[LON-CAPA-cvs] cvs: loncom / LondConnection.pm lond

foxr lon-capa-cvs@mail.lon-capa.org
Thu, 17 Jun 2004 11:02:26 -0000 

foxr		Thu Jun 17 07:02:26 2004 EDT

  Modified files:              
    /loncom	LondConnection.pm lond 
  Log:
  If the certificate files or host key are missing, than
  switch to insecure authentication if allowed.  The idea
  is this: After an upgrade to lond/lond ssl, you won't in general
  have your signed host certificate yet.  We want to support uninterrupted
  service until your certs are granted, so although the software is ssl
  capable, it must, in the interim, do insecure authentication, if permitted 
  by the administrators.
  
  One case not handled, and left not handled: if the lonCerts directory does not
  exist the init:local key exchange cannot work.  This case can be ignored because
  that diretory will be created as part of the update/upgrade.  If it does not exist
  it's a sign of some other serious problem that ought to be fixed IMHO.
  
  
  
  
Index: loncom/LondConnection.pm
diff -u loncom/LondConnection.pm:1.32 loncom/LondConnection.pm:1.33
--- loncom/LondConnection.pm:1.32	Thu Jun 17 06:15:46 2004
+++ loncom/LondConnection.pm	Thu Jun 17 07:02:25 2004
@@ -1,7 +1,7 @@
 #   This module defines and implements a class that represents
 #   a connection to a lond daemon.
 #
-# $Id: LondConnection.pm,v 1.32 2004/06/17 10:15:46 foxr Exp $
+# $Id: LondConnection.pm,v 1.33 2004/06/17 11:02:25 foxr Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -259,8 +259,8 @@
 	return undef;		# Inidicates the socket could not be made.
     }
     my $socket = $self->{Socket}; # For local use only.
-    #  If we are local, we'll first try local auth mode, otherwise, we'll try the 
-    #  ssl auth mode:
+    #  If we are local, we'll first try local auth mode, otherwise, we'll try
+    #  the ssl auth mode:
 
     Debug(8, "Connecting to $DnsName I am $LocalDns");
     my $key;
@@ -290,10 +290,29 @@
 	    return undef;
 	}
 
-    } 
+    }
     else {
-	$self->{AuthenticationMode} = "ssl";
-	$self->{TransactionRequest} = "init:ssl\n";
+	#  Remote peer:  I'd like to do ssl, but if my host key or certificates
+	#  are not all installed, my only choice is insecure, if that's 
+	#  allowed:
+
+	my ($ca, $cert) = lonssl::CertificateFile;
+	my $sslkeyfile  = lonssl::KeyFile;
+
+	if((defined $ca)  && (defined $cert) && (defined $sslkeyfile)) {
+
+	    $self->{AuthenticationMode} = "ssl";
+	    $self->{TransactionRequest} = "init:ssl\n";
+	} else {
+	    if($InsecureOk) {		# Allowed to do insecure:
+		$self->{AuthenticationMode} = "insecure";
+		$self->{TransactionRequest} = "init\n";
+	    }
+	    else {		# Not allowed to do insecure...
+		$socket->close;
+		return undef;
+	    }
+	}
     }
 
     #
Index: loncom/lond
diff -u loncom/lond:1.195 loncom/lond:1.196
--- loncom/lond:1.195	Thu Jun 17 06:15:46 2004
+++ loncom/lond	Thu Jun 17 07:02:25 2004
@@ -2,7 +2,7 @@
 # The LearningOnline Network
 # lond "LON Daemon" Server (port "LOND" 5663)
 #
-# $Id: lond,v 1.195 2004/06/17 10:15:46 foxr Exp $
+# $Id: lond,v 1.196 2004/06/17 11:02:25 foxr Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -51,12 +51,12 @@
 use LONCAPA::lonlocal;
 use LONCAPA::lonssl;
 
-my $DEBUG = 0;		       # Non zero to enable debug log entries.
+my $DEBUG = 11;		       # Non zero to enable debug log entries.
 
 my $status='';
 my $lastlog='';
 
-my $VERSION='$Revision: 1.195 $'; #' stupid emacs
+my $VERSION='$Revision: 1.196 $'; #' stupid emacs
 my $remoteVERSION;
 my $currenthostid;
 my $currentdomainid;
@@ -1527,6 +1527,25 @@
 		#  If the remote is attempting a local init... give that a try:
 		#
 		my ($i, $inittype) = split(/:/, $remotereq);
+
+		# If the connection type is ssl, but I didn't get my
+		# certificate files yet, then I'll drop  back to 
+		# insecure (if allowed).
+		
+		if($inittype eq "ssl") {
+		    my ($ca, $cert) = lonssl::CertificateFile;
+		    my $kfile       = lonssl::KeyFile;
+		    if((!$ca)   || 
+		       (!$cert) || 
+		       (!$kfile)) {
+			$inittype = ""; # This forces insecure attempt.
+			&logthis("<font color=\"blue\"> Certificates not "
+				 ."installed -- trying insecure auth</font>");
+		    }
+		    else {	# SSL certificates are in place so
+		    }		# Leave the inittype alone.
+		}
+
 		if($inittype eq "local") {
 		    my $key = LocalConnection($client, $remotereq);
 		    if($key) {
@@ -1550,7 +1569,7 @@
 			my $cipherkey = pack("H32", $key);
 			$cipher       = new IDEA($cipherkey);
 			&logthis('<font color="green">'
-				 ."Successfull ssl authentication </font>");
+				 ."Successfull ssl authentication with $clientname </font>");
 	     
 		    } else {
 			$clientok = 0;
@@ -1562,7 +1581,7 @@
 		    if($ok) {
 			$clientok = 1;
 			&logthis('<font color="green">'
-				 ."Successful insecure authentication </font>");
+				 ."Successful insecure authentication with $clientname </font>");
 			print $client "ok\n";
 		    } else {
 			&logthis('<font color="yellow">'