[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] [PATCH] add ssl/tls support to relocation



hi, this patch add ssl/tls support to relocation:

 * SSL/TLS support is disabled by default, as other server did.

 * If "xend-relocation-server-ssl-key-file" and
   "xend-relocation-server-ssl-cert-file" exist, SSL/TLS is enabled
   automatically.

 * "xend-relocation-tls" is used by relocation client only.

Signed-off-by: Zhigang Wang <zhigang.x.wang@xxxxxxxxxx>


Add SSL/TLS support to relocation

 * SSL/TLS support is disabled by default, as other server did.

 * If "xend-relocation-server-ssl-key-file" and
   "xend-relocation-server-ssl-cert-file" exist, SSL/TLS is enabled
   automatically.

 * "xend-relocation-tls" is used by relocation client only.

Signed-off-by: Zhigang Wang <zhigang.x.wang@xxxxxxxxxx>

diff -Nura xen-unstable.orig/tools/examples/xend-config.sxp 
xen-unstable/tools/examples/xend-config.sxp
--- xen-unstable.orig/tools/examples/xend-config.sxp    2008-04-24 
18:26:58.000000000 +0800
+++ xen-unstable/tools/examples/xend-config.sxp 2008-04-24 18:55:56.000000000 
+0800
@@ -82,6 +82,15 @@
 # is set.
 #(xend-relocation-port 8002)
 
+# Whether to use tls when relocating.
+#(xend-relocation-tls no)
+
+# SSL key and certificate to use for the relocation interface.
+# Setting these will mean that this port serves only SSL connections as
+# opposed to plaintext ones.
+#(xend-relocation-server-ssl-key-file  /etc/xen/xmlrpc.key)
+#(xend-relocation-server-ssl-cert-file  /etc/xen/xmlrpc.crt)
+
 # Address xend should listen on for HTTP connections, if xend-http-server is
 # set.
 # Specifying 'localhost' prevents remote connections.
diff -Nura xen-unstable.orig/tools/python/xen/web/tcp.py 
xen-unstable/tools/python/xen/web/tcp.py
--- xen-unstable.orig/tools/python/xen/web/tcp.py       2008-04-24 
18:27:00.000000000 +0800
+++ xen-unstable/tools/python/xen/web/tcp.py    2008-04-24 18:55:56.000000000 
+0800
@@ -22,6 +22,8 @@
 import socket
 import time
 
+from OpenSSL import SSL
+
 import connection
 
 from xen.xend.XendLogging import log
@@ -64,3 +66,42 @@
                 sock.close()
             except:
                 pass
+
+class SSLTCPListener(TCPListener):
+
+    def __init__(self, protocol_class, port, interface, hosts_allow,
+                 ssl_key_file = None, ssl_cert_file = None):
+        if not ssl_key_file or not ssl_cert_file:
+            raise ValueError("SSLXMLRPCServer requires ssl_key_file "
+                             "and ssl_cert_file to be set.")
+
+        self.ssl_key_file = ssl_key_file
+        self.ssl_cert_file = ssl_cert_file
+
+        TCPListener.__init__(self, protocol_class, port, interface, 
hosts_allow)
+
+
+    def createSocket(self):
+        # make a SSL socket
+        ctx = SSL.Context(SSL.SSLv23_METHOD)
+        ctx.set_options(SSL.OP_NO_SSLv2)
+        ctx.use_privatekey_file (self.ssl_key_file)
+        ctx.use_certificate_file(self.ssl_cert_file)
+        sock = SSL.Connection(ctx,
+                              socket.socket(socket.AF_INET, 
socket.SOCK_STREAM))
+        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
+
+        # SO_REUSEADDR does not always ensure that we do not get an address
+        # in use error when restarted quickly
+        # we implement a timeout to try and avoid failing unnecessarily
+        timeout = time.time() + 30
+        while True:
+            try:
+                sock.bind((self.interface, self.port))
+                return sock
+            except socket.error, (_errno, strerrno):
+                if _errno == errno.EADDRINUSE and time.time() < timeout:
+                    time.sleep(0.5)
+                else:
+                    raise
+
diff -Nura xen-unstable.orig/tools/python/xen/xend/server/relocate.py 
xen-unstable/tools/python/xen/xend/server/relocate.py
--- xen-unstable.orig/tools/python/xen/xend/server/relocate.py  2008-04-24 
18:27:01.000000000 +0800
+++ xen-unstable/tools/python/xen/xend/server/relocate.py       2008-04-24 
18:55:56.000000000 +0800
@@ -132,5 +132,14 @@
         else:
             hosts_allow = map(re.compile, hosts_allow.split(" "))
 
-        tcp.TCPListener(RelocationProtocol, port, interface = interface,
-                        hosts_allow = hosts_allow)
+        ssl_key_file = xoptions.get_xend_relocation_server_ssl_key_file()
+        ssl_cert_file = xoptions.get_xend_relocation_server_ssl_cert_file()
+
+        if ssl_key_file and ssl_cert_file:
+            tcp.SSLTCPListener(RelocationProtocol, port, interface = interface,
+                               hosts_allow = hosts_allow,
+                               ssl_key_file = ssl_key_file,
+                               ssl_cert_file = ssl_cert_file)
+        else:
+            tcp.TCPListener(RelocationProtocol, port, interface = interface,
+                            hosts_allow = hosts_allow)
diff -Nura xen-unstable.orig/tools/python/xen/xend/XendOptions.py 
xen-unstable/tools/python/xen/xend/XendOptions.py
--- xen-unstable.orig/tools/python/xen/xend/XendOptions.py      2008-04-24 
18:27:01.000000000 +0800
+++ xen-unstable/tools/python/xen/xend/XendOptions.py   2008-04-24 
18:55:56.000000000 +0800
@@ -192,6 +192,12 @@
         return self.get_config_bool("xend-relocation-server",
                                     self.xend_relocation_server_default)
 
+    def get_xend_relocation_server_ssl_key_file(self):
+        return self.get_config_string("xend-relocation-server-ssl-key-file")
+
+    def get_xend_relocation_server_ssl_cert_file(self):
+        return self.get_config_string("xend-relocation-server-ssl-cert-file")
+
     def get_xend_port(self):
         """Get the port xend listens at for its HTTP interface.
         """
@@ -203,6 +209,11 @@
         return self.get_config_int('xend-relocation-port',
                                    self.xend_relocation_port_default)
 
+    def get_xend_relocation_tls(self):
+        """Whether to use tls when relocating.
+        """
+        return self.get_config_bool('xend-relocation-tls', 'no')
+
     def get_xend_relocation_hosts_allow(self):
         return self.get_config_string("xend-relocation-hosts-allow",
                                      self.xend_relocation_hosts_allow_default)
--- xen-unstable.orig/tools/python/xen/xend/XendDomain.py       2008-04-24 
18:27:01.000000000 +0800
+++ xen-unstable/tools/python/xen/xend/XendDomain.py    2008-04-28 
10:23:39.000000000 +0800
@@ -1293,8 +1293,16 @@
 
         if port == 0:
             port = xoptions.get_xend_relocation_port()
+
         try:
-            sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+            tls = xoptions.get_xend_relocation_tls()
+            if tls:
+                from OpenSSL import SSL
+                ctx = SSL.Context(SSL.SSLv23_METHOD)
+                sock = SSL.Connection(ctx, socket.socket(socket.AF_INET, 
socket.SOCK_STREAM))
+                sock.set_connect_state()
+            else:
+                sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
             sock.connect((dst, port))
         except socket.error, err:
             raise XendError("can't connect: %s" % err[1])

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.