1. 13 Oct, 2010 2 commits
  2. 12 Oct, 2010 2 commits
    • Apollon Oikonomopoulos's avatar
      Set list of trusted SSL CAs for client to verify · 2d93a6a7
      Apollon Oikonomopoulos authored
      As per SSL_CTX_set_client_CA_list(3SSL), set the list of acceptable CAs
      advertised to SSL clients to include the server's own certificate. This
      evidently fixes the pycurl/gnutls RPC client.
      
      During the TLS Handshake, when client verification is requested, the
      Server sends a CertificateRequest message which states that the client
      should send a valid certificate as a response. The CertificateRequest
      message contains a section called "certificate_authorities", which,
      according to the standard, is a list of the Distinguished Names (DNs) of
      acceptable certification authorities. The client uses this list to send
      a certificate signed by one of the acceptable CAs.
      
      Under OpenSSL's server implementation, this list must be set manually
      using some appropriate call, otherwise the list is empty. TLS 1.0[1]
      does not state whether the list may be left blank, whereas TLS 1.1[2]
      and 1.2[3] state that in case the list is blank, then the client *may*
      send any certificate of a valid type (valid types are specified
      elsewhere in the handshake).
      
      OpenSSL clients seem to obey the behaviour specified in TLS 1.1+,
      whereas at least curl+GnuTLS does not send any certificates if the list
      is empty (which is not wrong per the spec, but also evidently not
      configurable).
      
      [1] http://tools.ietf.org/html/rfc2246
      [2] http://tools.ietf.org/html/rfc4346
      [3] http://tools.ietf.org/html/rfc5246
      
      Signed-off-by: default avatarApollon Oikonomopoulos <apollon@noc.grnet.gr>
      Reviewed-by: default avatarMichael Hanselmann <hansmi@google.com>
      Reviewed-by: default avatarGuido Trotter <ultrotter@google.com>
      2d93a6a7
    • Guido Trotter's avatar
      Require aclocal 1.11.1 or above for autogen.sh · dbc4dda7
      Guido Trotter authored
      
      
      1.11.1 is the version in squeeze and lucid, and we know it works. We
      also know that 1.10.1 in hardy and lenny doesn't, nor do 1.10 in etch
      and 1.9.6 in dapper. We haven't tested any other version.
      
      With older versions python.m4 is buggy, and results in the package being
      built not working on python 2.6 (which uses dist-packages rather than
      site-packages as a module directory).
      
      The autogen.sh interpreter is changed to bash, as we need to use the [[
      builtin to compare versions with "<". [ doesn't have that functionality,
      and we can't of course rely on dpkg, which won't be installed on all
      distributions.
      Signed-off-by: default avatarGuido Trotter <ultrotter@google.com>
      Reviewed-by: default avatarIustin Pop <iustin@google.com>
      dbc4dda7
  3. 08 Oct, 2010 2 commits
  4. 07 Oct, 2010 2 commits
  5. 06 Oct, 2010 1 commit
    • Iustin Pop's avatar
      QA: Fix instance move tests · 677e16eb
      Iustin Pop authored
      
      
      The instance move tests were moving the instance from node pair (A,_) to
      (B, A), and left it there. This patch makes sure that the first step
      moves the instance to (B,A) but the second one back to (A,B), so that
      the instance is left on the same primary node.
      
      The original secondary node is lost though, if I read the code
      correctly.
      Signed-off-by: default avatarIustin Pop <iustin@google.com>
      Reviewed-by: default avatarMichael Hanselmann <hansmi@google.com>
      677e16eb
  6. 05 Oct, 2010 11 commits
  7. 04 Oct, 2010 5 commits
  8. 30 Sep, 2010 14 commits
  9. 22 Sep, 2010 1 commit