| author | Davanum Srinivas <dims@linux.vnet.ibm.com> | 2013-07-02 09:08:29 -0400 |
|---|---|---|
| committer | Davanum Srinivas <dims@linux.vnet.ibm.com> | 2013-07-08 08:58:58 -0400 |
| commit | 99b7c354271e2ed0893b3c48c7f2a58a55b59b11 (patch) | |
| tree | 303737580276d57f3a81963bef440ff77f8f987b /openstack | |
| parent | abfd8ca6ca13b8ad1d42f081aaf29ec639a4032c (diff) | |
Convert kombu SSL version string into integer
When 'kombu_ssl_version' is specified for the RPC driver, as either
"kombu_ssl_version=3" or "kombu_ssl_version=SSLv3", the relevant
OpenStack service (nova, cinder, etc.) fails because the underlying
RPC driver tries to create an SSL socket, which requires an integer
such as one of the built-in SSL integer constants. Added a validation
step that ensures only the supported SSL versions can be set and
converts the specified string to an integer.
Fixes LP# 1195431
Change-Id: I5d188f46a15bc4ba60d573d6b98def60c56cb987
Diffstat (limited to 'openstack')
| -rw-r--r-- | openstack/common/rpc/impl_kombu.py | 9 | ||||
| -rw-r--r-- | openstack/common/sslutils.py | 20 |
2 files changed, 27 insertions, 2 deletions
diff --git a/openstack/common/rpc/impl_kombu.py b/openstack/common/rpc/impl_kombu.py
index 36d2fc5..70f19b4 100644
--- a/openstack/common/rpc/impl_kombu.py
+++ b/openstack/common/rpc/impl_kombu.py
@@ -34,11 +34,15 @@ from openstack.common.gettextutils import _
 from openstack.common import network_utils
 from openstack.common.rpc import amqp as rpc_amqp
 from openstack.common.rpc import common as rpc_common
+from openstack.common import sslutils
 kombu_opts = [
 cfg.StrOpt('kombu_ssl_version',
 default='',
- help='SSL version to use (valid only if SSL enabled)'),
+ help='SSL version to use (valid only if SSL enabled). '
+ 'valid values are TLSv1, SSLv23 and SSLv3. SSLv2 may '
+ 'be available on some distributions'
+ ),
 cfg.StrOpt('kombu_ssl_keyfile',
 default='',
 help='SSL key file (valid only if SSL enabled)'),
@@ -477,7 +481,8 @@ class Connection(object):
 # http://docs.python.org/library/ssl.html - ssl.wrap_socket
 if self.conf.kombu_ssl_version:
- ssl_params['ssl_version'] = self.conf.kombu_ssl_version
+ ssl_params['ssl_version'] = sslutils.validate_ssl_version(
+ self.conf.kombu_ssl_version)
 if self.conf.kombu_ssl_keyfile:
 ssl_params['keyfile'] = self.conf.kombu_ssl_keyfile
 if self.conf.kombu_ssl_certfile:
diff --git a/openstack/common/sslutils.py b/openstack/common/sslutils.py
index 252da72..281684b 100644
--- a/openstack/common/sslutils.py
+++ b/openstack/common/sslutils.py
@@ -78,3 +78,23 @@ def wrap(sock):
 ssl_kwargs['cert_reqs'] = ssl.CERT_REQUIRED
 return ssl.wrap_socket(sock, **ssl_kwargs)
+
+
+_SSL_PROTOCOLS = {
+ "tlsv1": ssl.PROTOCOL_TLSv1,
+ "sslv23": ssl.PROTOCOL_SSLv23,
+ "sslv3": ssl.PROTOCOL_SSLv3
+}
+
+try:
+ _SSL_PROTOCOLS["sslv2"] = ssl.PROTOCOL_SSLv2
+except AttributeError:
+ pass
+
+
+def validate_ssl_version(version):
+ key = version.lower()
+ try:
+ return _SSL_PROTOCOLS[key]
+ except KeyError:
+ raise RuntimeError(_("Invalid SSL version : %s") % version) |
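Review bot: The new help text for `kombu_ssl_version` lists SSLv3, and SSLv2 where available, as ordinary choices without saying that they are obsolete and weaker than TLSv1, so an operator reading only the option help has no cue to avoid them. I would reword the added string along the lines of `'Valid values are TLSv1 and SSLv23 (negotiates the highest version both ends support); SSLv3 and SSLv2 are accepted only for legacy brokers and are not recommended.'` It would also help to say that matching is case-insensitive, since `validate_ssl_version` lower-cases the value before the lookup. The `kombu_opts` list continues outside the hunk.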
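Review bot: The `_SSL_PROTOCOLS` table in sslutils.py reads `ssl.PROTOCOL_SSLv3` unguarded at import time, while only the SSLv2 lookup is wrapped in `try/except AttributeError`. Python's ssl module can omit that constant when the underlying OpenSSL is built without SSLv3, and on such a build importing sslutils (and impl_kombu, which now imports it) would raise AttributeError even for deployments that never enable SSL. Building the table with a guarded lookup per name, as below, keeps the module importable and routes unavailable versions through the existing RuntimeError path. `validate_ssl_version` also lacks a docstring; it should state that the function returns the ssl module constant for a case-insensitive protocol name and raises RuntimeError otherwise, because the name suggests a boolean check.

```python
# Only register protocols this interpreter's ssl module actually exposes.
_SSL_PROTOCOLS = {}
for _name in ("TLSv1", "SSLv23", "SSLv3", "SSLv2"):
    _proto = getattr(ssl, "PROTOCOL_" + _name, None)
    if _proto is not None:
        _SSL_PROTOCOLS[_name.lower()] = _proto

# … unchanged: validate_ssl_version …
```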
