From e51df7a73141c4d378d12e4a3ade12776e48ebff Mon Sep 17 00:00:00 2001
From: Marek 'marx' Grac <mgrac@redhat.com>
Date: Wed, 5 Mar 2014 12:49:17 +0100
Subject: [PATCH] fencing: Add new options --ssl-secure and --ssl-insecure
These new options extends current --ssl (same as --ssl-secure). Until now certificate of the fence device
was not validated, which could allow an attacker to impersonate the fence device (man-in-the-middle) and so attack the infrastructure. With this patch, the user can decide
if certificate should (--ssl-secure) or should not (--ssl-insecure) be verified.
---
fence/agents/cisco_ucs/fence_cisco_ucs.py | 10 ++++++-
fence/agents/lib/fencing.py.py | 29 ++++++++++++++++++---
fence/agents/rhevm/fence_rhevm.py | 11 ++++++--
4 files changed, 70 insertions(+), 14 deletions(-)
diff --git a/fence/agents/cisco_ucs/fence_cisco_ucs.py b/fence/agents/cisco_ucs/fence_cisco_ucs.py
|
|
|
182b9e |
index 71782cb..1e9d983 100644
|
|
|
182b9e |
--- a/fence/agents/cisco_ucs/fence_cisco_ucs.py
|
|
|
182b9e |
+++ b/fence/agents/cisco_ucs/fence_cisco_ucs.py
|
|
|
182b9e |
@@ -85,8 +85,14 @@ def send_command(opt, command, timeout):
|
|
|
182b9e |
c.setopt(pycurl.POSTFIELDS, command)
|
|
|
182b9e |
c.setopt(pycurl.WRITEFUNCTION, b.write)
|
|
|
182b9e |
c.setopt(pycurl.TIMEOUT, timeout)
|
|
|
182b9e |
- c.setopt(pycurl.SSL_VERIFYPEER, 0)
|
|
|
182b9e |
- c.setopt(pycurl.SSL_VERIFYHOST, 0)
|
|
|
182b9e |
+ if opt.has_key("--ssl") or opt.has_key("--ssl-secure"):
|
|
|
182b9e |
+ c.setopt(pycurl.SSL_VERIFYPEER, 1)
|
|
|
182b9e |
+ c.setopt(pycurl.SSL_VERIFYHOST, 2)
|
|
|
182b9e |
+
|
|
|
182b9e |
+ if opt.has_key("--ssl-insecure"):
|
|
|
182b9e |
+ c.setopt(pycurl.SSL_VERIFYPEER, 0)
|
|
|
182b9e |
+ c.setopt(pycurl.SSL_VERIFYHOST, 0)
|
|
|
182b9e |
+
|
|
|
182b9e |
c.perform()
|
|
|
182b9e |
result = b.getvalue()
|
|
|
182b9e |
|
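Review bot: When `--ssl-insecure` is passed together with `--ssl` or `--ssl-secure`, the second `if` silently wins and verification is switched off, because the insecure branch runs after the verifying one and nothing checks for the contradiction. A security switch should not fail open on conflicting input: reject the combination during option validation in fencing.py, or at minimum make the second test `elif opt.has_key("--ssl-insecure"):` so a trailing flag cannot override the verifying setting. With verification on, libcurl consults only the system CA bundle and no `pycurl.CAINFO` is set, so a UCS manager with a self-signed certificate cannot be trusted without dropping back to `--ssl-insecure`; exposing a CA-file option would close that gap. send_command begins before this hunk.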
|
|
182b9e |
diff --git a/fence/agents/lib/fencing.py.py b/fence/agents/lib/fencing.py.py
|
|
|
182b9e |
index 2006f0d..e40cbb2 100644
|
|
|
182b9e |
--- a/fence/agents/lib/fencing.py.py
|
|
|
182b9e |
+++ b/fence/agents/lib/fencing.py.py
|
|
|
182b9e |
@@ -170,6 +170,20 @@ all_opt = {
|
|
|
182b9e |
"required" : "0",
|
|
|
182b9e |
"shortdesc" : "SSL connection",
|
|
|
182b9e |
"order" : 1 },
|
|
|
182b9e |
+ "ssl_insecure" : {
|
|
|
182b9e |
+ "getopt" : "9",
|
|
|
182b9e |
+ "longopt" : "ssl-insecure",
|
|
|
182b9e |
+ "help" : "--ssl-insecure Use ssl connection without verifying certificate",
|
|
|
182b9e |
+ "required" : "0",
|
|
|
182b9e |
+ "shortdesc" : "SSL connection without verifying fence device's certificate",
|
|
|
182b9e |
+ "order" : 1 },
|
|
|
182b9e |
+ "ssl_secure" : {
|
|
|
182b9e |
+ "getopt" : "9",
|
|
|
182b9e |
+ "longopt" : "ssl-secure",
|
|
|
182b9e |
+ "help" : "--ssl-secure Use ssl connection with verifying certificate",
|
|
|
182b9e |
+ "required" : "0",
|
|
|
182b9e |
+ "shortdesc" : "SSL connection with verifying fence device's certificate",
|
|
|
182b9e |
+ "order" : 1 },
|
|
|
182b9e |
"notls" : {
|
|
|
182b9e |
"getopt" : "t",
|
|
|
182b9e |
"longopt" : "notls",
|
|
|
182b9e |
@@ -370,6 +384,7 @@ DEPENDENCY_OPT = {
|
|
|
182b9e |
"secure" : [ "identity_file", "ssh_options" ],
|
|
|
182b9e |
"ipaddr" : [ "ipport", "inet4_only", "inet6_only" ],
|
|
|
182b9e |
"port" : [ "separator" ],
|
|
|
182b9e |
+ "ssl" : [ "ssl_secure", "ssl_insecure" ],
|
|
|
182b9e |
"community" : [ "snmp_auth_prot", "snmp_sec_level", "snmp_priv_prot", \
|
|
|
182b9e |
"snmp_priv_passwd", "snmp_priv_passwd_script" ]
|
|
|
182b9e |
}
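Review bot: Making `ssl_secure` and `ssl_insecure` dependents of `ssl` means every agent that declares `ssl` now accepts both flags, but only the agents touched in this patch actually read them; an agent that builds its own TLS connection would accept `--ssl-secure` and still not verify, which is worse than rejecting the flag outright. I cannot see the other agents from here, and the diffstat says four files changed while listing three, so this may already be covered, but it is worth confirming that each `ssl`-capable agent either honours the flag or fails on it.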
|
|
|
182b9e |
@@ -645,7 +660,7 @@ def check_input(device_opt, opt):
|
|
|
182b9e |
elif options.has_key("--ssh"):
|
|
|
182b9e |
all_opt["ipport"]["default"] = 22
|
|
|
182b9e |
all_opt["ipport"]["help"] = "-u, --ipport=[port] TCP/UDP port to use (default 22)"
|
|
|
182b9e |
- elif options.has_key("--ssl"):
|
|
|
182b9e |
+ elif options.has_key("--ssl") or options.has_key("--ssl-secure") or options.has_key("--ssl-insecure"):
|
|
|
182b9e |
all_opt["ipport"]["default"] = 443
|
|
|
182b9e |
all_opt["ipport"]["help"] = "-u, --ipport=[port] TCP/UDP port to use (default 443)"
|
|
|
182b9e |
elif device_opt.count("web"):
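Review bot: `check_input` now recognises `--ssl-secure` and `--ssl-insecure` but never rejects the two being passed together, so each agent decides the outcome by branch order. This is the place to validate it once for every agent: before this `elif` chain, test `options.has_key("--ssl-insecure") and (options.has_key("--ssl") or options.has_key("--ssl-secure"))` and report a usage error through whatever helper the library uses for that (I cannot see it in this hunk). `check_input` begins and ends outside this hunk.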
|
|
|
182b9e |
@@ -738,7 +753,7 @@ def check_input(device_opt, opt):
|
|
|
182b9e |
if options.has_key("--ipport") == False:
|
|
|
182b9e |
if options.has_key("--ssh"):
|
|
|
182b9e |
options["--ipport"] = 22
|
|
|
182b9e |
- elif options.has_key("--ssl"):
|
|
|
182b9e |
+ elif options.has_key("--ssl") or options.has_key("--ssl-secure") or options.has_key("--ssl-insecure"):
|
|
|
182b9e |
options["--ipport"] = 443
|
|
|
182b9e |
elif device_opt.count("web"):
|
|
|
182b9e |
options["--ipport"] = 80
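Review bot: The three-way `has_key` test on `--ssl`/`--ssl-secure`/`--ssl-insecure` is now written out in three places in this patch, which is how the variants drift apart the next time an option is added. A small helper such as `def _uses_ssl(options): return any(options.has_key(k) for k in ("--ssl", "--ssl-secure", "--ssl-insecure"))` would let both `check_input` sites and the agents share one definition. `check_input` continues outside this hunk.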
|
|
|
182b9e |
@@ -968,11 +983,17 @@ def fence_login(options, re_login_string = "(login\s*: )|(Login Name: )|(userna
|
|
|
182b9e |
re_pass = re.compile("(password)|(pass phrase)", re.IGNORECASE)
|
|
|
182b9e |
|
|
|
182b9e |
if options.has_key("--ssl"):
|
|
|
182b9e |
- gnutls_opts=""
|
|
|
182b9e |
+ gnutls_opts = ""
|
|
|
182b9e |
+ ssl_opts = ""
|
|
|
182b9e |
+
|
|
|
182b9e |
if options.has_key("--notls"):
|
|
|
182b9e |
gnutls_opts = "--priority \"NORMAL:-VERS-TLS1.2:-VERS-TLS1.1:-VERS-TLS1.0:+VERS-SSL3.0\""
|
|
|
182b9e |
|
|
|
182b9e |
- command = '%s %s --insecure --crlf -p %s %s' % (SSL_PATH, gnutls_opts, options["--ipport"], options["--ip"])
|
|
|
182b9e |
+ # --ssl is same as the --ssl-secure
|
|
|
182b9e |
+ if options.has_key("--ssl-insecure"):
|
|
|
182b9e |
+ ssl_opts = "--insecure"
|
|
|
182b9e |
+
|
|
|
182b9e |
+ command = '%s %s %s --crlf -p %s %s' % (SSL_PATH, gnutls_opts, ssl_opts, options["--ipport"], options["--ip"])
|
|
|
182b9e |
try:
|
|
|
182b9e |
conn = fspawn(options, command)
|
|
|
182b9e |
except pexpect.ExceptionPexpect, ex:
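Review bot: With `--ssl`/`--ssl-secure` the `--insecure` flag is dropped from the gnutls-cli command, but no `--x509cafile` is passed and the peer is `options["--ip"]`, so gnutls-cli will, as I understand it, verify against the system trust store only and check the certificate name against whatever was given as `--ip`; a fence device with a self-signed certificate, or one addressed by IP while its certificate carries a DNS name, will now fail to connect where it previously worked. That is the intended tightening, but every existing configuration using plain `--ssl` changes behaviour on upgrade, and a failed handshake here is a failed fence, so the `--ssl` help text should say so and a CA-file option (`--x509cafile` in gnutls-cli terms) is needed to make the secure mode usable with typical device certificates. I also cannot see how a verification failure surfaces to the operator — presumably the expect login below just times out rather than naming the certificate problem. fence_login continues outside this hunk.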
|
|
|
182b9e |
diff --git a/fence/agents/rhevm/fence_rhevm.py b/fence/agents/rhevm/fence_rhevm.py
|
|
|
182b9e |
index ff3d19f..6098071 100644
|
|
|
182b9e |
--- a/fence/agents/rhevm/fence_rhevm.py
|
|
|
182b9e |
+++ b/fence/agents/rhevm/fence_rhevm.py
|
|
|
182b9e |
@@ -84,9 +84,14 @@ def send_command(opt, command, method = "GET"):
|
|
|
182b9e |
c.setopt(pycurl.HTTPAUTH, pycurl.HTTPAUTH_BASIC)
|
|
|
182b9e |
c.setopt(pycurl.USERPWD, opt["--username"] + ":" + opt["--password"])
|
|
|
182b9e |
c.setopt(pycurl.TIMEOUT, int(opt["--shell-timeout"]))
|
|
|
182b9e |
- c.setopt(pycurl.SSL_VERIFYPEER, 0)
|
|
|
182b9e |
- c.setopt(pycurl.SSL_VERIFYHOST, 0)
|
|
|
182b9e |
-
|
|
|
182b9e |
+ if opt.has_key("--ssl") or opt.has_key("--ssl-secure"):
|
|
|
182b9e |
+ c.setopt(pycurl.SSL_VERIFYPEER, 1)
|
|
|
182b9e |
+ c.setopt(pycurl.SSL_VERIFYHOST, 2)
|
|
|
182b9e |
+
|
|
|
182b9e |
+ if opt.has_key("--ssl-insecure"):
|
|
|
182b9e |
+ c.setopt(pycurl.SSL_VERIFYPEER, 0)
|
|
|
182b9e |
+ c.setopt(pycurl.SSL_VERIFYHOST, 0)
|
|
|
182b9e |
+
|
|
|
182b9e |
if (method == "POST"):
|
|
|
182b9e |
c.setopt(pycurl.POSTFIELDS, "<action />")
|
|
|
182b9e |
|
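Review bot: This block is identical to the one added to fence_cisco_ucs.py, and the two `if`s again let `--ssl-insecure` override `--ssl-secure` purely by order; a shared helper in fencing.py taking the pycurl handle and `opt` would keep the policy in one place and make the conflict handling consistent. Note also that the Basic-auth credentials set via `pycurl.USERPWD` a few lines above are sent to a peer whose identity is unverified whenever `--ssl-insecure` is used, which deserves a comment at the insecure branch: `# WARNING: credentials are sent to an unauthenticated peer`. send_command begins before this hunk.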