I got the following patches from Eric J. Barkie.
Purpose:
The main purpose of the client-side certificate patch is to restrict
access to repositories when dealing with licensed RPMs/distributions,
e.g. RHEL. The typical use would be to generate a CA and then, with that
CA, issue a certificate to each machine that will be running yum. The
main repository would be hosted with Apache under mod_ssl, with
SSLCACertificateFile set to your CA and SSLVerifyClient set to
"require". By doing this, Apache takes care of the authentication, and we
can ensure that the yum repository can only be accessed by the intended
clients.
Take a look and let me know what you think.
Tim
--- urlgrabber-3.1.0/urlgrabber/grabber.py.orig 2006-12-26 13:48:26.000000000 -0500
+++ urlgrabber-3.1.0/urlgrabber/grabber.py 2006-12-26 13:49:02.000000000 -0500
@@ -809,6 +809,7 @@
self.urlparser = URLParser()
self.quote = None
self.ssl_ca_cert = None
+ self.ssl_client_cert = None
self.ssl_context = None
class URLGrabber:
@@ -1045,7 +1046,7 @@
# -------------------------------------------------------
ssl_factory = sslfactory.get_factory(self.opts.ssl_ca_cert,
- self.opts.ssl_context)
+ self.opts.ssl_client_cert, self.opts.ssl_context)
if need_keepalive_handler:
handlers.append(HTTPHandler())
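Review bot: The call now depends on positional order after a parameter was inserted in the middle of `get_factory`'s signature, so any other caller that still passes the context as the second positional argument would have it silently treated as a client-cert path and handed to `load_cert`. Passing the options by keyword removes that ambiguity: `ssl_factory = sslfactory.get_factory(ssl_ca_cert=self.opts.ssl_ca_cert, ssl_client_cert=self.opts.ssl_client_cert, ssl_context=self.opts.ssl_context)`. The same consideration applies to the `M2SSLFactory(...)` construction in the sslfactory.py hunks. The enclosing method starts and ends outside this hunk.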
--- urlgrabber-3.1.0/urlgrabber/sslfactory.py.orig 2006-12-26 13:33:48.000000000 -0500
+++ urlgrabber-3.1.0/urlgrabber/sslfactory.py 2006-12-26 14:51:13.000000000 -0500
@@ -34,21 +34,24 @@
class M2SSLFactory:
- def __init__(self, ssl_ca_cert, ssl_context):
- self.ssl_context = self._get_ssl_context(ssl_ca_cert, ssl_context)
+ def __init__(self, ssl_ca_cert, ssl_client_cert, ssl_context):
+ self.ssl_context = self._get_ssl_context(ssl_ca_cert, ssl_client_cert, ssl_context)
- def _get_ssl_context(self, ssl_ca_cert, ssl_context):
+ def _get_ssl_context(self, ssl_ca_cert, ssl_client_cert, ssl_context):
"""
- Create an ssl context using the CA cert file or ssl context.
+ Create a ssl context using the CA cert file and/or the client cert file or ssl context.
- The CA cert is used first if it was passed as an option. If not,
- then the supplied ssl context is used. If no ssl context was supplied,
+ The CA cert and client cert are used first if either or both are passed as an options.
+ If not, then the supplied ssl context is used. If no ssl context was supplied,
None is returned.
"""
- if ssl_ca_cert:
+ if ssl_ca_cert or ssl_client_cert:
context = SSL.Context()
- context.load_verify_locations(ssl_ca_cert)
- context.set_verify(SSL.verify_peer, -1)
+ if ssl_ca_cert:
+ context.load_verify_locations(ssl_ca_cert)
+ context.set_verify(SSL.verify_peer, -1)
+ if ssl_client_cert:
+ context.load_cert(ssl_client_cert)
return context
else:
return ssl_context
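Review bot: With only `ssl_client_cert` set, the new branch builds a bare `SSL.Context()` and never calls `set_verify`, so the client presents its certificate to a server whose identity is not checked; before this patch a fresh context was only ever created together with the CA cert and peer verification. Either require the CA cert whenever a client cert is given, or call `context.set_verify(SSL.verify_peer, -1)` unconditionally after loading a trust store, and state the chosen behaviour in the docstring, e.g. `A client cert without a CA cert leaves server verification disabled.` `load_cert(ssl_client_cert)` is called with no key file, so (if this is M2Crypto's `Context.load_cert`) the file must hold both the PEM certificate and its private key, and an encrypted key would trigger M2Crypto's interactive passphrase prompt during an unattended yum run — worth a sentence in the docstring as well. The `get_factory` fallback in the following hunk still warns only on `ssl_ca_cert or ssl_context`, so a client cert is dropped silently when M2Crypto is missing; that hunk runs past this excerpt.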
@@ -76,10 +79,10 @@
-def get_factory(ssl_ca_cert = None, ssl_context = None):
+def get_factory(ssl_ca_cert = None, ssl_client_cert = None, ssl_context = None):
""" Return an SSLFactory, based on if M2Crypto is available. """
if have_m2crypto:
- return M2SSLFactory(ssl_ca_cert, ssl_context)
+ return M2SSLFactory(ssl_ca_cert, ssl_client_cert, ssl_context)
else:
# Log here if someone provides the args but we don't use them.
if ssl_ca_cert or ssl_context: