Commit 9179f383 authored by Helga Velroyen

Check for SSL encoding inconsistencies
This fixes bug 853, which was rather subtle: When adding
nodes with a different openssl library than the master
node, the SSL server certificate could be encoded
differently from the master node. This caused
'gnt-cluster verify' to complain about differing
'server.pem' files although all certificates would
work and private keys could be matched successfully
to the public part of the certificate.

This patch does two things:
- It checks if the encoded versions of the certificate
  differ and if yes, an error is logged.
- It writes exactly the file to disk that it receives
  from the master node so that file inconsistency
  is prevented.
Signed-off-by: Helga Velroyen <helgav@google.com>
Reviewed-by: Klaus Aehlig <aehlig@google.com>
parent 4f6727a6
...@@ -117,10 +117,18 @@ def _VerifyCertificate(cert_pem, _check_fn=utils.CheckNodeCertificate): ...@@ -117,10 +117,18 @@ def _VerifyCertificate(cert_pem, _check_fn=utils.CheckNodeCertificate):
# (no-op if that doesn't exist) # (no-op if that doesn't exist)
_check_fn(cert) _check_fn(cert)
key_encoded = OpenSSL.crypto.dump_privatekey(OpenSSL.crypto.FILETYPE_PEM, key)
cert_encoded = OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM,
cert)
complete_cert_encoded = key_encoded + cert_encoded
if not cert_pem == complete_cert_encoded:
logging.error("The certificate differs after being reencoded. Please"
" renew the certificates cluster-wide to prevent future"
" inconsistencies.")
# Format for storing on disk # Format for storing on disk
buf = StringIO() buf = StringIO()
buf.write(OpenSSL.crypto.dump_privatekey(OpenSSL.crypto.FILETYPE_PEM, key)) buf.write(cert_pem)
buf.write(OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM, cert))
return buf.getvalue() return buf.getvalue()
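Review bot: the new consistency check in this hunk compares `cert_pem` byte-for-byte against `key_encoded + cert_encoded`, so any benign difference in the file received from the master (a trailing newline, a comment line before the PEM header, key and certificate in the other order) is logged as a re-encoding inconsistency even though the key and certificate are valid; consider comparing only the certificate part of `cert_pem` against `cert_encoded`, or document in the docstring that the input must be exactly the key block followed by the certificate block. Two smaller points: `if not cert_pem == complete_cert_encoded:` reads better as `if cert_pem != complete_cert_encoded:`, and since the function now writes only `cert_pem` into the buffer, the `StringIO` round-trip is redundant and `return cert_pem` is equivalent. Also note that `logging.error` does not stop the file from being written, so the check is advisory; a short comment saying so would make that intent explicit, and "reencoded" in the log message should read "re-encoded".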