[Xen-changelog] [xen-unstable] Add SSL/TLS support to relocation
# HG changeset patch
# User Keir Fraser <keir.fraser@xxxxxxxxxx>
# Date 1209631816 -3600
# Node ID 1e169f4e8e727e8f32a476d4b4eb8bd5504a362f
# Parent 013a47065e8c4e815e3b1aba0883341c19238e82
Add SSL/TLS support to relocation

* SSL/TLS support is disabled by default, as other server did.
* If "xend-relocation-server-ssl-key-file" and "xend-relocation-server-ssl-cert-file" exist, SSL/TLS is enabled automatically.
* "xend-relocation-tls" is used by relocation client only.

Signed-off-by: Zhigang Wang <zhigang.x.wang@xxxxxxxxxx>
---
 tools/examples/xend-config.sxp | 9 ++++++
 tools/python/xen/web/tcp.py | 41 +++++++++++++++++++++++++++++++
 tools/python/xen/xend/XendDomain.py | 12 +++++++--
 tools/python/xen/xend/XendOptions.py | 11 ++++++++
 tools/python/xen/xend/server/relocate.py | 13 ++++++++-
 5 files changed, 82 insertions(+), 4 deletions(-)
diff -r 013a47065e8c -r 1e169f4e8e72 tools/examples/xend-config.sxp
--- a/tools/examples/xend-config.sxp Thu May 01 09:45:44 2008 +0100
+++ b/tools/examples/xend-config.sxp Thu May 01 09:50:16 2008 +0100
@@ -82,6 +82,15 @@
 # is set.
 #(xend-relocation-port 8002)
 
+# Whether to use tls when relocating.
+#(xend-relocation-tls no)
+
+# SSL key and certificate to use for the relocation interface.
+# Setting these will mean that this port serves only SSL connections as
+# opposed to plaintext ones.
+#(xend-relocation-server-ssl-key-file /etc/xen/xmlrpc.key)
+#(xend-relocation-server-ssl-cert-file /etc/xen/xmlrpc.crt)
+
 # Address xend should listen on for HTTP connections, if xend-http-server is
 # set.
 # Specifying 'localhost' prevents remote connections.
diff -r 013a47065e8c -r 1e169f4e8e72 tools/python/xen/web/tcp.py
--- a/tools/python/xen/web/tcp.py Thu May 01 09:45:44 2008 +0100
+++ b/tools/python/xen/web/tcp.py Thu May 01 09:50:16 2008 +0100
@@ -21,6 +21,8 @@ import re
 import re
 import socket
 import time
+
+from OpenSSL import SSL
 
 import connection
 
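Review bot: The new comment above `#(xend-relocation-tls no)` does not say that this option only affects the outgoing (client) side of a relocation, while the receiving side is switched to SSL/TLS solely by the presence of the key and cert files — the commit message states this, the sample config does not. An administrator who sets `(xend-relocation-tls yes)` on a receiving host and nothing else still serves plaintext on the relocation port. I would change the comment to `# Whether to use TLS when sending a domain to another host (client side only; the receiving side serves TLS when the key/cert files below are set).`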
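Review bot: `from OpenSSL import SSL` is added at module level in tcp.py, so importing `xen.web.tcp` now requires pyOpenSSL even on hosts that configure no key/cert and only ever use the plaintext `TCPListener`, whereas the client side in XendDomain.py imports it lazily inside its `if tls:` branch. If pyOpenSSL is already a hard dependency of xend (the `SSLXMLRPCServer` mentioned in the ValueError text suggests it may be), this is harmless; otherwise the plaintext listener would fail with an ImportError unrelated to its own configuration. Moving the import into `SSLTCPListener.createSocket` keeps the plaintext path independent of pyOpenSSL and matches the lazy import used on the client side.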
@@ -64,3 +66,42 @@ class TCPListener(connection.SocketListe
                 sock.close()
             except:
                 pass
+
+class SSLTCPListener(TCPListener):
+
+    def __init__(self, protocol_class, port, interface, hosts_allow,
+                 ssl_key_file = None, ssl_cert_file = None):
+        if not ssl_key_file or not ssl_cert_file:
+            raise ValueError("SSLXMLRPCServer requires ssl_key_file "
+                             "and ssl_cert_file to be set.")
+
+        self.ssl_key_file = ssl_key_file
+        self.ssl_cert_file = ssl_cert_file
+
+        TCPListener.__init__(self, protocol_class, port, interface, hosts_allow)
+
+
+    def createSocket(self):
+        # make a SSL socket
+        ctx = SSL.Context(SSL.SSLv23_METHOD)
+        ctx.set_options(SSL.OP_NO_SSLv2)
+        ctx.use_privatekey_file (self.ssl_key_file)
+        ctx.use_certificate_file(self.ssl_cert_file)
+        sock = SSL.Connection(ctx,
+                              socket.socket(socket.AF_INET, socket.SOCK_STREAM))
+        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
+
+        # SO_REUSEADDR does not always ensure that we do not get an address
+        # in use error when restarted quickly
+        # we implement a timeout to try and avoid failing unnecessarily
+        timeout = time.time() + 30
+        while True:
+            try:
+                sock.bind((self.interface, self.port))
+                return sock
+            except socket.error, (_errno, strerrno):
+                if _errno == errno.EADDRINUSE and time.time() < timeout:
+                    time.sleep(0.5)
+                else:
+                    raise
+
diff -r 013a47065e8c -r 1e169f4e8e72 tools/python/xen/xend/XendDomain.py
--- a/tools/python/xen/xend/XendDomain.py Thu May 01 09:45:44 2008 +0100
+++ b/tools/python/xen/xend/XendDomain.py Thu May 01 09:50:16 2008 +0100
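Review bot: The context built in `SSLTCPListener.createSocket` sets no verify mode, so any peer that passes the `hosts_allow` check is accepted without presenting a certificate; TLS here protects the migration stream on the wire but does not authenticate the sending host, which remains gated only by the address-based `hosts_allow` list. If mutual authentication is intended, the context also needs `ctx.set_verify(SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT, verify_cb)` and `ctx.load_verify_locations(ca_file)` (placeholder names — a CA-file option would have to be added), and either way a class docstring should state that the listener does not verify clients. Separately, the `ValueError` in `__init__` names `SSLXMLRPCServer`, which looks copied from the XML-RPC listener; it should read `raise ValueError("SSLTCPListener requires ssl_key_file " "and ssl_cert_file to be set.")` so the error points at the right class.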
@@ -1293,8 +1293,16 @@ class XendDomain:
         if port == 0:
             port = xoptions.get_xend_relocation_port()
-        try:
-            sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+
+        try:
+            tls = xoptions.get_xend_relocation_tls()
+            if tls:
+                from OpenSSL import SSL
+                ctx = SSL.Context(SSL.SSLv23_METHOD)
+                sock = SSL.Connection(ctx, socket.socket(socket.AF_INET, socket.SOCK_STREAM))
+                sock.set_connect_state()
+            else:
+                sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
             sock.connect((dst, port))
         except socket.error, err:
             raise XendError("can't connect: %s" % err[1])
 
diff -r 013a47065e8c -r 1e169f4e8e72 tools/python/xen/xend/XendOptions.py
--- a/tools/python/xen/xend/XendOptions.py Thu May 01 09:45:44 2008 +0100
+++ b/tools/python/xen/xend/XendOptions.py Thu May 01 09:50:16 2008 +0100
@@ -192,6 +192,12 @@ class XendOptions:
         return self.get_config_bool("xend-relocation-server",
                                     self.xend_relocation_server_default)
 
+    def get_xend_relocation_server_ssl_key_file(self):
+        return self.get_config_string("xend-relocation-server-ssl-key-file")
+
+    def get_xend_relocation_server_ssl_cert_file(self):
+        return self.get_config_string("xend-relocation-server-ssl-cert-file")
+
     def get_xend_port(self):
         """Get the port xend listens at for its HTTP interface.
         """
@@ -202,6 +208,11 @@ class XendOptions:
         """
         return self.get_config_int('xend-relocation-port',
                                    self.xend_relocation_port_default)
+
+    def get_xend_relocation_tls(self):
+        """Whether to use tls when relocating.
+        """
+        return self.get_config_bool('xend-relocation-tls', 'no')
 
     def get_xend_relocation_hosts_allow(self):
         return self.get_config_string("xend-relocation-hosts-allow",
diff -r 013a47065e8c -r 1e169f4e8e72 tools/python/xen/xend/server/relocate.py
--- a/tools/python/xen/xend/server/relocate.py Thu May 01 09:45:44 2008 +0100
+++ b/tools/python/xen/xend/server/relocate.py Thu May 01 09:50:16 2008 +0100
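Review bot: The client context in the new `if tls:` branch never calls `set_verify` or loads a CA, so the sending host does not authenticate the receiver's certificate; any endpoint that answers on the relocation port with any certificate is accepted, and the domain's memory image is then sent to it, which removes the guarantee TLS is being added for. The server side of this same commit disables SSLv2 with `OP_NO_SSLv2`, but this client context does not, so add `ctx.set_options(SSL.OP_NO_SSLv2)` after `ctx = SSL.Context(SSL.SSLv23_METHOD)`, and to authenticate the peer add `ctx.set_verify(SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT, verify_cb)` together with `ctx.load_verify_locations(ca_file)` (placeholders — a client-side CA-file option is needed). Note also that `except socket.error` will not catch `SSL.Error`; with `set_connect_state()` the handshake appears to be deferred past `connect()` to the first read/write, so a handshake failure would surface later than the "can't connect" error path — worth confirming. The enclosing method starts and ends outside this hunk.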
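Review bot: `get_xend_relocation_tls` passes the literal `'no'` as its default, while the neighbouring getters in these hunks take their defaults from class attributes such as `self.xend_relocation_port_default` and `self.xend_relocation_server_default`. A `xend_relocation_tls_default = 'no'` attribute and `return self.get_config_bool('xend-relocation-tls', self.xend_relocation_tls_default)` keeps the new option overridable in the same place as the others. The two `get_xend_relocation_server_ssl_*_file` getters in the earlier XendOptions hunk have no docstring; `"""Path of the key (certificate) file for the relocation listener; when both are set the listener serves SSL/TLS, otherwise plaintext."""` on each would say what their presence triggers. The class continues outside both hunks.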
@@ -132,5 +132,14 @@ def listenRelocation():
         else:
             hosts_allow = map(re.compile, hosts_allow.split(" "))
 
-        tcp.TCPListener(RelocationProtocol, port, interface = interface,
-                        hosts_allow = hosts_allow)
+        ssl_key_file = xoptions.get_xend_relocation_server_ssl_key_file()
+        ssl_cert_file = xoptions.get_xend_relocation_server_ssl_cert_file()
+
+        if ssl_key_file and ssl_cert_file:
+            tcp.SSLTCPListener(RelocationProtocol, port, interface = interface,
+                               hosts_allow = hosts_allow,
+                               ssl_key_file = ssl_key_file,
+                               ssl_cert_file = ssl_cert_file)
+        else:
+            tcp.TCPListener(RelocationProtocol, port, interface = interface,
+                            hosts_allow = hosts_allow)

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog
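Review bot: When exactly one of `ssl_key_file` / `ssl_cert_file` is configured, the `else` branch silently starts the plaintext `TCPListener`, so a typo in one of the two option names downgrades the relocation port to cleartext with no error or log line; the check inside `SSLTCPListener.__init__` never fires because that constructor is only reached when both are set. Add an explicit failure between the two branches: `elif ssl_key_file or ssl_cert_file:` / `raise ValueError("xend-relocation-server-ssl-key-file and xend-relocation-server-ssl-cert-file must both be set")` (or log and refuse to listen, matching however this file reports configuration errors). `listenRelocation` starts outside the hunk.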