[LON-CAPA-cvs] cvs: loncom / LondConnection.pm lond
foxr
lon-capa-cvs@mail.lon-capa.org
Thu, 17 Jun 2004 11:02:26 -0000
foxr Thu Jun 17 07:02:26 2004 EDT
Modified files:
/loncom LondConnection.pm lond
Log:
If the certificate files or host key are missing, then
switch to insecure authentication if allowed. The idea
is this: After an upgrade to lond/lond ssl, you won't in general
have your signed host certificate yet. We want to support uninterrupted
service until your certs are granted, so although the software is ssl
capable, it must, in the interim, do insecure authentication, if permitted
by the administrators.
One case not handled, and left not handled: if the lonCerts directory does not
exist the init:local key exchange cannot work. This case can be ignored because
that directory will be created as part of the update/upgrade. If it does not exist
it's a sign of some other serious problem that ought to be fixed IMHO.
Index: loncom/LondConnection.pm
diff -u loncom/LondConnection.pm:1.32 loncom/LondConnection.pm:1.33
--- loncom/LondConnection.pm:1.32 Thu Jun 17 06:15:46 2004
+++ loncom/LondConnection.pm Thu Jun 17 07:02:25 2004
@@ -1,7 +1,7 @@
# This module defines and implements a class that represents
# a connection to a lond daemon.
#
-# $Id: LondConnection.pm,v 1.32 2004/06/17 10:15:46 foxr Exp $
+# $Id: LondConnection.pm,v 1.33 2004/06/17 11:02:25 foxr Exp $
#
# Copyright Michigan State University Board of Trustees
#
@@ -259,8 +259,8 @@
return undef; # Inidicates the socket could not be made.
}
my $socket = $self->{Socket}; # For local use only.
- # If we are local, we'll first try local auth mode, otherwise, we'll try the
- # ssl auth mode:
+ # If we are local, we'll first try local auth mode, otherwise, we'll try
+ # the ssl auth mode:
Debug(8, "Connecting to $DnsName I am $LocalDns");
my $key;
@@ -290,10 +290,29 @@
return undef;
}
- }
+ }
else {
- $self->{AuthenticationMode} = "ssl";
- $self->{TransactionRequest} = "init:ssl\n";
+ # Remote peer: I'd like to do ssl, but if my host key or certificates
+ # are not all installed, my only choice is insecure, if that's
+ # allowed:
+
+ my ($ca, $cert) = lonssl::CertificateFile;
+ my $sslkeyfile = lonssl::KeyFile;
+
+ if((defined $ca) && (defined $cert) && (defined $sslkeyfile)) {
+
+ $self->{AuthenticationMode} = "ssl";
+ $self->{TransactionRequest} = "init:ssl\n";
+ } else {
+ if($InsecureOk) { # Allowed to do insecure:
+ $self->{AuthenticationMode} = "insecure";
+ $self->{TransactionRequest} = "init\n";
+ }
+ else { # Not allowed to do insecure...
+ $socket->close;
+ return undef;
+ }
+ }
}
#
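Review bot: The insecure fallback in the new else branch leaves no trace on the client side: when one of `$ca`, `$cert` or `$sslkeyfile` is undefined and `$InsecureOk` is set, AuthenticationMode becomes "insecure" with no Debug or log call, whereas the matching lond change logs its downgrade. An operator reading the client's log cannot tell a peer that was never issued certificates from one whose key file has gone missing, which is exactly the condition a downgrade should make visible; add `Debug(1, "Certificates not installed -- falling back to insecure auth to $DnsName");` before the assignment, and a similar line in the `else` that closes the socket. The presence test is also written against `defined` here while the lond hunk tests truthiness (`!$ca`); if lonssl::CertificateFile can return an empty string the two ends will disagree on whether ssl is attempted, so it is worth using the same test in both places. The method containing this hunk starts and ends outside it, and where `$InsecureOk` is set is not visible here.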
Index: loncom/lond
diff -u loncom/lond:1.195 loncom/lond:1.196
--- loncom/lond:1.195 Thu Jun 17 06:15:46 2004
+++ loncom/lond Thu Jun 17 07:02:25 2004
@@ -2,7 +2,7 @@
# The LearningOnline Network
# lond "LON Daemon" Server (port "LOND" 5663)
#
-# $Id: lond,v 1.195 2004/06/17 10:15:46 foxr Exp $
+# $Id: lond,v 1.196 2004/06/17 11:02:25 foxr Exp $
#
# Copyright Michigan State University Board of Trustees
#
@@ -51,12 +51,12 @@
use LONCAPA::lonlocal;
use LONCAPA::lonssl;
-my $DEBUG = 0; # Non zero to enable debug log entries.
+my $DEBUG = 11; # Non zero to enable debug log entries.
my $status='';
my $lastlog='';
-my $VERSION='$Revision: 1.195 $'; #' stupid emacs
+my $VERSION='$Revision: 1.196 $'; #' stupid emacs
my $remoteVERSION;
my $currenthostid;
my $currentdomainid;
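Review bot: `my $DEBUG = 11;` turns debug logging on for every lond process built from this commit, which looks like a leftover from testing the fallback rather than an intended change. At that level the daemon's debug entries, including the authentication path touched later in this commit, go to the log on production hosts, so please restore `my $DEBUG = 0; # Non zero to enable debug log entries.` or have the level come from configuration rather than a constant in the source.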
@@ -1527,6 +1527,25 @@
# If the remote is attempting a local init... give that a try:
#
my ($i, $inittype) = split(/:/, $remotereq);
+
+ # If the connection type is ssl, but I didn't get my
+ # certificate files yet, then I'll drop back to
+ # insecure (if allowed).
+
+ if($inittype eq "ssl") {
+ my ($ca, $cert) = lonssl::CertificateFile;
+ my $kfile = lonssl::KeyFile;
+ if((!$ca) ||
+ (!$cert) ||
+ (!$kfile)) {
+ $inittype = ""; # This forces insecure attempt.
+ &logthis("<font color=\"blue\"> Certificates not "
+ ."installed -- trying insecure auth</font>");
+ }
+ else { # SSL certificates are in place so
+ } # Leave the inittype alone.
+ }
+
if($inittype eq "local") {
my $key = LocalConnection($client, $remotereq);
if($key) {
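Review bot: The server-side downgrade at `$inittype = "";` is decided purely by whether lond's own certificate and key files are present; no administrator setting is consulted in this hunk, unlike the client, which gates its fallback on `$InsecureOk`. If the plain `init` path further down does not enforce such a policy, a lond whose key file has been removed will accept insecure initialization from every peer that asked for ssl, so it would be safer to apply the same permission check here and close the connection when insecure is not allowed. The empty `else { } # Leave the inittype alone.` branch at the end of the new block can be dropped, with its comment moved onto the `if`. The enclosing routine starts and ends outside the hunk, so whether the insecure branch itself checks permission is not visible here.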
@@ -1550,7 +1569,7 @@
my $cipherkey = pack("H32", $key);
$cipher = new IDEA($cipherkey);
&logthis('<font color="green">'
- ."Successfull ssl authentication </font>");
+ ."Successfull ssl authentication with $clientname </font>");
} else {
$clientok = 0;
@@ -1562,7 +1581,7 @@
if($ok) {
$clientok = 1;
&logthis('<font color="green">'
- ."Successful insecure authentication </font>");
+ ."Successful insecure authentication with $clientname </font>");
print $client "ok\n";
} else {
&logthis('<font color="yellow">'