Changeset 6988
- Timestamp:
- 11/06/10 13:25:00 (11 years ago)
- Location:
- TI12-security/trunk/NDGSecurity/python
- Files:
-
- 1 added
- 2 edited
-
TI12-security/trunk/NDGSecurity/python/Tests
-
Property
svn:ignore
set to
apache-mod-proxy
curl
-
Property
svn:ignore
set to
-
TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/ssl.py
r6861 r6988 81 81 82 82 def __init__(self, app, global_conf, prefix=PARAM_PREFIX, **app_conf): 83 83 """Read configuration settings from the global and application specific 84 ini file settings 85 """ 84 86 super(ApacheSSLAuthnMiddleware, self).__init__(app, 85 87 global_conf, … … 104 106 ApacheSSLAuthnMiddleware.CACERT_FILEPATH_LIST_OPTNAME 105 107 108 # Verify against trust root if set. Alternatively, the verification 109 # step can be configured in the Apache config file. The latter will 110 # correctly verify proxy certificates if the environment variable 111 # OPENSSL_ALLOW_PROXY_CERTS is set in the start up. The verification 112 # code in isValidClientCert can't correctly verify proxy certificates 113 # because only a single certificate is passed in the SSL_CLIENT_CERT 114 # environ variable and not the complete certificate chain 106 115 self.caCertStack = app_conf.get(caCertFilePathListParamName, []) 107 116 … … 109 118 ApacheSSLAuthnMiddleware.CLIENT_CERT_DN_MATCH_LIST_OPTNAME 110 119 120 # Specify a restricted list of DNs of which the input client certificate 121 # DN must match at least one 111 122 self.clientCertDNMatchList = app_conf.get( 112 123 clientCertDNMatchListParamName, []) … … 341 352 return False 342 353 343 # Verify against trust root if set 354 # Verify against trust root if set. Alternatively, the verification 355 # step can be configured in the Apache config file. The latter will 356 # correctly verify proxy certificates if the environment variable 357 # OPENSSL_ALLOW_PROXY_CERTS is set in the start up. 
The verification 358 # code HERE can't correctly verify proxy certificates because only a 359 # single certificate is passed in the SSL_CLIENT_CERT environ variable 360 # and not the complete certificate chain 344 361 if len(self.caCertStack) == 0: 345 362 log.warning("No CA certificates set for Client certificate " … … 361 378 362 379 # Verify against list of acceptable DNs if set 363 364 380 if len(self.clientCertDNMatchList) > 0: 365 381 dn = self.__clientCert.dn … … 440 456 """Set user ID in AuthKit cookie from client certificate submitted 441 457 """ 442 userId = self.clientCert.dn['CN'] 458 commonName = self.clientCert.dn['CN'] 459 if len(commonName) > 0: 460 # Proxy certificate will have multiple CNs 461 userId = commonName[0] 462 else: 463 userId = commonName 443 464 444 465 self.environ[
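Review bot: In the last hunk (setting the user ID from the client certificate), `len(commonName) > 0` is true for any non-empty string as well as for a list, so if `dn['CN']` returns a plain string for a certificate with a single CN (which the `else: userId = commonName` branch suggests), `commonName[0]` yields only the first character of the name. The user ID placed in the AuthKit cookie would then be one letter, shared by every subject whose CN starts with it. Testing the type instead, `if isinstance(commonName, (list, tuple)):`, keeps the multi-CN proxy-certificate case and leaves single-CN names intact; confirm which type the DN class actually returns for repeated fields. The method body continues past the end of the section shown here.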