From ebc9e7d3ac06e9d02adeccdde618bff30d2dce79 Mon Sep 17 00:00:00 2001 From: Mike Bonnet Date: Wed, 7 Jul 2010 15:22:29 -0400 Subject: [PATCH] append "/ssllogin" to the hub URL when logging in via SSL, so we only need to require client certificates on that specific URL --- hub/httpd.conf | 7 +++---- koji/__init__.py | 3 ++- www/conf/kojiweb.conf | 5 ++--- 3 files changed, 7 insertions(+), 8 deletions(-) diff --git a/hub/httpd.conf b/hub/httpd.conf index 5a5f01e0..3e9d8e81 100644 --- a/hub/httpd.conf +++ b/hub/httpd.conf @@ -16,9 +16,8 @@ Alias /kojihub "/usr/share/koji-hub/XMLRPC" # uncomment this to enable authentication via SSL client certificates -# +# +# SSLVerifyClient require +# SSLVerifyDepth 10 # SSLOptions +StdEnvVars # -# these options must be enabled globally (in ssl.conf) -# SSLVerifyClient require -# SSLVerifyDepth 10 diff --git a/koji/__init__.py b/koji/__init__.py index 490ffa49..dca39e2e 100644 --- a/koji/__init__.py +++ b/koji/__init__.py @@ -1620,7 +1620,8 @@ class ClientSession(object): certs['peer_ca_cert'] = serverca # 60 second timeout during login - self.proxy = ssl.XMLRPCServerProxy.PlgXMLRPCServerProxy(self.baseurl, certs, timeout=60, **self.proxyOpts) + # Append /login to the URL so we can only require client certs to be sent on login requests + self.proxy = ssl.XMLRPCServerProxy.PlgXMLRPCServerProxy(self.baseurl + '/ssllogin', certs, timeout=60, **self.proxyOpts) sinfo = self.callMethod('sslLogin', proxyuser) if not sinfo: raise AuthError, 'unable to obtain a session' diff --git a/www/conf/kojiweb.conf b/www/conf/kojiweb.conf index 478ce691..64573f26 100644 --- a/www/conf/kojiweb.conf +++ b/www/conf/kojiweb.conf 
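Review bot: The example block in hub/httpd.conf now sets `SSLVerifyClient require` per location without saying what that implies at the TLS layer, and the same applies to the www/conf/kojiweb.conf hunk. With the directive scoped to a location rather than set globally in ssl.conf, Apache has to request the client certificate after it has read the request line, which means a renegotiation on a connection that is already carrying a POST. I would add a line to the commented block such as `# note: per-location SSLVerifyClient forces a TLS renegotiation; raise SSLRenegBufferSize if login requests are rejected as too large`. The removed hint about ssl.conf could also be replaced with a reminder that sites which enabled these options globally must remove them there, otherwise every URL still demands a certificate. The Location lines themselves are not legible in this rendering, so the exact path is taken from the commit subject.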
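Review bot: The added comment in koji/__init__.py says "/login" but the code on the next line appends `'/ssllogin'`, and that is the path the server config has to match; the comment should read `# Append /ssllogin to the URL so client certs are only required on login requests`. The plain concatenation `self.baseurl + '/ssllogin'` also yields a double slash when the configured hub URL ends in "/", and whether that still matches the certificate-protected location depends on the server's slash handling, so `self.baseurl.rstrip('/') + '/ssllogin'` would be safer. The enclosing method starts and ends outside the hunk, so it is not visible here whether `self.proxy` is pointed back at the plain `self.baseurl` once the session is obtained. That is worth confirming, since later calls sent to the login URL would each trigger client-certificate verification.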
@@ -44,11 +44,10 @@ Alias /koji "/usr/share/koji-web/scripts/" # uncomment this to enable authentication via SSL client certificates # +# SSLVerifyClient require +# SSLVerifyDepth 10 # SSLOptions +StdEnvVars # -# these options must be enabled globally (in ssl.conf) -# SSLVerifyClient require -# SSLVerifyDepth 10 Alias /koji-static/ "/usr/share/koji-web/static/"