/etc/fedmsg.d/ssl.py is in python-fedmsg 0.9.3-1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
# This file is part of fedmsg.
# Copyright (C) 2012 - 2014 Red Hat, Inc.
#
# fedmsg is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# fedmsg is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with fedmsg; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
#
# Authors: Ralph Bean <rbean@redhat.com>
#
import os
import socket
# Path separator and the working directory at load time. Neither is used
# below; they are kept because other config fragments loaded alongside this
# one may expect them to exist.
SEP = os.sep
here = os.getcwd()

# fedmsg message-signing / signature-validation settings.
#
# Read as a policy: this host does not sign what it sends, but it validates
# the signature on what it receives, using x509 certificates under ``ssldir``
# and a CRL / CA certificate fetched over HTTPS and cached on disk.
config = {
    "sign_messages": False,
    "validate_signatures": True,

    # Implementations used to sign and to validate messages.
    "crypto_backend": "x509",
    "crypto_validate_backends": ["x509"],

    "ssldir": "/etc/pki/fedmsg",

    # Certificate revocation list: where it is fetched from, where the fetched
    # copy is cached, and how long the cache is trusted before re-fetching
    # (the unit is not stated here -- confirm against the fedmsg docs for
    # this version before tuning it).
    "crl_location": "https://fedoraproject.org/fedmsg/crl.pem",
    "crl_cache": "/var/run/fedmsg/crl.pem",
    "crl_cache_expiry": 10,

    # CA certificate used to validate signers; a cache expiry of 0 means the
    # cached copy never expires.
    "ca_cert_location": "https://fedoraproject.org/fedmsg/ca.crt",
    "ca_cert_cache": "/var/run/fedmsg/ca.crt",
    "ca_cert_cache_expiry": 0,

    # In prod/stg, map hostname to the name of the cert in ssldir.
    # socket.getfqdn() cannot be used for this, hence an explicit map.
    "certnames": {
        # "app01.stg": "app01.stg.phx2.fedoraproject.org",
    },

    # Fully qualified topic -> cert names whose valid signature authorizes a
    # message on that topic. Topics absent from this map are authorized
    # automatically (see routing_nitpicky).
    "routing_policy": {
        # Production announcements are accepted only when signed by one
        # specific certificate.
        "org.fedoraproject.prod.announce.announcement": [
            "announce-lockbox.phx2.fedoraproject.org",
        ],
    },

    # False: a message is dropped only when its topic is in routing_policy and
    # its signing cert is not in that topic's list; unlisted topics pass.
    # True: messages on topics not listed in routing_policy are dropped too,
    # i.e. routing_policy becomes an explicit whitelist. Hosts that should
    # accept only known topics want True here.
    "routing_nitpicky": False,
}