diff --git a/builder/kojid b/builder/kojid
index 33bf9409..9c594cab 100755
--- a/builder/kojid
+++ b/builder/kojid
@@ -4543,7 +4543,7 @@ def get_options():
                 'failed_buildroot_lifetime' : 3600 * 4,
                 'rpmbuild_timeout' : 3600 * 24,
                 'cert': '/etc/kojid/client.crt',
-                'ca': '/etc/kojid/clientca.crt',
+                'ca': '', # FIXME: Unused, remove in next major release
                 'serverca': '/etc/kojid/serverca.crt'}
     if config.has_section('kojid'):
         for name, value in config.items('kojid'):
@@ -4642,7 +4642,7 @@ if __name__ == "__main__":
     if os.path.isfile(options.cert):
         try:
             # authenticate using SSL client certificates
-            session.ssl_login(options.cert, options.ca,
+            session.ssl_login(options.cert, None,
                               options.serverca)
         except koji.AuthError, e:
             quit("Error: Unable to log in: %s" % e)
diff --git a/builder/kojid.conf b/builder/kojid.conf
index 5f0aaec3..8f2a811d 100644
--- a/builder/kojid.conf
+++ b/builder/kojid.conf
@@ -81,8 +81,5 @@ from_addr=Koji Build System
 ;client certificate
 ;cert = /etc/kojid/client.crt
 
-;certificate of the CA that issued the client certificate
-;ca = /etc/kojid/clientca.crt
-
 ;certificate of the CA that issued the HTTP server certificate
 ;serverca = /etc/kojid/serverca.crt
diff --git a/cli/koji b/cli/koji
index 94ee4afb..f383c6fa 100755
--- a/cli/koji
+++ b/cli/koji
@@ -211,7 +211,7 @@ def get_options():
                 'poll_interval': 5,
                 'krbservice': 'host',
                 'cert': '~/.koji/client.crt',
-                'ca': '~/.koji/clientca.crt',
+                'ca': '', # FIXME: remove in next major release
                 'serverca': '~/.koji/serverca.crt',
                 'authtype': None
                 }
@@ -265,7 +265,7 @@ def get_options():
     for name, value in defaults.iteritems():
         if getattr(options, name, None) is None:
             setattr(options, name, value)
-    dir_opts = ('topdir', 'cert', 'ca', 'serverca')
+    dir_opts = ('topdir', 'cert', 'serverca')
     for name in dir_opts:
         # expand paths here, so we don't have to worry about it later
         value = os.path.expanduser(getattr(options, name))
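Review bot: The `'ca': ''` entry kept in the kojid defaults dict (and the same pattern in the cli/koji, kojira and kojivmd defaults) is explained only by a FIXME, so the next maintainer has no stated reason not to delete the key early; presumably it stays so that existing config files that still set `ca` keep loading, but whether an unknown key in the `[kojid]` section would be rejected is not visible in the hunk. Spell the reason out on the line itself, e.g. `'ca': '',  # ignored: client-CA loading was dropped; kept so existing configs with a 'ca' key still parse. FIXME: remove in next major release`. The comment wording also differs across the four files (`Unused`, `unused`, `Remove`); using one form everywhere makes the eventual removal a single grep. get_options continues outside these hunks.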
@@ -6831,7 +6831,7 @@ def activate_session(session):
         pass
     elif options.authtype == "ssl" or os.path.isfile(options.cert) and options.authtype is None:
         # authenticate using SSL client cert
-        session.ssl_login(options.cert, options.ca, options.serverca, proxyuser=options.runas)
+        session.ssl_login(options.cert, None, options.serverca, proxyuser=options.runas)
     elif options.authtype == "password" or options.user and options.authtype is None:
         # authenticate using user/password
         session.login()
diff --git a/cli/koji.conf b/cli/koji.conf
index 01ac7ee1..42946036 100644
--- a/cli/koji.conf
+++ b/cli/koji.conf
@@ -24,8 +24,5 @@
 ;client certificate
 ;cert = ~/.koji/client.crt
 
-;certificate of the CA that issued the client certificate
-;ca = ~/.koji/clientca.crt
-
 ;certificate of the CA that issued the HTTP server certificate
 ;serverca = ~/.koji/serverca.crt
diff --git a/koji/__init__.py b/koji/__init__.py
index 8e297dc6..2406a027 100644
--- a/koji/__init__.py
+++ b/koji/__init__.py
@@ -1745,8 +1745,9 @@ class ClientSession(object):
     def ssl_login(self, cert, ca, serverca, proxyuser=None):
         certs = {}
         certs['key_and_cert'] = cert
-        certs['ca_cert'] = ca
         certs['peer_ca_cert'] = serverca
+        # FIXME: ca is not useful here and therefore ignored, can be removed
+        # when API is changed
         ctx = ssl.SSLCommon.CreateSSLContext(certs)
         self._cnxOpts = {'ssl_context' : ctx}
diff --git a/koji/ssl/SSLCommon.py b/koji/ssl/SSLCommon.py
index 0d3fb947..5a9a5e40 100644
--- a/koji/ssl/SSLCommon.py
+++ b/koji/ssl/SSLCommon.py
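Review bot: `ssl_login` in the koji/__init__.py hunk keeps `ca` as a positional parameter but now discards it silently, and the only record of that is a FIXME inside the body; external callers that still pass a client-CA path get no signal that it is no longer loaded anywhere. Add a docstring on the method that states the contract: `cert` is the file holding the client certificate and key, `ca` is ignored and kept only for API compatibility, `serverca` is the CA file the hub's certificate is verified against (it becomes `peer_ca_cert` in `CreateSSLContext`), and `proxyuser` is passed through for the login call. Since this method is the one place that still accepts the argument, its docstring is also where the deprecation belongs rather than a body comment. The method and the enclosing `ClientSession` class continue outside the hunk.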
@@ -31,16 +31,14 @@ def our_verify(connection, x509, errNum, errDepth, preverifyOK):
 
 def CreateSSLContext(certs):
     key_and_cert = certs['key_and_cert']
-    ca_cert = certs['ca_cert']
     peer_ca_cert = certs['peer_ca_cert']
-    for f in key_and_cert, ca_cert, peer_ca_cert:
+    for f in key_and_cert, peer_ca_cert:
         if f and not os.access(f, os.R_OK):
             raise StandardError, "%s does not exist or is not readable" % f
 
     ctx = SSL.Context(SSL.SSLv23_METHOD)   # Use best possible TLS Method
     ctx.use_certificate_file(key_and_cert)
     ctx.use_privatekey_file(key_and_cert)
-    ctx.load_client_ca(ca_cert)
     ctx.load_verify_locations(peer_ca_cert)
     verify = SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT
     ctx.set_verify(verify, our_verify)
diff --git a/koji/ssl/XMLRPCServerProxy.py b/koji/ssl/XMLRPCServerProxy.py
index 16de6195..78273c81 100644
--- a/koji/ssl/XMLRPCServerProxy.py
+++ b/koji/ssl/XMLRPCServerProxy.py
@@ -146,12 +146,11 @@ class TimeoutCounter:
 
 if __name__ == '__main__':
     if len(sys.argv) < 4:
-        print "Usage: python XMLRPCServerProxy.py key_and_cert ca_cert peer_ca_cert"
+        print "Usage: python XMLRPCServerProxy.py key_and_cert peer_ca_cert"
         sys.exit(1)
 
     certs = {}
     certs['key_and_cert'] = sys.argv[1]
-    certs['ca_cert'] = sys.argv[2]
     certs['peer_ca_cert'] = sys.argv[3]
 
     tm = TimeoutCounter()
diff --git a/util/koji-gc b/util/koji-gc
index 2d61aa49..6678f387 100755
--- a/util/koji-gc
+++ b/util/koji-gc
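Review bot: `CreateSSLContext` has no docstring, and after this hunk the set of keys it reads from `certs` has changed (`ca_cert` is no longer consulted), so callers can only learn the new contract by reading the body. Suggest a docstring listing the two keys it now requires, `key_and_cert` (client certificate and private key file, loaded with `use_certificate_file`/`use_privatekey_file`) and `peer_ca_cert` (the file handed to `load_verify_locations`, i.e. the trust anchors for the peer's certificate under the `VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT` mode set just below), and stating that a leftover `ca_cert` key is ignored. If my reading of the pyOpenSSL call is right, the removed `load_client_ca` only populated the CA-name list advertised in a certificate request and never affected what this context trusts, so peer verification is unchanged by the commit; that is worth saying in the docstring, and worth confirming. Note that the readability loop is `if f and ...`, so an empty `peer_ca_cert` passes it and reaches `load_verify_locations` with no trust anchors loaded; that is pre-existing, but a docstring line saying both keys must be readable paths would help. The function continues past the end of the hunk.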
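Review bot: The `__main__` block of XMLRPCServerProxy.py is now inconsistent with its own usage string: the message says two positional arguments, but the guard still requires four argv entries and `peer_ca_cert` is still read from `sys.argv[3]`, so running it with the documented `key_and_cert peer_ca_cert` pair exits with the usage message, and running it with the old three arguments silently treats the third one as the peer CA. Change the guard and the index together: `if len(sys.argv) < 3:` and `certs['peer_ca_cert'] = sys.argv[2]`. The block continues past the end of the hunk.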
@@ -91,8 +91,8 @@ def get_options():
                       help=_("enable hackish workaround for broken networks"))
     parser.add_option("--cert", default='/etc/koji-gc/client.crt',
                       help=_("Client SSL certificate file for authentication"))
-    parser.add_option("--ca", default='/etc/koji-gc/clientca.crt',
-                      help=_("CA cert file that issued the client certificate"))
+    parser.add_option("--ca", default='',
+                      help=_("ignored")) # FIXME: remove in next major release
     parser.add_option("--serverca", default='/etc/koji-gc/serverca.crt',
                       help=_("CA cert file that issued the hub certificate"))
     parser.add_option("-n", "--test", action="store_true", default=False,
@@ -165,7 +165,7 @@ def get_options():
                ['password', None, 'string'],
                ['noauth', None, 'boolean'],
                ['cert', None, 'string'],
-               ['ca', None, 'string'],
+               ['ca', None, 'string'], # FIXME: remove in next major release
                ['serverca', None, 'string'],
                ['server', None, 'string'],
                ['weburl', None, 'string'],
@@ -373,7 +373,7 @@ def activate_session(session):
         pass
     elif os.path.isfile(options.cert):
         # authenticate using SSL client cert
-        session.ssl_login(options.cert, options.ca, options.serverca, proxyuser=options.runas)
+        session.ssl_login(options.cert, None, options.serverca, proxyuser=options.runas)
     elif options.user:
         #authenticate using user/password
         session.login()
diff --git a/util/kojira b/util/kojira
index c18f63b6..006b10f4 100755
--- a/util/kojira
+++ b/util/kojira
@@ -727,7 +727,7 @@ def get_options():
                 #XXX should really be called expired_repo_lifetime
                 'sleeptime' : 15,
                 'cert': '/etc/kojira/client.crt',
-                'ca': '/etc/kojira/clientca.crt',
+                'ca': '', # FIXME: unused, remove in next major release
                 'serverca': '/etc/kojira/serverca.crt'
                 }
     if config.has_section(section):
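Review bot: The `--ca` option in koji-gc's `get_options` stays visible in `--help` with the text `ignored`, which reads as a bug to an operator and says nothing about why it exists; optparse has `SUPPRESS_HELP` for exactly this, `parser.add_option("--ca", default='', help=optparse.SUPPRESS_HELP)  # FIXME: remove in next major release` (bare `SUPPRESS_HELP` if the file imports it that way), which keeps the flag parseable for existing scripts while hiding it. The FIXME is placed after the closing paren of the continuation line, where it is easy to miss; putting it on its own line above the `add_option` call keeps it next to the option it refers to, and the same applies to the `['ca', None, 'string']` config-table entry later in the same function. get_options continues outside these hunks.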
@@ -735,7 +735,7 @@ def get_options():
                 'retry_interval', 'max_retries', 'offline_retry_interval', 'max_delete_processes', 'max_repo_tasks_maven', 'delete_batch_size',
                 )
     str_opts = ('topdir', 'server', 'user', 'password', 'logfile', 'principal', 'keytab', 'krbservice',
-                'cert', 'ca', 'serverca', 'debuginfo_tags', 'source_tags')
+                'cert', 'ca', 'serverca', 'debuginfo_tags', 'source_tags') # FIXME: remove ca here
     bool_opts = ('with_src','verbose','debug','ignore_stray_repos', 'offline_retry')
     for name in config.options(section):
         if name in int_opts:
@@ -797,7 +797,7 @@ if __name__ == "__main__":
     session = koji.ClientSession(options.server,session_opts)
     if os.path.isfile(options.cert):
         # authenticate using SSL client certificates
-        session.ssl_login(options.cert, options.ca, options.serverca)
+        session.ssl_login(options.cert, None, options.serverca)
     elif options.user:
         # authenticate using user/password
         session.login()
diff --git a/util/kojira.conf b/util/kojira.conf
index a79dc823..def53700 100644
--- a/util/kojira.conf
+++ b/util/kojira.conf
@@ -37,8 +37,5 @@ with_src=no
 ;client certificate
 ;cert = /etc/kojira/client.crt
 
-;certificate of the CA that issued the client certificate
-;ca = /etc/kojira/clientca.crt
-
 ;certificate of the CA that issued the HTTP server certificate
 ;serverca = /etc/kojira/serverca.crt
diff --git a/vm/kojivmd b/vm/kojivmd
index cf44f0c4..40e88af2 100755
--- a/vm/kojivmd
+++ b/vm/kojivmd
@@ -130,7 +130,7 @@ def get_options():
                 'offline_retry_interval': 120,
                 'allowed_scms': '',
                 'cert': '/etc/kojivmd/client.crt',
-                'ca': '/etc/kojivmd/clientca.crt',
+                'ca': '', # FIXME: Remove in next major release
                 'serverca': '/etc/kojivmd/serverca.crt'}
     if config.has_section('kojivmd'):
         for name, value in config.items('kojivmd'):
@@ -1066,7 +1066,7 @@ if __name__ == "__main__":
     if os.path.isfile(options.cert):
         try:
             # authenticate using SSL client certificates
-            session.ssl_login(options.cert, options.ca,
+            session.ssl_login(options.cert, None,
                               options.serverca)
         except koji.AuthError, e:
             quit("Error: Unable to log in: %s" % e)
diff --git a/vm/kojivmd.conf b/vm/kojivmd.conf
index 82c61f26..2b431b28 100644
--- a/vm/kojivmd.conf
+++ b/vm/kojivmd.conf
@@ -50,8 +50,5 @@ from_addr=Koji Build System
 ;client certificate
 ;cert = /etc/kojivmd/client.crt
 
-;certificate of the CA that issued the client certificate
-;ca = /etc/kojivmd/clientca.crt
-
 ;certificate of the CA that issued the HTTP server certificate
 ;serverca = /etc/kojivmd/serverca.crt
diff --git a/www/conf/web.conf b/www/conf/web.conf
index 38f0b619..3bd6f914 100644
--- a/www/conf/web.conf
+++ b/www/conf/web.conf
@@ -15,7 +15,6 @@ KojiFilesURL = http://server.example.com/kojifiles
 
 # SSL authentication options
 # WebCert = /etc/kojiweb/kojiweb.crt
-# ClientCA = /etc/kojiweb/clientca.crt
 # KojiHubCA = /etc/kojiweb/kojihubca.crt
 
 LoginTimeout = 72
diff --git a/www/kojiweb/index.py b/www/kojiweb/index.py
index a5505d1a..876d9567 100644
--- a/www/kojiweb/index.py
+++ b/www/kojiweb/index.py
@@ -122,10 +122,9 @@ def _krbLogin(environ, session, principal):
 
 def _sslLogin(environ, session, username):
     options = environ['koji.options']
     client_cert = options['WebCert']
-    client_ca = options['ClientCA']
     server_ca = options['KojiHubCA']
-    return session.ssl_login(client_cert, None, server_ca,
+    return session.ssl_login(client_cert, None, server_ca,
                              proxyuser=username)
 
 def _assertLogin(environ):
diff --git a/www/kojiweb/wsgi_publisher.py b/www/kojiweb/wsgi_publisher.py
index e7908152..41387341 100644
--- a/www/kojiweb/wsgi_publisher.py
+++ b/www/kojiweb/wsgi_publisher.py
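Review bot: In the index.py hunk `_sslLogin` stops reading `options['ClientCA']`, and the wsgi_publisher.py table in the next hunk drops the `ClientCA` entry, but nothing in the diff says what a deployed web.conf that still sets `ClientCA` does after the upgrade; if the dispatcher rejects keys missing from its table, this becomes a startup failure, which I cannot confirm from the visible lines. Either keep the `ClientCA` entry in the table as ignored for this release, matching what the CLI and daemons do with `'ca': ''`, or say in the web.conf comment that `ClientCA` must be removed. A one-line docstring on `_sslLogin` stating that the hub's certificate is verified against `KojiHubCA` and that no client CA is loaded would make the intent explicit; the function ends inside the hunk.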
@@ -77,7 +77,6 @@ class Dispatcher(object):
             ['KrbService', 'string', 'host'],
             ['WebCert', 'string', None],
-            ['ClientCA', 'string', '/etc/kojiweb/clientca.crt'],
             ['KojiHubCA', 'string', '/etc/kojiweb/kojihubca.crt'],
             ['PythonDebug', 'boolean', False],