/usr/lib/python2.7/dist-packages/acix/core/ssl.py is in nordugrid-arc-acix-core 5.4.2-1build1.
This file is owned by root:root, with mode 0o644.
import os
from OpenSSL import SSL
# Default locations of the host credential and the CA directory, using the
# standard /etc/grid-security layout.  Each ContextFactory instance can
# override them through its constructor arguments.
DEFAULT_HOST_KEY = '/etc/grid-security/hostkey.pem'
DEFAULT_HOST_CERT = '/etc/grid-security/hostcert.pem'
DEFAULT_CERTIFICATES = '/etc/grid-security/certificates'
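class ContextFactory:
    """Build and cache a pyOpenSSL ``SSL.Context`` from the host credential.

    The context is created lazily by ``getContext()`` and then reused: every
    later call returns the same ``SSL.Context`` instance.
    """

    def __init__(self, key_path=DEFAULT_HOST_KEY, cert_path=DEFAULT_HOST_CERT,
                 verify=False, ca_dir=None):
        """Record the credential paths and the peer-verification policy.

        key_path  -- PEM file holding the private key.
        cert_path -- PEM file holding the matching certificate.
        verify    -- when true, the peer certificate is verified against the
                     CAs found in ``ca_dir``.
        ca_dir    -- directory of CA certificates; when ``verify`` is set and
                     no directory is given, DEFAULT_CERTIFICATES is used.
        """
        self.key_path = key_path
        self.cert_path = cert_path
        self.verify = verify
        self.ca_dir = ca_dir
        if self.verify and ca_dir is None:
            self.ca_dir = DEFAULT_CERTIFICATES
        # Filled in by the first getContext() call and returned afterwards.
        self.ctx = None

    def getContext(self):
        """Return the cached ``SSL.Context``, building it on first use.

        Errors from pyOpenSSL propagate unchanged (for example when the key or
        certificate cannot be loaded, or ``check_privatekey()`` finds that they
        do not match); listing an unreadable ``ca_dir`` raises ``OSError``.
        """
        if self.ctx is not None:
            return self.ctx

        # SSLv23_METHOD negotiates the highest version both ends support.
        # SSLv2 and SSLv3 are disabled below, so TLS 1.0 and later are still
        # negotiable.  NOTE(review): if the deployment can require TLS 1.2+,
        # SSL.OP_NO_TLSv1 / SSL.OP_NO_TLSv1_1 can be added here as well.
        ctx = SSL.Context(SSL.SSLv23_METHOD)
        ctx.set_options(SSL.OP_NO_SSLv2)  # ssl2 is unsafe
        ctx.set_options(SSL.OP_NO_SSLv3)  # ssl3 is also unsafe

        ctx.use_privatekey_file(self.key_path)
        ctx.use_certificate_file(self.cert_path)
        ctx.check_privatekey()  # fail early if the key and cert do not match

        if self.verify:
            # The callback only echoes OpenSSL's own chain verdict; it does no
            # hostname or subject checking of its own.
            # NOTE(review): VERIFY_PEER on its own does not demand that a
            # certificate be presented; if this context is used server-side,
            # SSL.VERIFY_FAIL_IF_NO_PEER_CERT is what makes a client cert
            # mandatory.  Whether this factory serves a server or a client is
            # not visible in this file.
            ctx.set_verify(SSL.VERIFY_PEER, self._accept_openssl_verdict)
            self._load_ca_certificates(ctx)

        # Reaching this point means no context was cached yet, so the
        # previous `if self.ctx is None` guard was redundant.
        self.ctx = ctx
        return ctx

    @staticmethod
    def _accept_openssl_verdict(conn, x509, error_number, error_depth, allowed):
        """Verify callback that returns OpenSSL's decision unchanged."""
        # just return what openssl thinks is right
        return allowed

    def _load_ca_certificates(self, ctx):
        """Register every ``<hash>.0`` file in ``ca_dir`` as a trusted CA.

        Only entries whose name ends in ``.0`` are loaded; ``.1``/``.2``
        hash-collision entries and any other files in the directory are
        skipped.
        """
        for entry in os.listdir(self.ca_dir):
            if not entry.endswith('.0'):
                continue
            # openssl wants absolute paths
            ctx.load_verify_locations(os.path.join(self.ca_dir, entry))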
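if __name__ == '__main__':
    # Smoke test: build a context from the default host credentials and show
    # it.  Raises if the default key or certificate cannot be read.
    # print() with a single argument behaves the same on Python 2 and 3.
    cf = ContextFactory()
    ctx = cf.getContext()
    print(ctx)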