Commit 1d6965c7 authored by Ken Giusti's avatar Ken Giusti Committed by GitHub

Merge pull request #12 from JAORMX/minimal-ssl

Add x-ssl option to attempt a minimal SSL connection
parents ee321eca 1c354ecc
......@@ -24,6 +24,7 @@ import heapq
import logging
import proton
import warnings
import ssl
from pyngus.endpoint import Endpoint
from pyngus.link import _Link
......@@ -169,6 +170,11 @@ class Connection(Endpoint):
this property is ignored if any of the other SASL related properties
are set.
x-ssl: boolean, Allows clients to connect using SSL setting a minimum
viable configuration (using the system's CA bundle to validate the
peer's certificate). This setting is overwritten if subsequent SSL
settings are found.
x-ssl-identity: tuple, contains identifying certificate information
which will be presented to the peer. The first item in the tuple is
the path to the certificate file (PEM format). The second item is the
......@@ -730,6 +736,9 @@ class Connection(Endpoint):
identity = properties.get('x-ssl-identity')
ca_file = properties.get('x-ssl-ca-file')
if properties.get('x-ssl') and not ca_file:
ca_file = ssl.get_default_verify_paths().cafile
if not identity and not ca_file:
return None # SSL not configured
......
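Review bot: The x-ssl branch at `ca_file = ssl.get_default_verify_paths().cafile` can leave ca_file as None — `cafile` is None when OpenSSL's default bundle file does not exist (only the `capath` directory may, and that attribute is not consulted) — and the next lines `if not identity and not ca_file: return None` then treat the connection as "SSL not configured", so a caller that explicitly asked for x-ssl silently gets a plaintext connection. Fail loudly instead: after the assignment add `if not ca_file: raise <the module's SSL configuration error>("x-ssl requested but no system CA bundle was found")` (the tests catch SSLUnavailable, which may be the right type — verify), or fall back to `.capath` if the SSL setup code can accept a directory. The docstring hunk could also state concretely that an explicit `x-ssl-ca-file` takes precedence over x-ssl, which is what the code does, rather than "overwritten if subsequent SSL settings are found". The enclosing method starts before and continues past this hunk.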
......@@ -24,6 +24,7 @@ import subprocess
import tempfile
import time
from string import Template
import ssl
from proton import Condition
from proton import Message
......@@ -351,7 +352,9 @@ class APITest(common.Test):
server_password="server-password",
server_dns="some.server.com",
client_password=None,
client_dns=None):
client_dns=None,
verify_peer=True,
use_system_ca_bundle=False):
def _testpath(file):
""" Set the full path to the PEM files."""
......@@ -369,10 +372,18 @@ class APITest(common.Test):
server = self.container1.create_connection("server",
properties=s_props)
c_props = {"x-ssl-ca-file": _testpath("ca-certificate.pem"),
"x-ssl-verify-mode": "verify-peer",
"x-ssl-peer-name": server_dns}
c_props = {}
if use_system_ca_bundle:
c_props.update({"x-ssl": True})
# Overwrite the SSL_CERT_FILE which is used by OpenSSL to use as a
# CA bundle. This way we don't need a server certificate trusted by
# the system.
os.environ['SSL_CERT_FILE'] = _testpath("ca-certificate.pem")
else:
c_props.update({"x-ssl-ca-file": _testpath("ca-certificate.pem")})
if verify_peer:
c_props.update({"x-ssl-verify-mode": "verify-peer",
"x-ssl-peer-name": server_dns})
if client_password:
c_props['x-ssl-identity'] = (_testpath("client-certificate.pem"),
_testpath("client-private-key.pem"),
......@@ -390,6 +401,15 @@ class APITest(common.Test):
except SSLUnavailable:
raise common.Skipped("SSL not available.")
def test_ssl_ok_using_system_ca(self):
try:
if 'OpenSSL' in ssl.OPENSSL_VERSION:
self._test_ssl(use_system_ca_bundle=True)
else:
raise common.Skipped("OpenSSL not available.")
except SSLUnavailable:
raise common.Skipped("SSL not available.")
def test_ssl_pw_fail(self):
try:
self._test_ssl(server_password="bad-server-password")
......@@ -428,6 +448,12 @@ class APITest(common.Test):
# should fail to open the certificate
pass
def test_ssl_no_verify_peer(self):
try:
self._test_ssl(verify_peer=False)
except SSLUnavailable:
raise common.Skipped("SSL not available.")
def test_ssl_client_name_fail(self):
try:
self._test_ssl(client_password="client-password",
......
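Review bot: `os.environ['SSL_CERT_FILE'] = _testpath("ca-certificate.pem")` in _test_ssl is never undone, so once test_ssl_ok_using_system_ca has run, every later test in the process (and anything else that consults ssl.get_default_verify_paths() or OpenSSL's default store) sees the test CA bundle as the system trust root. Save the prior value and restore it when the test finishes, e.g. `prior = os.environ.get('SSL_CERT_FILE')` before the assignment and a cleanup that reinstates it (`self.addCleanup(...)` if common.Test derives from unittest.TestCase, otherwise the fixture's teardown). The body of _test_ssl continues past the hunk, so a try/finally around the remainder is the alternative placement. The existing comment could also say why this works: `# SSL_CERT_FILE is read by ssl.get_default_verify_paths(), which the x-ssl option relies on`.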