From: Zhigang Wang <zhigang.x.wang@oracle.com>
To: xen-devel <xen-devel@lists.xensource.com>
Subject: [PATCH] add ssl/tls support to relocation
Date: Mon, 28 Apr 2008 10:49:58 +0800 [thread overview]
Message-ID: <48153B56.5070201@oracle.com> (raw)
hi, this patch add ssl/tls support to relocation:
* SSL/TLS support is disabled by default, as the other servers do.
* If "xend-relocation-server-ssl-key-file" and
"xend-relocation-server-ssl-cert-file" exist, SSL/TLS is enabled
automatically.
* "xend-relocation-tls" is used by relocation client only.
Signed-off-by: Zhigang Wang <zhigang.x.wang@oracle.com>
[-- Attachment #2: xen-unstable-relocation-ssl.patch --]
[-- Type: text/x-patch, Size: 6661 bytes --]
Add SSL/TLS support to relocation
* SSL/TLS support is disabled by default, as the other servers do.
* If "xend-relocation-server-ssl-key-file" and
"xend-relocation-server-ssl-cert-file" exist, SSL/TLS is enabled
automatically.
* "xend-relocation-tls" is used by relocation client only.
Signed-off-by: Zhigang Wang <zhigang.x.wang@oracle.com>
diff -Nura xen-unstable.orig/tools/examples/xend-config.sxp xen-unstable/tools/examples/xend-config.sxp
--- xen-unstable.orig/tools/examples/xend-config.sxp 2008-04-24 18:26:58.000000000 +0800
+++ xen-unstable/tools/examples/xend-config.sxp 2008-04-24 18:55:56.000000000 +0800
@@ -82,6 +82,15 @@
# is set.
#(xend-relocation-port 8002)
+# Whether to use tls when relocating.
+#(xend-relocation-tls no)
+
+# SSL key and certificate to use for the relocation interface.
+# Setting these will mean that this port serves only SSL connections as
+# opposed to plaintext ones.
+#(xend-relocation-server-ssl-key-file /etc/xen/xmlrpc.key)
+#(xend-relocation-server-ssl-cert-file /etc/xen/xmlrpc.crt)
+
# Address xend should listen on for HTTP connections, if xend-http-server is
# set.
# Specifying 'localhost' prevents remote connections.
diff -Nura xen-unstable.orig/tools/python/xen/web/tcp.py xen-unstable/tools/python/xen/web/tcp.py
--- xen-unstable.orig/tools/python/xen/web/tcp.py 2008-04-24 18:27:00.000000000 +0800
+++ xen-unstable/tools/python/xen/web/tcp.py 2008-04-24 18:55:56.000000000 +0800
@@ -22,6 +22,8 @@
import socket
import time
+from OpenSSL import SSL
+
import connection
from xen.xend.XendLogging import log
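Review bot: `from OpenSSL import SSL` at line 47 is an unconditional module-level import, so tcp.py — and every listener built on it — fails to import whenever pyOpenSSL is absent, even though the feature is off by default per the commit message. The client side of this same patch imports lazily inside its `if tls:` branch; the server side could do the same by moving the import into `SSLTCPListener.createSocket`, or guard it with `try: from OpenSSL import SSL` / `except ImportError: SSL = None` and raise a clear error only when an SSL listener is actually configured.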
@@ -64,3 +66,42 @@
sock.close()
except:
pass
+
+class SSLTCPListener(TCPListener):
+
+ def __init__(self, protocol_class, port, interface, hosts_allow,
+ ssl_key_file = None, ssl_cert_file = None):
+ if not ssl_key_file or not ssl_cert_file:
+ raise ValueError("SSLXMLRPCServer requires ssl_key_file "
+ "and ssl_cert_file to be set.")
+
+ self.ssl_key_file = ssl_key_file
+ self.ssl_cert_file = ssl_cert_file
+
+ TCPListener.__init__(self, protocol_class, port, interface, hosts_allow)
+
+
+ def createSocket(self):
+ # make a SSL socket
+ ctx = SSL.Context(SSL.SSLv23_METHOD)
+ ctx.set_options(SSL.OP_NO_SSLv2)
+ ctx.use_privatekey_file (self.ssl_key_file)
+ ctx.use_certificate_file(self.ssl_cert_file)
+ sock = SSL.Connection(ctx,
+ socket.socket(socket.AF_INET, socket.SOCK_STREAM))
+ sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
+
+ # SO_REUSEADDR does not always ensure that we do not get an address
+ # in use error when restarted quickly
+ # we implement a timeout to try and avoid failing unnecessarily
+ timeout = time.time() + 30
+ while True:
+ try:
+ sock.bind((self.interface, self.port))
+ return sock
+ except socket.error, (_errno, strerrno):
+ if _errno == errno.EADDRINUSE and time.time() < timeout:
+ time.sleep(0.5)
+ else:
+ raise
+
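Review bot: The server context built at lines 72-75 loads its own key and certificate but never calls `ctx.set_verify(...)`, so a connecting relocation client is not authenticated by TLS; the only access control on the receiving side remains the `hosts_allow` address filter inherited from TCPListener (applied outside this hunk), which this change does nothing to strengthen. If mutual authentication between hosts is intended, the context needs `ctx.set_verify(SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT, verify_cb)` plus `ctx.load_verify_locations(ca_file)` with a new config option naming the CA; if it is not intended, the xend-config.sxp comment should say that the certificate authenticates the server only. Separately, the ValueError message at lines 61-62 names `SSLXMLRPCServer`, apparently copied from the XML-RPC listener; it should read `"SSLTCPListener requires ssl_key_file and ssl_cert_file to be set."`. `errno` is referenced at line 89 but no import of it is visible in this hunk or in the import hunk above; presumably the existing TCPListener.createSocket this method mirrors already imports it — worth confirming.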
diff -Nura xen-unstable.orig/tools/python/xen/xend/server/relocate.py xen-unstable/tools/python/xen/xend/server/relocate.py
--- xen-unstable.orig/tools/python/xen/xend/server/relocate.py 2008-04-24 18:27:01.000000000 +0800
+++ xen-unstable/tools/python/xen/xend/server/relocate.py 2008-04-24 18:55:56.000000000 +0800
@@ -132,5 +132,14 @@
else:
hosts_allow = map(re.compile, hosts_allow.split(" "))
- tcp.TCPListener(RelocationProtocol, port, interface = interface,
- hosts_allow = hosts_allow)
+ ssl_key_file = xoptions.get_xend_relocation_server_ssl_key_file()
+ ssl_cert_file = xoptions.get_xend_relocation_server_ssl_cert_file()
+
+ if ssl_key_file and ssl_cert_file:
+ tcp.SSLTCPListener(RelocationProtocol, port, interface = interface,
+ hosts_allow = hosts_allow,
+ ssl_key_file = ssl_key_file,
+ ssl_cert_file = ssl_cert_file)
+ else:
+ tcp.TCPListener(RelocationProtocol, port, interface = interface,
+ hosts_allow = hosts_allow)
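Review bot: The `if ssl_key_file and ssl_cert_file:` test at line 105 silently falls back to a plaintext listener when exactly one of the two options is set, so a typo in one option name in xend-config.sxp leaves the relocation port serving plaintext with no indication that SSL was wanted. An `elif ssl_key_file or ssl_cert_file:` branch that logs an error and refuses to start the listener — e.g. `log.error("xend-relocation-server-ssl-key-file and xend-relocation-server-ssl-cert-file must both be set")` followed by a `return` — would make the half-configured state visible instead of degrading to plaintext. The enclosing function starts outside this hunk.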
diff -Nura xen-unstable.orig/tools/python/xen/xend/XendOptions.py xen-unstable/tools/python/xen/xend/XendOptions.py
--- xen-unstable.orig/tools/python/xen/xend/XendOptions.py 2008-04-24 18:27:01.000000000 +0800
+++ xen-unstable/tools/python/xen/xend/XendOptions.py 2008-04-24 18:55:56.000000000 +0800
@@ -192,6 +192,12 @@
return self.get_config_bool("xend-relocation-server",
self.xend_relocation_server_default)
+ def get_xend_relocation_server_ssl_key_file(self):
+ return self.get_config_string("xend-relocation-server-ssl-key-file")
+
+ def get_xend_relocation_server_ssl_cert_file(self):
+ return self.get_config_string("xend-relocation-server-ssl-cert-file")
+
def get_xend_port(self):
"""Get the port xend listens at for its HTTP interface.
"""
@@ -203,6 +209,11 @@
return self.get_config_int('xend-relocation-port',
self.xend_relocation_port_default)
+ def get_xend_relocation_tls(self):
+ """Whether to use tls when relocating.
+ """
+ return self.get_config_bool('xend-relocation-tls', 'no')
+
def get_xend_relocation_hosts_allow(self):
return self.get_config_string("xend-relocation-hosts-allow",
self.xend_relocation_hosts_allow_default)
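Review bot: `get_xend_relocation_tls` at line 134 passes the literal `'no'` as its default, whereas the surrounding accessors (lines 117-118 and 129-130) take their defaults from class-level `*_default` attributes. For consistency, define `xend_relocation_tls_default = 'no'` alongside the other defaults (outside this hunk) and pass `self.xend_relocation_tls_default` here. Whether `get_config_bool` accepts a string default cannot be confirmed from this hunk, so that too is worth checking.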
--- xen-unstable.orig/tools/python/xen/xend/XendDomain.py 2008-04-24 18:27:01.000000000 +0800
+++ xen-unstable/tools/python/xen/xend/XendDomain.py 2008-04-28 10:23:39.000000000 +0800
@@ -1293,8 +1293,16 @@
if port == 0:
port = xoptions.get_xend_relocation_port()
+
try:
- sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ tls = xoptions.get_xend_relocation_tls()
+ if tls:
+ from OpenSSL import SSL
+ ctx = SSL.Context(SSL.SSLv23_METHOD)
+ sock = SSL.Connection(ctx, socket.socket(socket.AF_INET, socket.SOCK_STREAM))
+ sock.set_connect_state()
+ else:
+ sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((dst, port))
except socket.error, err:
raise XendError("can't connect: %s" % err[1])