From e51df7a73141c4d378d12e4a3ade12776e48ebff Mon Sep 17 00:00:00 2001
From: Marek 'marx' Grac
Date: Wed, 5 Mar 2014 12:49:17 +0100
Subject: [PATCH] fencing: Add new options --ssl-secure and --ssl-insecure
These new options extends current --ssl (same as --ssl-secure). Until now certificate of the fence device was not validated what can possibly lead to attack on infrastructe. With this patch, user can decide if certificate should (--ssl-secure) or should not (--ssl-insecure) be verified.
---
 fence/agents/cisco_ucs/fence_cisco_ucs.py | 10 ++++++-
 fence/agents/lib/fencing.py.py | 29 ++++++++++++++++++---
 fence/agents/rhevm/fence_rhevm.py | 11 ++++++--
 4 files changed, 70 insertions(+), 14 deletions(-)
diff --git a/fence/agents/cisco_ucs/fence_cisco_ucs.py b/fence/agents/cisco_ucs/fence_cisco_ucs.py
index 71782cb..1e9d983 100644
--- a/fence/agents/cisco_ucs/fence_cisco_ucs.py
+++ b/fence/agents/cisco_ucs/fence_cisco_ucs.py
@@ -85,8 +85,14 @@ def send_command(opt, command, timeout):
 c.setopt(pycurl.POSTFIELDS, command)
 c.setopt(pycurl.WRITEFUNCTION, b.write)
 c.setopt(pycurl.TIMEOUT, timeout)
- c.setopt(pycurl.SSL_VERIFYPEER, 0)
- c.setopt(pycurl.SSL_VERIFYHOST, 0)
+ if opt.has_key("--ssl") or opt.has_key("--ssl-secure"):
+ c.setopt(pycurl.SSL_VERIFYPEER, 1)
+ c.setopt(pycurl.SSL_VERIFYHOST, 2)
+
+ if opt.has_key("--ssl-insecure"):
+ c.setopt(pycurl.SSL_VERIFYPEER, 0)
+ c.setopt(pycurl.SSL_VERIFYHOST, 0)
+
 c.perform()
 result = b.getvalue()
diff --git a/fence/agents/lib/fencing.py.py b/fence/agents/lib/fencing.py.py
index 2006f0d..e40cbb2 100644
--- a/fence/agents/lib/fencing.py.py
+++ b/fence/agents/lib/fencing.py.py
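Review bot: When `--ssl-secure` and `--ssl-insecure` are both given, the second `if` in send_command silently wins and verification is switched off, so a stray insecure flag in a cluster configuration downgrades a deliberately secure one; the same precedence appears in the fence_rhevm.py hunk and in the `ssl_opts` assignment of the fence_login hunk. Make the insecure branch exclusive, `elif opt.has_key("--ssl-insecure"):`, and reject the conflicting pair once at option-validation time in check_input instead of relying on per-agent ordering. The verified path also depends on curl's system CA bundle: there is no way to hand the agent the CA that issued a fence device's certificate (pycurl.CAINFO is never set), which will push operators of devices with a private CA toward `--ssl-insecure`. send_command continues outside the hunk.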
@@ -170,6 +170,20 @@ all_opt = {
 "required" : "0",
 "shortdesc" : "SSL connection",
 "order" : 1 },
+ "ssl_insecure" : {
+ "getopt" : "9",
+ "longopt" : "ssl-insecure",
+ "help" : "--ssl-insecure Use ssl connection without verifying certificate",
+ "required" : "0",
+ "shortdesc" : "SSL connection without verifying fence device's certificate",
+ "order" : 1 },
+ "ssl_secure" : {
+ "getopt" : "9",
+ "longopt" : "ssl-secure",
+ "help" : "--ssl-secure Use ssl connection with verifying certificate",
+ "required" : "0",
+ "shortdesc" : "SSL connection with verifying fence device's certificate",
+ "order" : 1 },
 "notls" : {
 "getopt" : "t",
 "longopt" : "notls",
@@ -370,6 +384,7 @@ DEPENDENCY_OPT = {
 "secure" : [ "identity_file", "ssh_options" ],
 "ipaddr" : [ "ipport", "inet4_only", "inet6_only" ],
 "port" : [ "separator" ],
+ "ssl" : [ "ssl_secure", "ssl_insecure" ],
 "community" : [ "snmp_auth_prot", "snmp_sec_level", "snmp_priv_prot", \
 "snmp_priv_passwd", "snmp_priv_passwd_script" ]
 }
@@ -645,7 +660,7 @@ def check_input(device_opt, opt):
 elif options.has_key("--ssh"):
 all_opt["ipport"]["default"] = 22
 all_opt["ipport"]["help"] = "-u, --ipport=[port] TCP/UDP port to use (default 22)"
- elif options.has_key("--ssl"):
+ elif options.has_key("--ssl") or options.has_key("--ssl-secure") or options.has_key("--ssl-insecure"):
 all_opt["ipport"]["default"] = 443
 all_opt["ipport"]["help"] = "-u, --ipport=[port] TCP/UDP port to use (default 443)"
 elif device_opt.count("web"):
@@ -738,7 +753,7 @@ def check_input(device_opt, opt):
 if options.has_key("--ipport") == False:
 if options.has_key("--ssh"):
 options["--ipport"] = 22
- elif options.has_key("--ssl"):
+ elif options.has_key("--ssl") or options.has_key("--ssl-secure") or options.has_key("--ssl-insecure"):
 options["--ipport"] = 443
 elif device_opt.count("web"):
 options["--ipport"] = 80
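Review bot: The existing `ssl` entry's shortdesc (`"shortdesc" : "SSL connection"`, a context line here, with its help line just above the hunk) still describes a bare SSL connection, while the commit makes `--ssl` verify the certificate like `--ssl-secure`; users reading the agent's help output will not learn that existing deployments with self-signed device certificates now need `--ssl-insecure`. Change it to `"shortdesc" : "SSL connection (certificate verified, same as --ssl-secure)"` and state the equivalence in the `ssl` help string as well. For symmetry the two new shortdesc strings could name the consequence, e.g. `SSL connection without verifying fence device's certificate (no protection against an impersonated device)`.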
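Review bot: check_input now treats `--ssl-secure` and `--ssl-insecure` as SSL connections (default port 443 here and in the `options["--ipport"] = 443` hunk), but fence_login still enters its SSL branch only on `if options.has_key("--ssl"):` (a context line of the fence_login hunk), so `--ssl-insecure` or `--ssl-secure` given alone gets the HTTPS port yet, as far as the visible guard shows, never reaches the gnutls-cli path; the agents' URL-scheme selection is outside the diff and may have the same mismatch. Rather than repeating the three-way `or` at every site, normalise once near the top of check_input, e.g. `if options.has_key("--ssl-secure") or options.has_key("--ssl-insecure"): options["--ssl"] = ""` (using whatever value the parser stores for a bare flag), so every later `has_key("--ssl")` check sees the connection as SSL. check_input's body starts and ends outside both hunks.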
@@ -968,11 +983,17 @@ def fence_login(options, re_login_string = "(login\s*: )|(Login Name: )|(userna
 re_pass = re.compile("(password)|(pass phrase)", re.IGNORECASE)
 if options.has_key("--ssl"):
- gnutls_opts=""
+ gnutls_opts = ""
+ ssl_opts = ""
+
 if options.has_key("--notls"):
 gnutls_opts = "--priority \"NORMAL:-VERS-TLS1.2:-VERS-TLS1.1:-VERS-TLS1.0:+VERS-SSL3.0\""
- command = '%s %s --insecure --crlf -p %s %s' % (SSL_PATH, gnutls_opts, options["--ipport"], options["--ip"])
+ # --ssl is same as the --ssl-secure
+ if options.has_key("--ssl-insecure"):
+ ssl_opts = "--insecure"
+
+ command = '%s %s %s --crlf -p %s %s' % (SSL_PATH, gnutls_opts, ssl_opts, options["--ipport"], options["--ip"])
 try:
 conn = fspawn(options, command)
 except pexpect.ExceptionPexpect, ex:
diff --git a/fence/agents/rhevm/fence_rhevm.py b/fence/agents/rhevm/fence_rhevm.py
index ff3d19f..6098071 100644
--- a/fence/agents/rhevm/fence_rhevm.py
+++ b/fence/agents/rhevm/fence_rhevm.py
@@ -84,9 +84,14 @@ def send_command(opt, command, method = "GET"):
 c.setopt(pycurl.HTTPAUTH, pycurl.HTTPAUTH_BASIC)
 c.setopt(pycurl.USERPWD, opt["--username"] + ":" + opt["--password"])
 c.setopt(pycurl.TIMEOUT, int(opt["--shell-timeout"]))
- c.setopt(pycurl.SSL_VERIFYPEER, 0)
- c.setopt(pycurl.SSL_VERIFYHOST, 0)
-
+ if opt.has_key("--ssl") or opt.has_key("--ssl-secure"):
+ c.setopt(pycurl.SSL_VERIFYPEER, 1)
+ c.setopt(pycurl.SSL_VERIFYHOST, 2)
+
+ if opt.has_key("--ssl-insecure"):
+ c.setopt(pycurl.SSL_VERIFYPEER, 0)
+ c.setopt(pycurl.SSL_VERIFYHOST, 0)
+
 if (method == "POST"):
 c.setopt(pycurl.POSTFIELDS, "")
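Review bot: The comment `# --ssl is same as the --ssl-secure` sits directly above the `--ssl-insecure` test, so it annotates the branch that is not the one below it, and a reader of the `ssl_opts` assignments has to work out that an empty `ssl_opts` is the verifying case. Move it next to `ssl_opts = ""` and state the contract there, e.g. `# empty ssl_opts leaves gnutls-cli verifying the device certificate (--ssl and --ssl-secure); only --ssl-insecure adds --insecure`. fence_login continues outside the hunk.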