_if_no_peer_cert,12)
+            else:
+                cxt.set_allow_unknown_ca(True)
+                ctx.set_verify(SSL.verify_none, -1)
+            if self.ssl_ca_cert:
+                ctx.load_verify_locations(capath=self.ssl_ca_cert)
+            if self.ssl_client_cert:
+                ctx.load_cert(certfile=self.ssl_client_cert,keyfile=
self.ssl_client_key)
+            if self.ca_cert:
+                ctx.load_verify_locations(self.ca_cert)
+       else:
+            return None

     def _replace_and_check_url(self, url_list):
         goodurls = []
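Review bot: `_buildcontext` never returns the context it builds — the `if have_m2crypto:` branch falls off the end, so callers always receive None and every SSL setting is silently ignored; in addition `cxt.set_allow_unknown_ca(True)` misspells `ctx` (NameError on the non-verifying path), the `else:` is indented one column short of its `if` (IndentationError), and `self.ca_cert` is not an attribute this patch defines, so that block looks like a leftover of `ssl_ca_cert`. The other failure mode is that when M2Crypto is absent but `ssl_verify` or a client cert was configured, the function returns None and the transfer proceeds without verification or client auth — it should fail closed by raising rather than returning None (assuming the module's existing repo error class is in scope; confirm). `load_verify_locations(capath=...)` expects a directory; if `ssl_ca_cert` is meant to be a PEM file it should be `cafile=`, which I cannot tell from the patch. The docstring typo "contxtet" and the mail-wrapped lines in the body should be cleaned up at the same time.
```python
    def _buildcontext(self):
        """Build the M2Crypto SSL context (verification mode, CA location,
        client cert/key) for this repo.

        Returns None when M2Crypto is unavailable and no SSL option is in
        use; raises when an SSL option was configured but cannot be honoured,
        so a missing library never silently downgrades to unverified TLS.
        """
        if not have_m2crypto:
            if self.ssl_verify or self.ssl_client_cert:
                raise Errors.RepoError(
                    "ssl_verify/ssl_client_cert set for repo %s but M2Crypto "
                    "is not available" % self.id)
            return None
        ctx = SSL.Context()
        if self.ssl_verify:
            # Require a peer cert and a valid chain (depth 12).
            ctx.set_verify(SSL.verify_peer | SSL.verify_fail_if_no_peer_cert, 12)
        else:
            # Explicit opt-out: no server authentication at all.
            ctx.set_allow_unknown_ca(True)
            ctx.set_verify(SSL.verify_none, -1)
        if self.ssl_ca_cert:
            # NOTE(review): capath= is a directory; use cafile= if this option is a PEM file.
            ctx.load_verify_locations(capath=self.ssl_ca_cert)
        if self.ssl_client_cert:
            ctx.load_cert(certfile=self.ssl_client_cert, keyfile=self.ssl_client_key)
        return ctx
```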


On 10/8/07, Paul McIntyre <paul.mcintyre at vulnerableminds.com> wrote:
>
> I was looking over some older messages and it looks like someone may have
> already done it.
>
> http://www.mail-archive.com/yum-devel@linux.duke.edu/msg01239.html
>
> However it doesn't look like the patches were applied.
>
> -Paul
>
> On 10/8/07, seth vidal < skvidal at fedoraproject.org> wrote:
> >
> >
> > On Mon, 2007-10-08 at 13:42 -0400, Paul McIntyre wrote:
> > > I've been looking at setting up a YUM server and was looking for a way
> > > to control client access to the server. My preferred method is
> > > client/server SSL certs. Another option I've been considering is
> > > username/passwords. I was wondering if there was a recommended method.
> > > If not I may try to to patch the trunk for client/server certs from
> > > the repo config.
> > >
> >
> > that's a good patch to try. As soon as I get a word back from the
> > urlgrabber maintainer I hope to see that patch in yum and urlgrabber
> > proper.
> >
> > also check out func when you get a chance:
> >
> > https://hosted.fedoraproject.org/projects/func/
> >
> > -sv
> >
> >
> > _______________________________________________
> > Yum mailing list
> > Yum at lists.dulug.duke.edu
> > https://lists.dulug.duke.edu/mailman/listinfo/yum
> >
>
>
>
> --
> Paul
>
> 0x9F9E08F2 paul.mcintyre at vulnerableminds.com
> A47A A126 0883 8991 4B07 9C86 5D56 5205 9F9E 08F2
>



-- 
Paul

0x9F9E08F2 paul.mcintyre at vulnerableminds.com
A47A A126 0883 8991 4B07 9C86 5D56 5205 9F9E 08F2

