- Timestamp:
- 05/19/12 03:00:33 (13 years ago)
- Location:
- etherws/trunk
- Files:
-
- 2 edited
Legend:
- Unmodified
- Added
- Removed
-
etherws/trunk/README.rst
r152 r156 51 51 # ifconfig eth0 mtu 1400 52 52 53 Tunnel Encryption 54 ================= 55 etherws supports SSL/TLS connection (but client does not verify server 56 certificates). 53 Using SSL/TLS 54 ============= 55 etherws supports SSL/TLS connection. 57 56 If you want to encrypt the tunnel, then you can use following options. 58 57 59 on *Hypervisor1* (options *keyfile* and *certfile* were specified)::58 on *Hypervisor1*:: 60 59 61 60 # etherws server --keyfile ssl.key --certfile ssl.crt 62 61 63 on *Hypervisor2* (option *uri*'s scheme was changed to *wss*):: 62 *ssl.key* is a server private key, and *ssl.crt* is a server certificate. 64 63 65 # etherws client --uri wss://<Hypervisor1's IP address>/ 66 67 You also can test by following command:: 64 Now you also can test SSL/TLS connection by following command:: 68 65 69 66 # openssl s_client -connect <Hypervisor1's IP address>:443 67 68 on *Hypervisor2*:: 69 70 # etherws client --uri wss://<Hypervisor1's IP address>/ --cacerts ssl.crt 71 72 Here, URI scheme was just changed to *wss*, and CA certificate to verify 73 server certificate was specified. 74 75 By the way, client verifies server certificate by default. 76 So, for example, client will die with error messages if your server uses 77 self-signed certificate and client uses another CA certificate. 78 79 If you want to just encrypt the tunnel and do not need to verify 80 certificate, then you can use following option:: 81 82 # etherws client --uri wss://<Hypervisor1's IP address>/ --insecure 83 84 Note: see `<http://docs.python.org/library/ssl.html#certificates>`_ 85 for more information about certificates. 70 86 71 87 Client Authentication -
etherws/trunk/etherws.py
r155 r156 43 43 import os 44 44 import sys 45 import ssl 45 46 import base64 46 47 import hashlib … … 222 223 if passwd.startswith('{SHA}'): 223 224 users[name] = passwd[5:] 225 if not users: 226 raise RuntimeError('no valid users found') 224 227 except TypeError: 225 228 pass … … 266 269 if args.debug: 267 270 websocket.enableTrace(True) 271 272 if not args.insecure: 273 websocket._SSLSocketWrapper = \ 274 lambda s: ssl.wrap_socket(s, cert_reqs=ssl.CERT_REQUIRED, 275 ca_certs=args.cacerts) 268 276 269 277 passwd = None … … 308 316 parser_client = subparsers.add_parser('client') 309 317 parser_client.add_argument('--uri', action='store', required=True) 318 parser_client.add_argument('--insecure', action='store_true', default=False) 319 parser_client.add_argument('--cacerts', action='store') 310 320 parser_client.add_argument('--user', action='store') 311 321
Note: See TracChangeset
for help on using the changeset viewer.