On 4/15/16 3:33 PM, Martins Innus wrote:
Nathan,
On 4/15/16 2:57 AM, Nathan Scott wrote:
Hi Martins,
----- Original Message -----
[...]
Thanks for the information to get started. I have a few patches to add
some functionality that I'd like to get feedback on.
These sound like good ideas - I'm outta time to look at the code in
detail
today but will take a closer look early next week.
Thanks. I found a few missed corner cases in the third patch. I'll
clean those up and send something new next week.
OK, I think I cleaned some of this up and would appreciate another set
of eyes. Only new commits pasted below.
From here:
https://github.com/ubccr/pcp/tree/client_certs
or diff to master:
https://github.com/performancecopilot/pcp/compare/master...ubccr:client_certs.diff
Same notes from the last round except cleaned up the test for local
connections.
New additions:
1. Support for pmproxy to negotiate client certificates. Again done
with an environment variable. I think it would probably be ideal if
pmproxy could pass through from pmcd that it needs a client certificate,
but since pmproxy negotiates first with the client I don't think this is
possible, correct?
2. Add PCP_ALLOW_BAD_CERT_DOMAIN on the client side to again provide a
non-interactive way to deal with this existing prompt.
Finally, I noticed that pmproxy by default uses /etc/pki/nssdb for both
client and server connections. Since this directory is usually owned by
root and pmproxy usually runs as the pcp user, it can't store supplied
certificates there. So i went looking for an existing directory I could
pass in with the "-C" option to pmproxy. The best I could find was
/var/lib/pcp/tmp. Any thoughts on a better place? Maybe create a
pmproxy directory under /var/lib/pcp/config?
Thanks
Martins
commit 3f3880a59445fb53f71d469969bab5ac2f866d0b
Author: Martins Innus <minnus@xxxxxxxxxxx>
Date: Wed Apr 20 14:13:21 2016 +0000
Pre-allow certificates from mismatched domains in secure connections
By setting PCP_ALLOW_BAD_CERT_DOMAIN, a client can instruct libpcp
to accept a self signed server certificate on its behalf. Mirrors the
interactive functionality.
src/libpcp/src/secureconnect.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
commit 04a748cebb10a38430f1eb5c76c49bfb8b517edd
Author: Martins Innus <minnus@xxxxxxxxxxx>
Date: Wed Apr 20 14:11:34 2016 +0000
Better check for local connections to pmproxy and pmcd
src/pmcd/src/dopdus.c | 10 ++--------
src/pmproxy/pmproxy.c | 11 +++--------
2 files changed, 5 insertions(+), 16 deletions(-)
commit 80273c50abc7d850d52d5367bbe2f79eda1796e6
Author: Martins Innus <minnus@xxxxxxxxxxx>
Date: Fri Apr 15 16:33:44 2016 +0000
Add client cert functionality to pmproxy
src/libpcp/src/secureconnect.c | 2 +-
src/pmproxy/pmproxy.c | 12 ++++++++++++
2 files changed, 13 insertions(+), 1 deletion(-)
|