clach04 avatar clach04 committed ab7fe47 Draft

Added optional checking of client SSL cert (by server).


Files changed (2)

 The server needs both the certificate and key file. Note if the key file is
 protected by a pass phrase the server process will prompt on the console!
 For convenience, consider removing the pass phrase from the key file.
+
+Also the server can verify the client certificate too:
+
+    {
+        "use_ssl": true,
+        "ssl_server_certfile": "cert.pem",
+        "ssl_server_keyfile": "key.pem",
+        
+        "ssl_client_certfile": "cert.pem",
+        "ssl_client_keyfile": "key.pem",
+    }
+
+NOTE this example is using the same cert (and key) for both client and server.
                 logger.info('using SSL certificate file  %r' % ssl_server_certfile)
                 logger.info('using SSL key file  %r' % ssl_server_keyfile)
 
-                self.request = ssl.wrap_socket(self.request,
+                if config.get('ssl_client_certfile'):
+                    self.request = ssl.wrap_socket(self.request,
+                                    server_side=True,
+                                    certfile=ssl_server_certfile,
+                                    keyfile=ssl_server_keyfile,
+                                    ca_certs=config['ssl_client_certfile'],  # verify client
+                                    cert_reqs=ssl.CERT_REQUIRED,
+                                    ssl_version=SSL_VERSION)
+                else:
+                    self.request = ssl.wrap_socket(self.request,
                                     server_side=True,
                                     certfile=ssl_server_certfile,
                                     keyfile=ssl_server_keyfile,
     server.serve_forever()
 
 
-def client_start_sync(ip, port, server_path, client_path, sync_type=SKSYNC_PROTOCOL_TYPE_FROM_SERVER_USE_TIME, recursive=False, use_ssl=None, ssl_server_certfile=None):
+def client_start_sync(ip, port, server_path, client_path, sync_type=SKSYNC_PROTOCOL_TYPE_FROM_SERVER_USE_TIME, recursive=False, use_ssl=None, ssl_server_certfile=None, ssl_client_certfile=None, ssl_client_keyfile=None):
     """Implements SK Client, currently only supports:
        * direction =  "from server (use time)" ONLY
     """
             logger.info('Attempting SSL session')
             if ssl_server_certfile:
                 logger.info('using SSL certificate file  %r' % ssl_server_certfile)
-                s = ssl.wrap_socket(s,
+                if ssl_client_certfile:
+                    s = ssl.wrap_socket(s,
+                               ca_certs=ssl_server_certfile,
+                               cert_reqs=ssl.CERT_REQUIRED,
+                               certfile=ssl_client_certfile,
+                               keyfile=ssl_client_keyfile,
+                               ssl_version=SSL_VERSION)
+                else:
+                    # assume that if server is checking client cert, client will be checking server cert
+                    s = ssl.wrap_socket(s,
                                ca_certs=ssl_server_certfile,
                                cert_reqs=ssl.CERT_REQUIRED,
                                ssl_version=SSL_VERSION)
     server_path, client_path = client_config['server_path'], client_config['client_path']
     use_ssl = config.get('use_ssl')
     ssl_server_certfile = config.get('ssl_server_certfile')
-    client_start_sync(host, port, server_path, client_path, use_ssl=use_ssl, ssl_server_certfile=ssl_server_certfile)
+    
+    ssl_client_certfile = config.get('ssl_client_certfile')
+    ssl_client_keyfile = config.get('ssl_client_keyfile')
+    client_start_sync(host, port, server_path, client_path, use_ssl=use_ssl, ssl_server_certfile=ssl_server_certfile, ssl_client_certfile=ssl_client_certfile, ssl_client_keyfile=ssl_client_keyfile)
 
 
 def main(argv=None):
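Review bot: The new client-certificate branch at `if ssl_client_certfile:` is nested under `if ssl_server_certfile:`, so a config that sets `ssl_client_certfile` but not `ssl_server_certfile` never presents the client cert, and the handshake failure against a server that requires one is hard to diagnose; guard it before that check with `if ssl_client_certfile and not ssl_server_certfile: raise ValueError('ssl_client_certfile requires ssl_server_certfile to be set')` (or at minimum a `logger.warning`). The comment `# assume that if server is checking client cert, client will be checking server cert` on the else branch is misleading, since both branches pass `cert_reqs=ssl.CERT_REQUIRED` against `ca_certs=ssl_server_certfile`; `# no client cert configured; the server cert is still verified` states what the code does. The two `ssl.wrap_socket` calls here, and the pair in the server-side hunk above, differ only in the client-cert keyword arguments, so building one kwargs dict and adding `certfile`/`keyfile` (server side: `ca_certs`/`cert_reqs`) when configured would remove the duplication. The server-side hunk reads only `ssl_client_certfile`, as the trust anchor for client certs, so an `ssl_client_keyfile` entry in the server config appears to be unused by it. `client_start_sync` continues outside the hunk.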