-Paul
diff --git a/yum/config.py b/yum/config.py
index bf00852..d26d42e 100644
--- a/yum/config.py
+++ b/yum/config.py
@@ -529,6 +529,11 @@ class YumConf(StartupConf):
metadata_expire = IntOption(1800) # time in seconds
mirrorlist_expire = IntOption(86400) # time in seconds (1 day)
rpm_check_debug = BoolOption(True)
+
+ ssl_ca_cert = Option()
+ ssl_verify = BoolOption(False)
+ ssl_client_cert = Option()
+ ssl_client_key = Option()
_reposlist = []
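Review bot: `ssl_verify = BoolOption(False)` makes server-certificate verification opt-in, so a repo that sets only `ssl_ca_cert` (or a client cert) still accepts any server certificate unless the admin also remembers to turn `ssl_verify` on. The safer default is `ssl_verify = BoolOption(True)`, documented as an explicit opt-out in the style of the neighbouring options, e.g. `ssl_verify = BoolOption(True) # verify the server certificate`. This matters more than usual here because the False branch of `_buildcontext` in the yumRepo.py hunk also calls `set_allow_unknown_ca(True)` and `verify_none`, so the default would disable peer checks entirely rather than merely skip the CA bundle.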
@@ -562,6 +567,11 @@ class RepoConf(BaseConfig):
metadata_expire = Inherit(YumConf.metadata_expire)
mirrorlist_expire = Inherit(YumConf.mirrorlist_expire)
cost = IntOption(1000)
+
+ ssl_ca_cert=Inherit( YumConf.ssl_ca_cert)
+ ssl_verify=Inherit(YumConf.ssl_verify)
+ ssl_client_cert=Inherit(YumConf.ssl_client_cert)
+ ssl_client_key=Inherit(YumConf.ssl_client_key)
def readStartupConfig(configfile, root):
'''
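Review bot: `ssl_ca_cert=Inherit( YumConf.ssl_ca_cert)` drops the spaces around `=` that every other line in RepoConf uses and adds a stray space inside the parenthesis; the three lines below it have the same `=` spacing. `ssl_ca_cert = Inherit(YumConf.ssl_ca_cert)` (and likewise for ssl_verify, ssl_client_cert, ssl_client_key) matches the surrounding block.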
diff --git a/yum/yumRepo.py b/yum/yumRepo.py
index 85db15b..766c4ca 100644
--- a/yum/yumRepo.py
+++ b/yum/yumRepo.py
@@ -33,6 +33,12 @@ from yum import config
from yum import misc
from constants import *
+try:
+ from M2Crypto import SSL
+ have_m2crypto = True
+except ImportError:
+ have_m2crypto = False
+
import logging
import logginglevels
@@ -234,6 +240,10 @@ class YumRepository(Repository, config.RepoConf):
self.pkgdir = ""
self.hdrdir = ""
self.cost = 1000
+ self.ssl_ca_cert=None
+ ssl_verify=False
+ ssl_client_cert=None
+ ssl_client_key=None
# holder for stuff we've grabbed
self.retrieved = { 'primary':0, 'filelists':0, 'other':0, 'groups':0 }
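Review bot: Only the first of the four new assignments is an instance attribute; `ssl_verify=False`, `ssl_client_cert=None` and `ssl_client_key=None` bind throwaway locals in the initializer and leave the instance fields untouched, so whatever the class attributes from config.RepoConf provide is what `_buildcontext` will read. The intended lines are `self.ssl_verify = False`, `self.ssl_client_cert = None`, `self.ssl_client_key = None`. The enclosing `__init__` begins outside the hunk.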
@@ -422,7 +432,9 @@ class YumRepository(Repository, config.RepoConf):
interrupt_callback=self.interrupt_callback,
timeout=self.timeout,
http_headers=headers,
- reget='simple')
+ reget='simple'
+ # Do not include ssl_ca_cert as this will override ssl_context
+ ssl_context=self._buildcontext())
self._grab = mgclass(self._grabfunc, self.urls,
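Review bot: `reget='simple'` on the new side lost its trailing comma when the closing parenthesis moved down, so after the comment line Python sees `reget='simple' ssl_context=...` and the module fails to import with a SyntaxError. Restore it as `reget='simple',` and keep the comment on its own line before the `ssl_context=self._buildcontext())` argument. The URLGrabber(...) call this belongs to begins outside the hunk.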
@@ -501,6 +513,24 @@ class YumRepository(Repository, config.RepoConf):
# store them all back in baseurl for compat purposes
self.baseurl = self._urls
self.check()
+
+ def _buildcontext(self):
+ """Generate SSL contxtet. Has info like CA and client keys. Returns None if M2Crypto is not present"""
+ if have_m2crypto:
+ ctx=SSL.Context()
+ if self.ssl_verify:
+ ctx.set_verify(SSL.verify_peer|SSL.verify_fail_if_no_peer_cert,12)
+ else:
+ cxt.set_allow_unknown_ca(True)
+ ctx.set_verify(SSL.verify_none, -1)
+ if self.ssl_ca_cert:
+ ctx.load_verify_locations(capath=self.ssl_ca_cert)
+ if self.ssl_client_cert:
+ ctx.load_cert(certfile=self.ssl_client_cert,keyfile=self.ssl_client_key)
+ if self.ca_cert:
+ ctx.load_verify_locations(self.ca_cert)
+ else:
+ return None
def _replace_and_check_url(self, url_list):
goodurls = []
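Review bot: `_buildcontext` never returns the context it builds — the `if have_m2crypto:` branch falls off the end, so every caller receives None and the ssl_* options have no effect even when M2Crypto is installed. Within that branch `cxt.set_allow_unknown_ca(True)` refers to an undefined name (NameError as soon as ssl_verify is False, which is the default from the config.py hunk), the final `if self.ca_cert:` block uses an attribute that nothing in this patch defines and duplicates the `ssl_ca_cert` load above it, and `load_verify_locations(capath=...)` tells M2Crypto that ssl_ca_cert is a hashed directory — if the option is meant to name a PEM file, as the name suggests, `cafile=` is presumably intended (confirm against the option's documentation). The `else: return None` path also drops configured ssl_verify/ssl_client_cert settings silently when M2Crypto is absent; a warning through the module's logger (`import logging` is visible in the earlier hunk, though the repo-level logger object is not) would make that downgrade visible. The docstring typo "contxtet" should read "context". The rewritten method below keeps the same name and return contract (SSL.Context or None).
```python
    def _buildcontext(self):
        """Build the M2Crypto SSL.Context (verify mode, CA bundle, client
        cert/key) handed to urlgrabber, or None when M2Crypto is absent."""
        if not have_m2crypto:
            # TODO(review): log a warning here -- configured ssl_* options are otherwise dropped silently
            return None
        ctx = SSL.Context()
        if self.ssl_verify:
            ctx.set_verify(SSL.verify_peer | SSL.verify_fail_if_no_peer_cert, 12)
        else:
            ctx.set_allow_unknown_ca(True)
            ctx.set_verify(SSL.verify_none, -1)
        if self.ssl_ca_cert:
            # cafile=: ssl_ca_cert is assumed to be a PEM file, not a hashed CA directory -- confirm
            ctx.load_verify_locations(cafile=self.ssl_ca_cert)
        if self.ssl_client_cert:
            ctx.load_cert(certfile=self.ssl_client_cert, keyfile=self.ssl_client_key)
        return ctx
```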
On 10/8/07, Paul McIntyre <paul.mcintyre@xxxxxxxxxxxxxxxxxxx> wrote:
I was looking over some older messages and it looks like someone may have already done it.
http://www.mail-archive.com/yum-devel@xxxxxxxxxxxxxx/msg01239.html
However it doesn't look like the patches were applied.
-Paul

On 10/8/07, seth vidal <skvidal@xxxxxxxxxxxxxxxxx> wrote:
On Mon, 2007-10-08 at 13:42 -0400, Paul McIntyre wrote:
> I've been looking at setting up a YUM server and was looking for a way
> to control client access to the server. My preferred method is
> client/server SSL certs. Another option I've been considering is
> username/passwords. I was wondering if there was a recommended method.
> If not I may try to patch the trunk for client/server certs from
> the repo config.
>
that's a good patch to try. As soon as I get a word back from the
urlgrabber maintainer I hope to see that patch in yum and urlgrabber
proper.
also check out func when you get a chance:
https://hosted.fedoraproject.org/projects/func/
-sv
_______________________________________________
Yum mailing list
Yum@xxxxxxxxxxxxxxxxxxxx
https://lists.dulug.duke.edu/mailman/listinfo/yum--
Paul
0x9F9E08F2 paul.mcintyre@xxxxxxxxxxxxxxxxxxx
A47A A126 0883 8991 4B07 9C86 5D56 5205 9F9E 08F2
--
Paul
0x9F9E08F2 paul.mcintyre@xxxxxxxxxxxxxxxxxxx
A47A A126 0883 8991 4B07 9C86 5D56 5205 9F9E 08F2