[LON-CAPA-cvs] cvs: loncom / LondConnection.pm loncnew lonssl.pm

raeburn raeburn at source.lon-capa.org
Mon Dec 10 12:34:22 EST 2018


raeburn		Mon Dec 10 17:34:22 2018 EDT

  Modified files:              
    /loncom	loncnew LondConnection.pm lonssl.pm 
  Log:
  - Verification of CN when creating SSL tunnel on multi-domain servers.
    CN is the default lonid, i.e., the one listed last for the node's hostname in
    hosts.tab and/or dns_hosts.tab.
  
  
Index: loncom/loncnew
diff -u loncom/loncnew:1.106 loncom/loncnew:1.107
--- loncom/loncnew:1.106	Thu Dec  6 13:52:28 2018
+++ loncom/loncnew	Mon Dec 10 17:34:22 2018
@@ -2,7 +2,7 @@
 # The LearningOnline Network with CAPA
 # lonc maintains the connections to remote computers
 #
-# $Id: loncnew,v 1.106 2018/12/06 13:52:28 raeburn Exp $
+# $Id: loncnew,v 1.107 2018/12/10 17:34:22 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -94,8 +94,9 @@
 #
 #  The variables below are only used by the child processes.
 #
-my $RemoteHost;			# Name of host child is talking to.
-my $RemoteHostId;		# default lonid of host child is talking to.
+my $RemoteHost;			# Hostname of host child is talking to.
+my $RemoteHostId;		# lonid of host child is talking to.
+my $RemoteDefHostId;		# default lonhostID of host child is talking to.
 my @all_host_ids;
 my $UnixSocketDir= $perlvar{'lonSockDir'};
 my $IdleConnections = Stack->new(); # Set of idle connections
@@ -1248,7 +1249,8 @@
 
     my $Connection = LondConnection->new(&GetServerHost(),
 					 &GetServerPort(),
-					 &GetHostId());
+					 &GetHostId(),
+					 &GetDefHostId());
 
     if($Connection eq undef) {
 	Log("CRITICAL","Failed to make a connection with lond.");
@@ -1549,7 +1551,7 @@
 
 =pod
 
-=head2 GetServerId
+=head2 GetHostId
 
 Returns the hostid whose lond we talk with.
 
@@ -1561,6 +1563,18 @@
 
 =pod
 
+=head2 GetDefHostId
+
+Returns the default hostid for the node whose lond we talk with.
+
+=cut
+
+sub GetDefHostId {                      # Setup by the fork.
+    return $RemoteDefHostId;
+}
+
+=pod
+
 =head2 GetServerPort
 
 Returns the lond port number.
@@ -1822,7 +1836,7 @@
 #  Create a new child for host passed in:
 
 sub CreateChild {
-    my ($host, $hostid) = @_;
+    my ($host, $hostid, $defhostid) = @_;
 
     my $sigset = POSIX::SigSet->new(SIGINT);
     sigprocmask(SIG_BLOCK, $sigset);
@@ -1837,6 +1851,7 @@
 	undef(@all_host_ids);
     } else {			# child.
 	$RemoteHostId = $hostid;
+	$RemoteDefHostId = $defhostid;
 	ShowStatus("Connected to ".$RemoteHost);
 	$SIG{INT} = 'DEFAULT';
 	sigprocmask(SIG_UNBLOCK, $sigset);
@@ -1904,7 +1919,7 @@
     (my $hostname,my $lonid, at all_host_ids) = split(':',$data);
     $ChildHost{$hostname}++;
     if ($ChildHost{$hostname} == 1) {
-	&CreateChild($hostname,$lonid);
+	&CreateChild($hostname,$lonid,$all_host_ids[-1]);
     } else {
 	&Log('WARNING',"Request for a second child on $hostname");
     }
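Review bot: `$all_host_ids[-1]` in the new CreateChild call is undef whenever the split on the line above yields only a hostname and lonid, so the child's `$RemoteDefHostId` is unset and the CN that lonssl verifies is decided by a downstream empty-string comparison rather than here. Whether the parent ever sends a record without the trailing id list cannot be told from this hunk; if it can, make the fallback explicit at the call site, `&CreateChild($hostname,$lonid,(@all_host_ids ? $all_host_ids[-1] : $lonid));`, so the intent is visible where the value originates. The enclosing sub starts outside the hunk.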
Index: loncom/LondConnection.pm
diff -u loncom/LondConnection.pm:1.58 loncom/LondConnection.pm:1.59
--- loncom/LondConnection.pm:1.58	Mon Dec  3 13:48:13 2018
+++ loncom/LondConnection.pm	Mon Dec 10 17:34:22 2018
@@ -1,7 +1,7 @@
 #   This module defines and implements a class that represents
 #   a connection to a lond daemon.
 #
-# $Id: LondConnection.pm,v 1.58 2018/12/03 13:48:13 raeburn Exp $
+# $Id: LondConnection.pm,v 1.59 2018/12/10 17:34:22 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -165,16 +165,24 @@
 
  port number the remote lond is listening on.
 
+=item lonid
+
+ lonid of the remote lond is listening on.
+
+=item deflonid
+
+ default lonhostID of the remote lond is listening on.
+
 =cut
 
 sub new {
-    my ($class, $DnsName, $Port, $lonid) = @_;
+    my ($class, $DnsName, $Port, $lonid, $deflonid) = @_;
 
     if (!$ConfigRead) {
 	ReadConfig();
 	$ConfigRead = 1;
     }
-    &Debug(4,$class."::new( ".$DnsName.",".$Port.",".$lonid.")\n");
+    &Debug(4,$class."::new( ".$DnsName.",".$Port.",".$lonid.",".$deflonid.")\n");
 
     my ($conntype,$gotconninfo,$allowinsecure);
     if ((ref($secureconf{'connto'}) eq 'HASH') &&
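Review bot: The two new POD items read oddly — `lonid of the remote lond is listening on.` and `default lonhostID of the remote lond is listening on.`; suggest `lonid of the remote lond.` and `default lonhostID (the id listed last for its hostname) of the node the remote lond runs on.`. Separately, `new` now concatenates `$deflonid` into the Debug string, so a caller still passing three arguments produces an uninitialized-value warning under `use warnings`; whether any such caller exists elsewhere in the tree is not visible here. new's body continues past the hunk.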
@@ -203,6 +211,7 @@
     # Now create the object...
     my $self     = { Host               => $DnsName,
                      LoncapaHim         => $lonid,
+                     LoncapaDefid       => $deflonid,
                      Port               => $Port,
                      State              => "Initialized",
 		     AuthenticationMode => "",
@@ -1057,6 +1066,7 @@
     my $self   = shift;
     my $socket = $self->{Socket};
     my $peer = $self->{LoncapaHim};
+    my $peerdef = $self->{LoncapaDefid};
 
     #  Get our signed certificate, the certificate authority's 
     #  certificate and our private key file.  All of these
@@ -1066,9 +1076,9 @@
 	$SSLCertificate) = lonssl::CertificateFile();
     my $SSLKey             = lonssl::KeyFile();
     my $CRLFile;
-    unless ($crlchecked{$peer}) {
+    unless ($crlchecked{$peerdef}) {
         $CRLFile = lonssl::CRLFile();
-        $crlchecked{$peer} = 1;
+        $crlchecked{$peerdef} = 1;
     }
     #  Promote our connection to ssl and read the key from lond.
 
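Review bot: `%crlchecked` is now keyed by `$peerdef`, so when no default id was supplied (undef or empty) every such peer shares the `''` entry and `lonssl::CRLFile()` is fetched only for the first of them, a collapse the previous `$peer` key did not have. Guard it with a fallback, e.g. `my $crlkey = (defined($peerdef) && $peerdef ne '') ? $peerdef : $peer;` and use `$crlchecked{$crlkey}` in both places. Whether any caller of this module omits the default id cannot be told from the hunk. The enclosing method starts before the hunk and continues after it.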
@@ -1077,6 +1087,7 @@
 						$SSLCertificate,
 						$SSLKey,
                                                 $peer,
+                                                $peerdef, 
                                                 $CRLFile);
     if(defined $SSLSocket) {
 	my $key  = <$SSLSocket>;
Index: loncom/lonssl.pm
diff -u loncom/lonssl.pm:1.20 loncom/lonssl.pm:1.21
--- loncom/lonssl.pm:1.20	Mon Dec  3 03:40:39 2018
+++ loncom/lonssl.pm	Mon Dec 10 17:34:22 2018
@@ -1,5 +1,5 @@
 #
-# $Id: lonssl.pm,v 1.20 2018/12/03 03:40:39 raeburn Exp $
+# $Id: lonssl.pm,v 1.21 2018/12/10 17:34:22 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -112,11 +112,12 @@
 #               Socket	IO::Socket::INET   Original ordinary socket.
 #               CACert	string	           Full path name to the certificate 
 #                                          authority certificate file.
-#                MyCert	string	           Full path name to the certificate 
+#               MyCert	string	           Full path name to the certificate 
 #                                          issued to this host.
-#                KeyFile string    	   Full pathname to the host's private 
+#               KeyFile string    	   Full pathname to the host's private 
 #                                          key file for the certificate.
-#               peer    string             lonHostID of remote LON-CAPA server
+#               peer    string             lonid of remote LON-CAPA server
+#               peerdef string             default lonHostID of remote server
 #               CRLFile                    Full path name to the certificate
 #                                          revocation list file for the cluster
 #                                          to which server belongs (optional)
@@ -134,6 +135,7 @@
 	$MyCert,
 	$KeyFile,
         $peer,
+        $peerdef,
         $CRLFile) = @_;
 
     Debug("Client promotion using key: $KeyFile, Cert: $MyCert, CA: $CACert, CRL: $CRLFile, Remote Host: $peer\n");
@@ -158,12 +160,17 @@
     # Set SSL_verify_mode to Net::SSLeay::VERIFY_PEER() instead of to
     # SSL_VERIFY_PEER for compatibility with IO::Socket::SSL rev. 1.01
     # used by CentOS/RHEL/Scientific Linux 5).
-    
+
+    my $verify_cn = $peerdef;
+    if ($verify_cn eq '') {
+        $verify_cn = $peer;
+    }
+
     my %sslargs = (SSL_use_cert      => 1,
                    SSL_key_file      => $KeyFile,
                    SSL_cert_file     => $MyCert,
                    SSL_ca_file       => $CACert,
-                   SSL_verifycn_name => $peer,
+                   SSL_verifycn_name => $verify_cn,
                    SSL_verify_mode   => Net::SSLeay::VERIFY_PEER());
     if (($CRLFile ne '') && (-e $CRLFile)) {
         $sslargs{SSL_check_crl} = 1;
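Review bot: `if ($verify_cn eq '')` does not cover an undef `$peerdef` (a caller still passing the old argument list), which warns under `use warnings` before falling through to `$peer`; write it as `if (!defined($verify_cn) || $verify_cn eq '')`. The Debug line earlier in this sub (`Remote Host: $peer`) records neither `$peerdef` nor the name finally chosen, so a CN-mismatch failure against a multi-domain peer is hard to diagnose from the log — consider `Debug("Verifying peer certificate CN against $verify_cn\n");` right after the fallback. It is also worth confirming that the installed IO::Socket::SSL enforces `SSL_verifycn_name` under its default `SSL_verifycn_scheme`; older releases reportedly skipped the name check unless a scheme was given, in which case an explicit `SSL_verifycn_scheme` entry in `%sslargs` is needed for the verification this commit introduces to take effect. The enclosing sub starts outside the hunk.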



