[LON-CAPA-cvs] cvs: loncom / lond lonssl.pm

raeburn raeburn at source.lon-capa.org
Thu Aug 9 09:27:56 EDT 2018


raeburn		Thu Aug  9 13:27:56 2018 EDT

  Modified files:              
    /loncom	lond lonssl.pm 
  Log:
  - Compatibility with pre-2.12 LON-CAPA versions of loncnew.   
  
  
Index: loncom/lond
diff -u loncom/lond:1.545 loncom/lond:1.546
--- loncom/lond:1.545	Tue Aug  7 17:12:09 2018
+++ loncom/lond	Thu Aug  9 13:27:55 2018
@@ -2,7 +2,7 @@
 # The LearningOnline Network
 # lond "LON Daemon" Server (port "LOND" 5663)
 #
-# $Id: lond,v 1.545 2018/08/07 17:12:09 raeburn Exp $
+# $Id: lond,v 1.546 2018/08/09 13:27:55 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -65,7 +65,7 @@
 my $status='';
 my $lastlog='';
 
-my $VERSION='$Revision: 1.545 $'; #' stupid emacs
+my $VERSION='$Revision: 1.546 $'; #' stupid emacs
 my $remoteVERSION;
 my $currenthostid="default";
 my $currentdomainid;
@@ -435,7 +435,8 @@
 						$Certificate,
 						$KeyFile,
 						$clientname,
-                                                $CRLFile);
+                                                $CRLFile,
+                                                $clientversion);
     if(! ($SSLSocket) ) {	# SSL socket promotion failed.
 	my $err = lonssl::LastError();
 	&logthis("<font color=\"red\"> CRITICAL "
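Review bot: The `$clientversion` argument added to this call now decides whether the peer's certificate is verified at all, but the hunk does not show where it is set. If it is the version string the remote side announces before the TLS handshake, the peer itself chooses whether it gets authenticated, which is not a trustworthy basis for skipping verification. A comment at the call site should record the origin, along the lines of `# $clientversion: as reported by the peer before SSL promotion; selects the unverified legacy path in lonssl`. Consider also gating the legacy path on a local configuration setting or a list of known pre-2.12 hosts, rather than on the announced version alone. The enclosing function starts and ends outside the hunk.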
Index: loncom/lonssl.pm
diff -u loncom/lonssl.pm:1.17 loncom/lonssl.pm:1.18
--- loncom/lonssl.pm:1.17	Tue Aug  7 17:12:08 2018
+++ loncom/lonssl.pm	Thu Aug  9 13:27:55 2018
@@ -1,5 +1,5 @@
 #
-# $Id: lonssl.pm,v 1.17 2018/08/07 17:12:08 raeburn Exp $
+# $Id: lonssl.pm,v 1.18 2018/08/09 13:27:55 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -134,9 +134,8 @@
 	$MyCert,
 	$KeyFile,
         $peer,
-        $CRLFile)          = @_;
-    
-    
+        $CRLFile) = @_;
+
     Debug("Client promotion using key: $KeyFile, Cert: $MyCert, CA: $CACert, CRL: $CRLFile, Remote Host: $peer\n");
 
     # To create the ssl socket we need to duplicate the existing
@@ -196,6 +195,8 @@
 #               CRLFile                    Full path name to the certificate
 #                                          revocation list file for the cluster
 #                                          to which server belongs (optional)
+#               clientversion              LON-CAPA version running on remote
+#                                          client
 # Returns
 #	-	Reference to an SSL socket on success
 #       -	undef on failure.  Reason for failure can be interrogated from 
@@ -209,9 +210,8 @@
 	$MyCert,
 	$KeyFile,
         $peer,
-        $CRLFile)          = @_;
-
-
+        $CRLFile,
+        $clientversion) = @_;
 
     # To create the ssl socket we need to duplicate the existing
     # socket.  Otherwise closing the ssl socket will close the plaintext socket
@@ -229,12 +229,17 @@
                    SSL_use_cert      => 1,
                    SSL_key_file      => $KeyFile,
                    SSL_cert_file     => $MyCert,
-                   SSL_ca_file       => $CACert,
-                   SSL_verifycn_name => $peer,
-                   SSL_verify_mode   => Net::SSLeay::VERIFY_PEER()); 
-    if (($CRLFile ne '') && (-e $CRLFile)) {
-        $sslargs{SSL_check_crl} = 1;
-        $sslargs{SSL_crl_file} = $CRLFile; 
+                   SSL_ca_file       => $CACert);
+    my ($major,$minor) = split(/\./,$clientversion);
+    if (($major < 2) || ($major == 2 && $minor < 12)) {
+        $sslargs{SSL_verify_mode} = Net::SSLeay::VERIFY_NONE();
+    } else {
+        $sslargs{SSL_verifycn_name} = $peer;
+        $sslargs{SSL_verify_mode} = Net::SSLeay::VERIFY_PEER();
+        if (($CRLFile ne '') && (-e $CRLFile)) {
+            $sslargs{SSL_check_crl} = 1;
+            $sslargs{SSL_crl_file} = $CRLFile; 
+        }
     }
     my $client = IO::Socket::SSL->new_from_fd($dupfno,%sslargs);
     if(!$client) {
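Review bot: The branch that sets `VERIFY_NONE` is chosen by a numeric comparison on `$clientversion` with no check that the value parsed. An undefined, empty or non-numeric version makes `$major` compare as 0 and silently turns off certificate, hostname and CRL checking. Verification should be the default, with the downgrade taken only for a well-formed pre-2.12 version: `my ($major,$minor) = ($clientversion =~ /\A(\d+)\.(\d+)/);` followed by `if (defined($major) && (($major < 2) || ($major == 2 && $minor < 12))) {`. Logging `$peer` and `$clientversion` whenever the unverified branch is taken would let operators see which hosts still connect without validation. The function body starts and ends outside the hunk, and the `clientversion` header comment added earlier in this file should state that the parameter controls peer verification.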



