* SSL/TLS support is disabled by default, as other server did.
* If "xend-relocation-server-ssl-key-file" and
"xend-relocation-server-ssl-cert-file" exist, SSL/TLS is enabled
automatically.
* "xend-relocation-tls" is used by relocation client only.
Signed-off-by: Zhigang Wang <zhigang.x.wang@oracle.com>
# is set.
#(xend-relocation-port 8002)
+# Whether to use tls when relocating.
+#(xend-relocation-tls no)
+
+# SSL key and certificate to use for the relocation interface.
+# Setting these will mean that this port serves only SSL connections as
+# opposed to plaintext ones.
+#(xend-relocation-server-ssl-key-file /etc/xen/xmlrpc.key)
+#(xend-relocation-server-ssl-cert-file /etc/xen/xmlrpc.crt)
+
# Address xend should listen on for HTTP connections, if xend-http-server is
# set.
# Specifying 'localhost' prevents remote connections.
import socket
import time
+from OpenSSL import SSL
+
import connection
from xen.xend.XendLogging import log
sock.close()
except:
pass
+
+class SSLTCPListener(TCPListener):
+
+ def __init__(self, protocol_class, port, interface, hosts_allow,
+ ssl_key_file = None, ssl_cert_file = None):
+ if not ssl_key_file or not ssl_cert_file:
+ raise ValueError("SSLXMLRPCServer requires ssl_key_file "
+ "and ssl_cert_file to be set.")
+
+ self.ssl_key_file = ssl_key_file
+ self.ssl_cert_file = ssl_cert_file
+
+ TCPListener.__init__(self, protocol_class, port, interface, hosts_allow)
+
+
+ def createSocket(self):
+ # make a SSL socket
+ ctx = SSL.Context(SSL.SSLv23_METHOD)
+ ctx.set_options(SSL.OP_NO_SSLv2)
+ ctx.use_privatekey_file (self.ssl_key_file)
+ ctx.use_certificate_file(self.ssl_cert_file)
+ sock = SSL.Connection(ctx,
+ socket.socket(socket.AF_INET, socket.SOCK_STREAM))
+ sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
+
+ # SO_REUSEADDR does not always ensure that we do not get an address
+ # in use error when restarted quickly
+ # we implement a timeout to try and avoid failing unnecessarily
+ timeout = time.time() + 30
+ while True:
+ try:
+ sock.bind((self.interface, self.port))
+ return sock
+ except socket.error, (_errno, strerrno):
+ if _errno == errno.EADDRINUSE and time.time() < timeout:
+ time.sleep(0.5)
+ else:
+ raise
+
if port == 0:
port = xoptions.get_xend_relocation_port()
+
try:
- sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ tls = xoptions.get_xend_relocation_tls()
+ if tls:
+ from OpenSSL import SSL
+ ctx = SSL.Context(SSL.SSLv23_METHOD)
+ sock = SSL.Connection(ctx, socket.socket(socket.AF_INET, socket.SOCK_STREAM))
+ sock.set_connect_state()
+ else:
+ sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((dst, port))
except socket.error, err:
raise XendError("can't connect: %s" % err[1])
return self.get_config_bool("xend-relocation-server",
self.xend_relocation_server_default)
+ def get_xend_relocation_server_ssl_key_file(self):
+ return self.get_config_string("xend-relocation-server-ssl-key-file")
+
+ def get_xend_relocation_server_ssl_cert_file(self):
+ return self.get_config_string("xend-relocation-server-ssl-cert-file")
+
def get_xend_port(self):
"""Get the port xend listens at for its HTTP interface.
"""
return self.get_config_int('xend-relocation-port',
self.xend_relocation_port_default)
+ def get_xend_relocation_tls(self):
+ """Whether to use tls when relocating.
+ """
+ return self.get_config_bool('xend-relocation-tls', 'no')
+
def get_xend_relocation_hosts_allow(self):
return self.get_config_string("xend-relocation-hosts-allow",
self.xend_relocation_hosts_allow_default)
else:
hosts_allow = map(re.compile, hosts_allow.split(" "))
- tcp.TCPListener(RelocationProtocol, port, interface = interface,
- hosts_allow = hosts_allow)
+ ssl_key_file = xoptions.get_xend_relocation_server_ssl_key_file()
+ ssl_cert_file = xoptions.get_xend_relocation_server_ssl_cert_file()
+
+ if ssl_key_file and ssl_cert_file:
+ tcp.SSLTCPListener(RelocationProtocol, port, interface = interface,
+ hosts_allow = hosts_allow,
+ ssl_key_file = ssl_key_file,
+ ssl_cert_file = ssl_cert_file)
+ else:
+ tcp.TCPListener(RelocationProtocol, port, interface = interface,
+ hosts_allow = hosts_allow)
projects / xen.git / commitdiff