Changes committed to git://git.pcp.io/pcp.git master
Martins Innus (28):
Pre-allow self signed server certificates in secure connections
Add client certificate support in secure connections.
Reject insecure remote connections if PMCD_REQUIRE_CLIENT_CERT is set
Add client cert functionality to pmproxy
Better check for local connections to pmproxy and pmcd
Pre-allow certificates from mismatched domains in secure connections
Start implementing PM_SERVER_FEATURE_CERT_REQD
Fix a typo
Allow pmproxy to pass through the CERT_REQD feature to clients
Fix option for secure connection required in pmcd
Handle common code used by both pmproxy and pmcd for client certs.
Add an nssdb directory to hold pcp user owned certs
Allow the name of the server certificate to be customized
Fix options typo
Adds some documentation for new secure connection features.
Fix some broken logic with client certs
Allow the client to change the cert directory
Update hostname for __pmSecureClientHandshake in pmproxy
Allow the server-side NSS_Init be read/write
Cleanup some debugging
Add a missing commit from previous specfile changes
Fix a typo for PM_SERVER_FEATURE_CERT_REQD feature checking.
Add some more documentation and cleanup some debug for client certs.
More cleanups for client cert support
Add a missing file from last commit
QA for Client certs
Add tutorial on new client certificate use
qa: only add pmcd -Q option with force_client_cert setting
Joseph White (2):
Updated SandyBridge conf to use cpu reference cycles.
Added configuration settings for Intel Haswell.
Nathan Scott (1):
qa: ensure papi test 967 is notrun if perfevent active
GNUmakefile | 1
build/rpm/pcp.spec.in | 6
man/html/lab.secureclient.html | 281 +++++++++++++++++++++++++++++++++++++
man/man1/pcpintro.1 | 35 +++-
man/man1/pmcd.1 | 13 +
man/man1/pmproxy.1 | 8 +
qa/006.out | 2
qa/1069 | 3
qa/1069.out | 4
qa/820 | 45 +++++
qa/820.out | 15 +
qa/967 | 2
qa/common.secure | 9 +
qa/group | 1
src/include/pcp.conf.in | 4
src/include/pcp/impl.h | 9 -
src/include/pcp/pmapi.h | 1
src/libpcp/src/auxserver.c | 30 +++
src/libpcp/src/connect.c | 53 +++++-
src/libpcp/src/err.c | 2
src/libpcp/src/exports | 4
src/libpcp/src/secureconnect.c | 71 ++++++---
src/libpcp/src/secureserver.c | 76 +++++++---
src/pmcd/src/dopdus.c | 56 +++++--
src/pmcd/src/pmcd.c | 34 +++-
src/pmdas/perfevent/perfevent.conf | 20 ++
src/pmdas/pmcd/help | 3
src/pmdas/pmcd/root_pmcd | 19 +-
src/pmdas/pmcd/src/pmcd.c | 2
src/pmproxy/pmproxy.c | 280 ++++++++++++++++++++++--------------
src/pmproxy/pmproxy.h | 1
31 files changed, 883 insertions(+), 210 deletions(-)
commit ce871d2b02fa46342d7b33071543c53d6ea42417
Author: Nathan Scott <nathans@xxxxxxxxxx>
Date: Mon May 23 14:58:59 2016 +1000
qa: ensure papi test 967 is notrun if perfevent active
Previous update to perfevent config seems to be conflicting
with papi PMDA - so make sure these two don't run together.
967 22s ... - output mismatch (see 967.out.bad)
184,185c184
< 126.0.NUMBER (<noname>): numval: 1 valfmt: 1 vlist[]:
< value NUMBER
---
> 126.0.NUMBER (<noname>): Missing metric value(s)
190c189
< value "Papi is running, TOT_INS(5) NUMBER"
---
> value "Papi is stopped, "
Failures: 967
commit 71e5df4d076d2920c567e0ca06b9dd1e8fc911c5
Author: Martins Innus <minnus@xxxxxxxxxxx>
Date: Mon May 23 10:54:53 2016 +1000
qa: only add pmcd -Q option with force_client_cert setting
commit ddb6582d5568adf68e7b1399defb4b354d834796
Author: Marko Myllynen <myllynen@xxxxxxxxxx>
Date: Fri May 20 11:51:54 2016 +1000
pmrep: fix infinity handling
pmrep(1) did not handle infinite values properly like other clients,
for example the expression: "tst = proc.memory.vmrss / 0" generates
exception: OverflowError: cannot convert float infinity to integer
Handle it better, and add a similar example to the above as a regression test.
commit 2a613adceda44417f03856b9ce5d51178b2440d5
Author: Martins Innus <minnus@xxxxxxxxxxx>
Date: Wed May 18 16:29:37 2016 +0000
Add tutorial on new client certificate use
commit 452f59837a2a112eb6e33a45da543c829a23f5ca
Author: Martins Innus <minnus@xxxxxxxxxxx>
Date: Wed May 18 13:13:18 2016 +0000
QA for Client certs
Ensure that local clients can still connect if we use -Q
commit 9292a178d71447dbcb1bd006ad8d4acacd57e1f6
Author: Martins Innus <minnus@xxxxxxxxxxx>
Date: Tue May 17 17:43:49 2016 +0000
Add a missing file from last commit
commit 07519d0f4d084605e2799a6d92d04aebbc797bd5
Author: Martins Innus <minnus@xxxxxxxxxxx>
Date: Tue May 17 17:15:59 2016 +0000
More cleanups for client cert support
Add documentation
Change build process to create the nssdb dir during make
Remove conditionals so protocol message from pmcd is always
the same. Deal with enforcement later in the handshake process.
commit 314d4decc75a6f43f69b4fe78d3af7fdde8a750b
Author: Martins Innus <minnus@xxxxxxxxxxx>
Date: Thu May 5 20:03:28 2016 +0000
Add some more documentation and cleanup some debug for client certs.
commit 035479d5e77e89dba9c4a104d7fd80fa92c67048
Author: Martins Innus <minnus@xxxxxxxxxxx>
Date: Thu May 5 19:25:06 2016 +0000
Fix a typo for PM_SERVER_FEATURE_CERT_REQD feature checking.
commit cc0ee7d67cbb259f42de2149eaa7ee90d4fdc856
Author: Martins Innus <minnus@xxxxxxxxxxx>
Date: Thu May 5 13:54:31 2016 +0000
Add a missing commit from previous specfile changes
commit fcf13e50c5907d62bc0cf915e9cce52be75846a7
Author: Martins Innus <minnus@xxxxxxxxxxx>
Date: Thu May 5 13:53:52 2016 +0000
Cleanup some debugging
commit 60e2becd00d991b2b0b3a1a024aad88634bd2e52
Author: Martins Innus <minnus@xxxxxxxxxxx>
Date: Thu May 5 13:51:36 2016 +0000
Allow the server-side NSS_Init be read/write
pmproxy acts as both a client and server. Since the
server init path happens first, the db previously
got opened readonly. Instead try to open RW.
Any downside to doing this by default?
Should this be conditional on something?
commit 795600adfcd23a9f099169c865116a1fa01e009b
Author: Martins Innus <minnus@xxxxxxxxxxx>
Date: Thu May 5 13:40:52 2016 +0000
Update hostname for __pmSecureClientHandshake in pmproxy
I think this should be the peer hostname, not localhost. As far as
I can tell, all other uses of this function set it to the remote
pmcd hostname. This is used in the call to SSL_SetURL/SSL_RevealURL
in order to validate the name in the remote cert.
commit 597a97c1f95bf3720f350d5325796ec3a0c39fb8
Author: Martins Innus <minnus@xxxxxxxxxxx>
Date: Thu May 5 14:27:53 2016 +0000
Allow the client to change the cert directory
commit 5feca757d5668066afcc8464292c2cbbe03a341f
Author: Martins Innus <minnus@xxxxxxxxxxx>
Date: Wed May 4 17:26:17 2016 +0000
Fix some broken logic with client certs
commit f7c364ef9e0edd198b3897458a0f2d5db44d6569
Author: Martins Innus <minnus@xxxxxxxxxxx>
Date: Wed May 4 10:18:57 2016 +0000
Adds some documentation for new secure connection features.
commit 389a3eecb0b2ca64c9cbb753173e833a4eff35b5
Author: Martins Innus <minnus@xxxxxxxxxxx>
Date: Wed May 4 13:57:03 2016 +0000
Fix options typo
commit c4ea4540abb01ed0bf6bb1a78ed9d4dabe9df59a
Author: Martins Innus <minnus@xxxxxxxxxxx>
Date: Tue May 3 18:57:38 2016 +0000
Allow the name of the server certificate to be customized
Add a -M option to pmproxy and pmcd to change the name of the
collector certificate that is searched for in the nssdb.
Also, when a server sends their certificate to the client, the
original nickname is not sent. Use the subject as the name to
save under, since under nss, the nickname:subject mapping must
be 1:1. If a client received certificates with different subjects
from different servers, the certificate save would fail with a
hardcoded nickname on the second certificate.
commit 330d695d738922f18223b8cacc8a34432448da75
Author: Martins Innus <minnus@xxxxxxxxxxx>
Date: Tue May 3 17:48:13 2016 +0000
Add an nssdb directory to hold pcp user owned certs
commit 349bf9b818ea054a6764b2acd1f0176bb8e8bbfd
Author: Martins Innus <minnus@xxxxxxxxxxx>
Date: Tue May 3 14:59:36 2016 +0000
Handle common code used by both pmproxy and pmcd for client certs.
commit 81eb2fce1c1314408e8adb1f213b0e4f17cc9963
Author: Martins Innus <minnus@xxxxxxxxxxx>
Date: Tue May 3 14:42:15 2016 +0000
Fix option for secure connection required in pmcd
commit 5bd496d45b7aadbbeb34b79c160f4ff691e46382
Author: Martins Innus <minnus@xxxxxxxxxxx>
Date: Tue May 3 10:34:55 2016 +0000
Allow pmproxy to pass through the CERT_REQD feature to clients
commit caa00f95478882f7075394a0b2e5611fe1665733
Author: Martins Innus <minnus@xxxxxxxxxxx>
Date: Wed Apr 27 16:02:38 2016 +0000
Fix a typo
commit e6776d23162864196c032b469d9b4c49afa17a29
Author: Martins Innus <minnus@xxxxxxxxxxx>
Date: Wed Apr 27 14:12:03 2016 +0000
Start implementing PM_SERVER_FEATURE_CERT_REQD
Allow pmcd to advertise that it needs a client certificate through
PDU messages.
commit aaf9a474d7129fe1497b631e3f311fcc98c446de
Author: Martins Innus <minnus@xxxxxxxxxxx>
Date: Wed Apr 20 14:13:21 2016 +0000
Pre-allow certificates from mismatched domains in secure connections
By setting PCP_ALLOW_BAD_CERT_DOMAIN, a client can instruct libpcp
to accept a self signed server certificate on its behalf. Mirrors the
interactive functionality.
commit 79f6652ec20bc7b111f848326feefba6d3e67895
Author: Martins Innus <minnus@xxxxxxxxxxx>
Date: Wed Apr 20 14:11:34 2016 +0000
Better check for local connections to pmproxy and pmcd
commit 1c80e4bb546b040f4f88d3ede3e0ed5eaa951c3d
Author: Martins Innus <minnus@xxxxxxxxxxx>
Date: Fri Apr 15 16:33:44 2016 +0000
Add client cert functionality to pmproxy
commit ef2e6cc5e2ca7a998a6f842cc3a10a88c650dc19
Author: Martins Innus <minnus@xxxxxxxxxxx>
Date: Thu Apr 14 19:55:02 2016 +0000
Reject insecure remote connections if PMCD_REQUIRE_CLIENT_CERT is set
commit 5ef137dc550b167119a345400a74a4e0921990ba
Author: Martins Innus <minnus@xxxxxxxxxxx>
Date: Thu Apr 14 19:52:25 2016 +0000
Add client certificate support in secure connections.
By setting PMCD_REQUIRE_CLIENT_CERT, pmcd can require that a client
making a secure connection provide a valid certificate.
commit d82c6d468bdca8a523dd0eab1a30d8d7c5850bd0
Author: Martins Innus <minnus@xxxxxxxxxxx>
Date: Thu Apr 14 19:45:25 2016 +0000
Pre-allow self signed server certificates in secure connections
By setting PCP_SERVER_SELF_CERT, a client can instruct libpcp
to accept a self signed server certificate on its behalf.
commit 499fcd215e0838c1b38bdedf1eeca219813ca073
Author: Joseph White <jpwhite4@xxxxxxxxxxx>
Date: Tue Feb 9 14:52:35 2016 -0500
Added configuration settings for Intel Haswell.
commit ea99658071b8b27769baf74522144de9dfd187a8
Author: Joseph White <jpwhite4@xxxxxxxxxxx>
Date: Fri Oct 30 10:14:43 2015 -0400
Updated SandyBridge conf to use cpu reference cycles.