[Inteproxy-commits] r363 - in trunk: . inteproxy
scm-commit at wald.intevation.org
scm-commit at wald.intevation.org
Wed Mar 28 15:49:01 CEST 2012
Author: aheinecke
Date: 2012-03-28 15:49:01 +0200 (Wed, 28 Mar 2012)
New Revision: 363
Modified:
trunk/ChangeLog
trunk/inteproxy.cfg
trunk/inteproxy/config.py
trunk/inteproxy/main.py
trunk/inteproxy/proxycore.py
Log:
Make certificate validation configurable
To stay compatible with the behavior when used with python < 2.6
the certificate validation should be disabled by default.
This is now the default, a configuration option "do_certificate_validation"
is added to make it possible to explicitly enable the validation
when using python >= 2.6
Modified: trunk/ChangeLog
===================================================================
--- trunk/ChangeLog 2012-03-15 16:07:35 UTC (rev 362)
+++ trunk/ChangeLog 2012-03-28 13:49:01 UTC (rev 363)
@@ -1,3 +1,12 @@
+2012-03-28 Andre Heinecke <aheinecke at intevation.de>
+ * M inteproxy/proxycore.py,
+ M inteproxy/config.py,
+ M inteproxy/main.py,
+ M inteproxy.cfg:
+ Add configuration option do_certificate_validation to
+ explicitly enable SSL Certificate validation.
+ Default is not to validate the certificates.
+
2012-03-02 Andre Heinecke <aheinecke at intevation.de>
* A test/decompressstream.py:
Added test for decompressed reading
Modified: trunk/inteproxy/config.py
===================================================================
--- trunk/inteproxy/config.py 2012-03-15 16:07:35 UTC (rev 362)
+++ trunk/inteproxy/config.py 2012-03-28 13:49:01 UTC (rev 363)
@@ -108,7 +108,9 @@
Option("https_proxy", default=None),
Option("show_terms_dialog", converter=convert_bool,
default=1),
- Option("cacerts", default=None)]
+ Option("cacerts", default=None),
+ Option("do_certificate_validation", converter=convert_bool,
+ default=0)]
proxy_desc = [Option("host"),
Option("port", default=80, converter=int),
Modified: trunk/inteproxy/main.py
===================================================================
--- trunk/inteproxy/main.py 2012-03-15 16:07:35 UTC (rev 362)
+++ trunk/inteproxy/main.py 2012-03-28 13:49:01 UTC (rev 363)
@@ -189,7 +189,8 @@
transcoder_map=transcoder_map,
rewrite_urls=opts.rewrite_urls,
show_terms_dialog=config.show_terms_dialog,
- cacert_path=config.cacerts)
+ cacert_path=config.cacerts,
+ validate_cert=config.do_certificate_validation)
# import the gtkapp here instead of at top-level to avoid loading
# the gtk module. The gtk module requires an Xserver connection
Modified: trunk/inteproxy/proxycore.py
===================================================================
--- trunk/inteproxy/proxycore.py 2012-03-15 16:07:35 UTC (rev 362)
+++ trunk/inteproxy/proxycore.py 2012-03-28 13:49:01 UTC (rev 363)
@@ -135,15 +135,19 @@
"""Open a HTTPS connection to remote_address and validate the server
certificate
- The server certificate is validated if python >= 2.6. If the validation
- failed, a popup dialog with technical details of the failure is shown.
+ If the configuration option do_certificate_validation is set to
+ true and if python >= 2.6 the server certificate is validated.
+ If the validation failed, a popup dialog with technical details
+ of the failure is shown.
The user has the choice to trust or reject the connection. Rejecting the
- connection will result in a HTTP-502. If python < 2.6 is installed, the
- certificate is not validated but an ssl connection is used as well to
- encrypt the data."""
+ connection will result in a HTTP-502. If python < 2.6 is installed or
+ if the configuration option do_certificate_validation is not set to
+ true, the certificate is not validated.
+ An ssl connection is used in both cases to encrypt the data."""
if ssl is not None:
try:
- return self.open_https_connection(remote_address)
+ return self.open_https_connection(remote_address,
+ self.server.validate_cert)
except ssl.SSLError:
self.log_debug("SSL certificate validation failed.")
if handle_certificate_validation_error(remote_address[0]):
@@ -512,7 +516,8 @@
def __init__(self, server_address, RequestHandlerClass, num_workers,
http_proxy, https_proxy, transcoder_map,
- rewrite_urls=False, show_terms_dialog=True, cacert_path=None):
+ rewrite_urls=False, show_terms_dialog=True, cacert_path=None,
+ validate_cert=False):
HTTPServer.__init__(self, server_address, RequestHandlerClass)
self.http_proxy = http_proxy
self.https_proxy = https_proxy
@@ -520,6 +525,7 @@
self.rewrite_urls = rewrite_urls
self.show_terms_dialog = show_terms_dialog
self.cacert_path = cacert_path
+ self.validate_cert = validate_cert
self.thread_pool = ThreadPool(num_workers, lambda f: f())
sys.stderr.write("[%s] starting %d worker threads\n" \
% (log_date_time_string(), num_workers))
Modified: trunk/inteproxy.cfg
===================================================================
--- trunk/inteproxy.cfg 2012-03-15 16:07:35 UTC (rev 362)
+++ trunk/inteproxy.cfg 2012-03-28 13:49:01 UTC (rev 363)
@@ -34,6 +34,14 @@
#
# show_terms_dialog=false
+# Uncomment the following line to validate the servers SSL certificate.
+# Allowed values for do_certificate_validation
+# option are "false", "no" and "0" to disable validation, "true",
+# "yes" and "1" to enable validation. The default is "false".
+# This feature will only work when using Python Version 2.6 or later.
+#
+# do_certificate_validation=True
+#
# The path to a file that contains certification authority certificates which
# are used to validate certificates passed from the remote server.
# cacerts=/path/to/cacerts.crt
More information about the Inteproxy-commits
mailing list