Changeset 156


Timestamp:
05/19/12 03:00:33 (13 years ago)
Author:
atzm
Message:
  • server cert verification support
Location:
etherws/trunk
Files:
2 edited

  • etherws/trunk/README.rst

    r152 r156  
    5151  # ifconfig eth0 mtu 1400 
    5252 
    53 Tunnel Encryption 
    54 ================= 
    55 etherws supports SSL/TLS connection (but client does not verify server 
    56 certificates). 
     53Using SSL/TLS 
     54============= 
     55etherws supports SSL/TLS connection. 
    5756If you want to encrypt the tunnel, then you can use following options. 
    5857 
    59 on *Hypervisor1* (options *keyfile* and *certfile* were specified):: 
     58on *Hypervisor1*:: 
    6059 
    6160  # etherws server --keyfile ssl.key --certfile ssl.crt 
    6261 
    63 on *Hypervisor2* (option *uri*'s scheme was changed to *wss*):: 
     62*ssl.key* is a server private key, and *ssl.crt* is a server certificate. 
    6463 
    65   # etherws client --uri wss://<Hypervisor1's IP address>/ 
    66  
    67 You also can test by following command:: 
     64Now you also can test SSL/TLS connection by following command:: 
    6865 
    6966  # openssl s_client -connect <Hypervisor1's IP address>:443 
     67 
     68on *Hypervisor2*:: 
     69 
     70  # etherws client --uri wss://<Hypervisor1's IP address>/ --cacerts ssl.crt 
     71 
     72Here, URI scheme was just changed to *wss*, and CA certificate to verify 
     73server certificate was specified. 
     74 
     75By the way, client verifies server certificate by default. 
     76So, for example, client will die with error messages if your server uses 
     77self-signed certificate and client uses another CA certificate. 
     78 
     79If you want to just encrypt the tunnel and do not need to verify 
     80certificate, then you can use following option:: 
     81 
     82  # etherws client --uri wss://<Hypervisor1's IP address>/ --insecure 
     83 
     84Note: see `<http://docs.python.org/library/ssl.html#certificates>`_ 
     85for more information about certificates. 
    7086 
    7187Client Authentication 
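Review bot: the new paragraph "client verifies server certificate by default" is missing the consequence for users: nothing in this section says that *--cacerts* is then mandatory, yet the accompanying `etherws.py` change hands `args.cacerts` straight to `ssl.wrap_socket` with `cert_reqs=ssl.CERT_REQUIRED`, so `etherws client --uri wss://.../` started with neither *--cacerts* nor *--insecure* fails to connect. Add one sentence such as "With the *wss* scheme, either *--cacerts* or *--insecure* must be given." The `openssl s_client -connect <Hypervisor1's IP address>:443` test also deserves `-CAfile ssl.crt`; as written it only shows that TLS is offered, not that `ssl.crt` actually verifies the server, which is exactly what the client paragraph that follows relies on.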
  • etherws/trunk/etherws.py

    r155 r156  
    4343import os 
    4444import sys 
     45import ssl 
    4546import base64 
    4647import hashlib 
     
    222223                        if passwd.startswith('{SHA}'): 
    223224                            users[name] = passwd[5:] 
     225            if not users: 
     226                raise RuntimeError('no valid users found') 
    224227        except TypeError: 
    225228            pass 
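Review bot: the `if not users: raise RuntimeError('no valid users found')` check is unrelated to server certificate verification and the commit message does not mention it; either move it to its own changeset or add a line to the message so the behaviour change is findable later. Placement-wise it is correct: `except TypeError: pass` below does not catch `RuntimeError`, so a password file with no usable `{SHA}` entries now aborts startup instead of the server continuing with an empty user table.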
     
    266269    if args.debug: 
    267270        websocket.enableTrace(True) 
     271 
     272    if not args.insecure: 
     273        websocket._SSLSocketWrapper = \ 
     274            lambda s: ssl.wrap_socket(s, cert_reqs=ssl.CERT_REQUIRED, 
     275                                      ca_certs=args.cacerts) 
    268276 
    269277    passwd = None 
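Review bot: the verifying wrapper checks the chain against `args.cacerts` but never checks that the certificate belongs to the host named in `--uri`; `ssl.wrap_socket` does no hostname matching, so any certificate signed by the given CA file is accepted for any server. When `--cacerts ssl.crt` is the server's own self-signed certificate this effectively pins the client to that one certificate, but with a real CA bundle any other certificate holder from that CA can stand in for Hypervisor1. After wrapping, compare `getpeercert()` with the URI host (`ssl.match_hostname` where the Python version has it, otherwise a check of the `subjectAltName`/`commonName` fields). Also, `websocket._SSLSocketWrapper` is a private hook of the websocket-client module, so the assignment should carry a comment naming the version it was written against, since a later release can rename or drop it and silently fall back to the unverified default.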
     
    308316    parser_client = subparsers.add_parser('client') 
    309317    parser_client.add_argument('--uri', action='store', required=True) 
     318    parser_client.add_argument('--insecure', action='store_true', default=False) 
     319    parser_client.add_argument('--cacerts', action='store') 
    310320    parser_client.add_argument('--user', action='store') 
    311321 
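Review bot: `--cacerts` is declared with neither `required` nor a default, while the client code only skips verification when `--insecure` is set, so the plain invocation with a *wss* URI and no `--cacerts` reaches `ssl.wrap_socket(..., cert_reqs=ssl.CERT_REQUIRED, ca_certs=None)` and fails on every connection attempt with an SSL error instead of a usage message. Validate the pair right after `parse_args()`, for example `if args.uri.startswith('wss://') and not args.insecure and not args.cacerts: parser.error('--cacerts is required unless --insecure is given')`. Giving `--cacerts` a help string that says the same would also let `--help` document the rule.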