[LON-CAPA-cvs] cvs: loncom / LondConnection.pm loncnew lonssl.pm
raeburn
raeburn at source.lon-capa.org
Thu Dec 13 21:05:38 EST 2018
raeburn Fri Dec 14 02:05:38 2018 EDT
Modified files:
/loncom loncnew lonssl.pm LondConnection.pm
Log:
- Include verification of common name when creating SSL tunnel unless
connecting to/from pre-2.12 node.
- $IO::Socket::SSL::DEBUG is set to current $DEBUG value so debugging
from IO/Socket/SSL.pm is written to lond_errors or lonc_errors.
Index: loncom/loncnew
diff -u loncom/loncnew:1.107 loncom/loncnew:1.108
--- loncom/loncnew:1.107 Mon Dec 10 17:34:22 2018
+++ loncom/loncnew Fri Dec 14 02:05:38 2018
@@ -2,7 +2,7 @@
# The LearningOnline Network with CAPA
# lonc maintains the connections to remote computers
#
-# $Id: loncnew,v 1.107 2018/12/10 17:34:22 raeburn Exp $
+# $Id: loncnew,v 1.108 2018/12/14 02:05:38 raeburn Exp $
#
# Copyright Michigan State University Board of Trustees
#
@@ -97,6 +97,7 @@
my $RemoteHost; # Hostname of host child is talking to.
my $RemoteHostId; # lonid of host child is talking to.
my $RemoteDefHostId; # default lonhostID of host child is talking to.
+my $RemoteLoncapaRev; # LON-CAPA version of host child is talking to.
my @all_host_ids;
my $UnixSocketDir= $perlvar{'lonSockDir'};
my $IdleConnections = Stack->new(); # Set of idle connections
@@ -671,7 +672,6 @@
=item client
The LondTransaction we are failing.
-
=cut
@@ -1250,7 +1250,8 @@
my $Connection = LondConnection->new(&GetServerHost(),
&GetServerPort(),
&GetHostId(),
- &GetDefHostId());
+ &GetDefHostId(),
+ &GetLoncapaRev());
if($Connection eq undef) {
Log("CRITICAL","Failed to make a connection with lond.");
@@ -1575,6 +1576,18 @@
=pod
+=head2 GetLoncapaRev
+
+Returns the LON-CAPA version for the node whose lond we talk with.
+
+=cut
+
+sub GetLoncapaRev {
+ return $RemoteLoncapaRev; # Setup by the fork.
+}
+
+=pod
+
=head2 GetServerPort
Returns the lond port number.
@@ -1836,7 +1849,7 @@
# Create a new child for host passed in:
sub CreateChild {
- my ($host, $hostid, $defhostid) = @_;
+ my ($host, $hostid, $defhostid, $loncaparev) = @_;
my $sigset = POSIX::SigSet->new(SIGINT);
sigprocmask(SIG_BLOCK, $sigset);
@@ -1852,6 +1865,7 @@
} else { # child.
$RemoteHostId = $hostid;
$RemoteDefHostId = $defhostid;
+ $RemoteLoncapaRev = $loncaparev;
ShowStatus("Connected to ".$RemoteHost);
$SIG{INT} = 'DEFAULT';
sigprocmask(SIG_UNBLOCK, $sigset);
Index: loncom/lonssl.pm
diff -u loncom/lonssl.pm:1.23 loncom/lonssl.pm:1.24
--- loncom/lonssl.pm:1.23 Tue Dec 11 15:15:26 2018
+++ loncom/lonssl.pm Fri Dec 14 02:05:38 2018
@@ -1,5 +1,5 @@
#
-# $Id: lonssl.pm,v 1.23 2018/12/11 15:15:26 raeburn Exp $
+# $Id: lonssl.pm,v 1.24 2018/12/14 02:05:38 raeburn Exp $
#
# Copyright Michigan State University Board of Trustees
#
@@ -121,6 +121,8 @@
# CRLFile Full path name to the certificate
# revocation list file for the cluster
# to which server belongs (optional)
+# serverversion LON-CAPA version running on remote
+# server.
# Returns
# - Reference to an SSL socket on success
@@ -136,9 +138,10 @@
$KeyFile,
$peer,
$peerdef,
- $CRLFile) = @_;
+ $CRLFile,
+ $serverversion) = @_;
- Debug("Client promotion using key: $KeyFile, Cert: $MyCert, CA: $CACert, CRL: $CRLFile, Remote Host: $peer, RemoteDefHost: $peerdef\n");
+ Debug("Client promotion using key: $KeyFile, Cert: $MyCert, CA: $CACert, CRL: $CRLFile, Remote Host: $peer, RemoteDefHost: $peerdef, RemoteLCVersion: $serverversion\n");
# To create the ssl socket we need to duplicate the existing
# socket. Otherwise closing the ssl socket will close the plaintext socket
@@ -169,14 +172,24 @@
my %sslargs = (SSL_use_cert => 1,
SSL_key_file => $KeyFile,
SSL_cert_file => $MyCert,
- SSL_ca_file => $CACert,
- SSL_verifycn_name => $verify_cn,
- SSL_verify_mode => Net::SSLeay::VERIFY_PEER());
- if (($CRLFile ne '') && (-e $CRLFile)) {
- $sslargs{SSL_check_crl} = 1;
- $sslargs{SSL_crl_file} = $CRLFile;
+ SSL_ca_file => $CACert);
+ my ($major,$minor) = split(/\./,$serverversion);
+ if (($major < 2) || ($major == 2 && $minor < 12)) {
+ $sslargs{SSL_verify_mode} = Net::SSLeay::VERIFY_NONE();
+ } else {
+ $sslargs{SSL_verifycn_scheme} = 'http',
+ $sslargs{SSL_verifycn_name} = $verify_cn,
+ $sslargs{SSL_verify_mode} = Net::SSLeay::VERIFY_PEER();
+ if (($CRLFile ne '') && (-e $CRLFile)) {
+ $sslargs{SSL_check_crl} = 1;
+ $sslargs{SSL_crl_file} = $CRLFile;
+ }
}
+# Uncomment next two $IO::Socket::SSL::DEBUG lines, for debugging
+# $IO::Socket::SSL::DEBUG = 0; # Set to integer >0 and <4
+# # to write debugging to lonc_errors
my $client = IO::Socket::SSL->new_from_fd($dupfno,%sslargs);
+# $IO::Socket::SSL::DEBUG = 0; # Do not change
if(!$client) {
if ($IO::Socket::SSL::SSL_ERROR == -1) {
$lasterror = -1;
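Review bot: The version test introduced by `my ($major,$minor) = split(/\./,$serverversion);` fails open: when `$serverversion` is undef or empty (a caller that omits the new argument, or a host whose version is not known), `$major` is undef, `$major < 2` is true, and the socket is built with `SSL_verify_mode => VERIFY_NONE`, so an unknown peer gets no certificate check at all. The removed lines used VERIFY_PEER unconditionally, so the pre-2.12 branch also drops chain verification rather than only the common-name check the log entry describes; if chain verification should survive for old peers, keep VERIFY_PEER in that branch and set `SSL_verifycn_scheme => 'none'` instead of switching to VERIFY_NONE. A minimal fix for the undef case is to parse explicitly and default to the strict branch: `my $is_pre_212 = ($serverversion =~ /^(\d+)\.(\d+)/) && ($1 < 2 || ($1 == 2 && $2 < 12));` followed by `if ($is_pre_212) {`. The assignments `$sslargs{SSL_verifycn_scheme} = 'http',` and `$sslargs{SSL_verifycn_name} = $verify_cn,` end in commas rather than semicolons, which runs as a single comma expression and should be `;`-terminated. The identical `($major < 2) || ($major == 2 && $minor < 12)` test appears as context in the server-side hunk below (`@@ -241,6 +254,7 @@`) and presumably has the same fail-open; the enclosing sub begins before this hunk.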
@@ -241,6 +254,7 @@
if (($major < 2) || ($major == 2 && $minor < 12)) {
$sslargs{SSL_verify_mode} = Net::SSLeay::VERIFY_NONE();
} else {
+ $sslargs{SSL_verifycn_scheme} = 'http';
$sslargs{SSL_verifycn_name} = $peer;
$sslargs{SSL_verify_mode} = Net::SSLeay::VERIFY_PEER();
if (($CRLFile ne '') && (-e $CRLFile)) {
@@ -248,7 +262,11 @@
$sslargs{SSL_crl_file} = $CRLFile;
}
}
+# Uncomment next two $IO::Socket::SSL::DEBUG lines, for debugging
+# $IO::Socket::SSL::DEBUG = 0; # Set to integer >0 and <4
+# # to write debugging to lond_errors
my $client = IO::Socket::SSL->new_from_fd($dupfno,%sslargs);
+# $IO::Socket::SSL::DEBUG = 0; # Do not change
if(!$client) {
if ($IO::Socket::SSL::SSL_ERROR == -1) {
$lasterror = -1;
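Review bot: The commented-out `$IO::Socket::SSL::DEBUG` lines added around `new_from_fd` here and in the client-side hunk above do not match the log entry, which says `$IO::Socket::SSL::DEBUG` is set to the current `$DEBUG` value; as committed nothing assigns it, so IO::Socket::SSL diagnostics never reach lond_errors or lonc_errors. If the assignment was intended and a `$DEBUG` exists in this module as the log entry implies, `local $IO::Socket::SSL::DEBUG = $DEBUG;` immediately before the `new_from_fd` call scopes it to this promotion and makes the trailing reset unnecessary. If the opt-in comment form is deliberate, the trailing `# $IO::Socket::SSL::DEBUG = 0; # Do not change` line should be reworded, since a comment that reads like a reset of live state is misleading; something like `# Reset $IO::Socket::SSL::DEBUG to 0 here after debugging so SSL internals are not logged in production` states the intent.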
Index: loncom/LondConnection.pm
diff -u loncom/LondConnection.pm:1.61 loncom/LondConnection.pm:1.62
--- loncom/LondConnection.pm:1.61 Tue Dec 11 20:51:08 2018
+++ loncom/LondConnection.pm Fri Dec 14 02:05:38 2018
@@ -1,7 +1,7 @@
# This module defines and implements a class that represents
# a connection to a lond daemon.
#
-# $Id: LondConnection.pm,v 1.61 2018/12/11 20:51:08 raeburn Exp $
+# $Id: LondConnection.pm,v 1.62 2018/12/14 02:05:38 raeburn Exp $
#
# Copyright Michigan State University Board of Trustees
#
@@ -176,13 +176,13 @@
=cut
sub new {
- my ($class, $DnsName, $Port, $lonid, $deflonid) = @_;
+ my ($class, $DnsName, $Port, $lonid, $deflonid, $loncaparev) = @_;
if (!$ConfigRead) {
ReadConfig();
$ConfigRead = 1;
}
- &Debug(4,$class."::new( ".$DnsName.",".$Port.",".$lonid.",".$deflonid.")\n");
+ &Debug(4,$class."::new( ".$DnsName.",".$Port.",".$lonid.",".$deflonid.",".$loncaparev.")\n");
my ($conntype,$gotconninfo,$allowinsecure);
if ((ref($secureconf{'connto'}) eq 'HASH') &&
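Review bot: `new` gains a sixth argument `$loncaparev` but the POD that ends at the `=cut` just above the sub (it starts before this hunk) is not updated in this commit, and a caller that still passes five arguments silently stores undef in `LoncapaRev`, which is then handed to the SSL promotion in lonssl.pm where an undefined version selects the unverified branch. Suggest an `=item loncaparev` entry such as `LON-CAPA version string (major.minor) of the remote node, as returned by loncnew's GetLoncapaRev; it selects the SSL peer-verification mode used when the connection is promoted, so it should not be omitted`. The Debug line `&Debug(4,$class."::new( ".$DnsName.",".$Port.",".$lonid.",".$deflonid.",".$loncaparev.")\n");` also warns about an uninitialized value under `use warnings` when the argument is missing, which is a cheap early signal worth keeping rather than masking.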
@@ -212,6 +212,7 @@
my $self = { Host => $DnsName,
LoncapaHim => $lonid,
LoncapaDefid => $deflonid,
+ LoncapaRev => $loncaparev,
Port => $Port,
State => "Initialized",
AuthenticationMode => "",
@@ -1068,6 +1069,7 @@
my $socket = $self->{Socket};
my $peer = $self->{LoncapaHim};
my $peerdef = $self->{LoncapaDefid};
+ my $loncaparev = $self->{LoncapaRev};
# Get our signed certificate, the certificate authority's
# certificate and our private key file. All of these
@@ -1089,7 +1091,8 @@
$SSLKey,
$peer,
$peerdef,
- $CRLFile);
+ $CRLFile,
+ $loncaparev);
if(defined $SSLSocket) {
my $key = <$SSLSocket>;
lonssl::Close($SSLSocket);