Changeset 156

Timestamp:

05/19/12 03:00:33 (12 years ago)

Author:

atzm

Message:

• server cert verification support

Location:

etherws/trunk

Files:

• README.rst (modified) (1 diff)
• etherws.py (modified) (4 diffs)

etherws/trunk/README.rst

@@ -51 +51 @@
   # ifconfig eth0 mtu 1400
 
-Tunnel Encryption
-=================
-etherws supports SSL/TLS connection (but client does not verify server
-certificates).
+Using SSL/TLS
+=============
+etherws supports SSL/TLS connection.
 If you want to encrypt the tunnel, then you can use following options.
 
-on *Hypervisor1* (options *keyfile* and *certfile* were specified)::
+on *Hypervisor1*::
 
   # etherws server --keyfile ssl.key --certfile ssl.crt
 
-on *Hypervisor2* (option *uri*'s scheme was changed to *wss*)::
+*ssl.key* is a server private key, and *ssl.crt* is a server certificate.
 
-  # etherws client --uri wss://<Hypervisor1's IP address>/
-
-You also can test by following command::
+Now you also can test SSL/TLS connection by following command::
 
   # openssl s_client -connect <Hypervisor1's IP address>:443
+
+on *Hypervisor2*::
+
+  # etherws client --uri wss://<Hypervisor1's IP address>/ --cacerts ssl.crt
+
+Here, URI scheme was just changed to *wss*, and CA certificate to verify
+server certificate was specified.
+
+By the way, client verifies server certificate by default.
+So, for example, client will die with error messages if your server uses
+self-signed certificate and client uses another CA certificate.
+
+If you want to just encrypt the tunnel and do not need to verify
+certificate, then you can use following option::
+
+  # etherws client --uri wss://<Hypervisor1's IP address>/ --insecure
+
+Note: see `<http://docs.python.org/library/ssl.html#certificates>`_
+for more information about certificates.
 
 Client Authentication

etherws/trunk/etherws.py

@@ -43 +43 @@
 import os
 import sys
+import ssl
 import base64
 import hashlib
@@ -222 +223 @@
                         if passwd.startswith('{SHA}'):
                             users[name] = passwd[5:]
+            if not users:
+                raise RuntimeError('no valid users found')
         except TypeError:
             pass
@@ -266 +269 @@
     if args.debug:
         websocket.enableTrace(True)
+
+    if not args.insecure:
+        websocket._SSLSocketWrapper = \
+            lambda s: ssl.wrap_socket(s, cert_reqs=ssl.CERT_REQUIRED,
+                                      ca_certs=args.cacerts)
 
     passwd = None
@@ -308 +316 @@
     parser_client = subparsers.add_parser('client')
     parser_client.add_argument('--uri', action='store', required=True)
+    parser_client.add_argument('--insecure', action='store_true', default=False)
+    parser_client.add_argument('--cacerts', action='store')
     parser_client.add_argument('--user', action='store')