Commit 600535f0 authored by Manuel Franceschini's avatar Manuel Franceschini

Always set commonName in X509 certificates

Due to the current switch of the RPC client to PycURL, a bug with newer
versions of libcurl surfaced: when the 'Subject' or 'Issuer' of
'server.pem' was empty, the SSL handshake failed.

This patch changes the certificate generation functions such that they
always use "ganeti.example.com" as commonName (CN) for 'Subject' and
'Issuer'.
Signed-off-by: default avatarManuel Franceschini <livewire@google.com>
Reviewed-by: default avatarIustin Pop <iustin@google.com>
parent 05cd934d
# #
# #
# Copyright (C) 2006, 2007, 2008 Google Inc. # Copyright (C) 2006, 2007, 2008, 2010 Google Inc.
# #
# This program is free software; you can redistribute it and/or modify # This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by # it under the terms of the GNU General Public License as published by
...@@ -149,7 +149,10 @@ def _InitGanetiServerSetup(master_name): ...@@ -149,7 +149,10 @@ def _InitGanetiServerSetup(master_name):
"""Setup the necessary configuration for the initial node daemon. """Setup the necessary configuration for the initial node daemon.
This creates the nodepass file containing the shared password for This creates the nodepass file containing the shared password for
the cluster and also generates the SSL certificate. the cluster, generates the SSL certificate and starts the node daemon.
@type master_name: str
@param master_name: Name of the master node
""" """
# Generate cluster secrets # Generate cluster secrets
...@@ -322,7 +325,7 @@ def InitCluster(cluster_name, mac_prefix, ...@@ -322,7 +325,7 @@ def InitCluster(cluster_name, mac_prefix,
hv_class = hypervisor.GetHypervisor(hv_name) hv_class = hypervisor.GetHypervisor(hv_name)
hv_class.CheckParameterSyntax(hv_params) hv_class.CheckParameterSyntax(hv_params)
# set up the inter-node password and certificate # set up the inter-node password and certificate, start noded
_InitGanetiServerSetup(hostname.name) _InitGanetiServerSetup(hostname.name)
# set up ssh config and /etc/hosts # set up ssh config and /etc/hosts
......
...@@ -222,6 +222,12 @@ OPENSSL_CIPHERS = "HIGH:-DES:-3DES:-EXPORT:-ADH" ...@@ -222,6 +222,12 @@ OPENSSL_CIPHERS = "HIGH:-DES:-3DES:-EXPORT:-ADH"
# Digest used to sign certificates ("openssl x509" uses SHA1 by default) # Digest used to sign certificates ("openssl x509" uses SHA1 by default)
X509_CERT_SIGN_DIGEST = "SHA1" X509_CERT_SIGN_DIGEST = "SHA1"
# Default validity of certificates in days
X509_CERT_DEFAULT_VALIDITY = 365 * 5
# commonName (CN) used in certificates
X509_CERT_CN = "ganeti.example.com"
X509_CERT_SIGNATURE_HEADER = "X-Ganeti-Signature" X509_CERT_SIGNATURE_HEADER = "X-Ganeti-Signature"
IMPORT_EXPORT_DAEMON = _autoconf.PKGLIBDIR + "/import-export" IMPORT_EXPORT_DAEMON = _autoconf.PKGLIBDIR + "/import-export"
......
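Review bot: `X509_CERT_CN` is a fixed placeholder shared by every installation, so the commonName it puts into certificates carries no peer identity and must not be used for hostname verification; the constant needs a comment saying so, e.g. `# Placeholder CN shared by all clusters; it only satisfies libcurl's non-empty Subject/Issuer requirement and must not be used to verify peer identity -- trust has to rest on the distributed certificate itself`. `X509_CERT_DEFAULT_VALIDITY` likewise deserves a one-line note that, these being self-signed certificates, there is presumably no revocation path and the only remedy for a compromised key is regenerating and redistributing the file. The neighbouring `X509_CERT_SIGN_DIGEST = "SHA1"` is pre-existing context rather than part of this change, but it is worth a follow-up to move to a SHA-2 digest.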
# #
# #
# Copyright (C) 2006, 2007 Google Inc. # Copyright (C) 2006, 2007, 2010 Google Inc.
# #
# This program is free software; you can redistribute it and/or modify # This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by # it under the terms of the GNU General Public License as published by
...@@ -3365,11 +3365,22 @@ def GenerateSelfSignedX509Cert(common_name, validity): ...@@ -3365,11 +3365,22 @@ def GenerateSelfSignedX509Cert(common_name, validity):
return (key_pem, cert_pem) return (key_pem, cert_pem)
def GenerateSelfSignedSslCert(filename, validity=(5 * 365)): def GenerateSelfSignedSslCert(filename, common_name=constants.X509_CERT_CN,
validity=constants.X509_CERT_DEFAULT_VALIDITY):
"""Legacy function to generate self-signed X509 certificate. """Legacy function to generate self-signed X509 certificate.
@type filename = str
@param filename = path to write certificate to
@type common_name: string
@param common_name: commonName value
@type validity: int
@param validity: validity of certificate in number of days
""" """
(key_pem, cert_pem) = GenerateSelfSignedX509Cert(None, # TODO: Investigate using the cluster name instead of X505_CERT_CN for
# common_name, as cluster-renames are very seldom, and it'd be nice if RAPI
# and node daemon certificates have the proper Subject/Issuer.
(key_pem, cert_pem) = GenerateSelfSignedX509Cert(common_name,
validity * 24 * 60 * 60) validity * 24 * 60 * 60)
WriteFile(filename, mode=0400, data=key_pem + cert_pem) WriteFile(filename, mode=0400, data=key_pem + cert_pem)
......
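Review bot: The new `common_name` parameter of `GenerateSelfSignedSslCert` is forwarded to `GenerateSelfSignedX509Cert` without a guard against the empty value whose presence caused the handshake failure this commit fixes, so a caller passing `common_name=""` or `None` would regenerate a certificate with an empty Subject/Issuer and quietly reintroduce the bug; a check before the call, `if not common_name: raise ValueError("common_name must not be empty")` (or the project's usual error type), would catch that at generation time. The docstring entries `@type filename = str` and `@param filename = path to write certificate to` use `=` where the other entries and the file's epydoc style use `:`. The TODO comment refers to `X505_CERT_CN`, which should read `X509_CERT_CN` to match the constant actually used as the default. Whether the function ends at the `WriteFile` call cannot be confirmed from the hunk; it may continue past it.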