[Planetlab-devel] peering PlanetLab and PlanetLabEurope
Thierry Parmentelat
Thierry.Parmentelat at sophia.inria.fr
Fri Jun 22 07:26:08 EDT 2007
Hi Tony
About the problem we are facing with these SSL certificates, please find
attached a python script that I hope could be useful for diagnosing the
problem; I'm sure it can be useful to others, since this kind of problem
is quite common when creating a peering.
Can you please run it like this, from your chroot jail (the command is a single line):
<plc> # check-ssl-peering.py PlanetLab PlanetLabEurope /etc/planetlab/PlanetLabEurope.cacert www.planet-lab.eu
and send me the output?
I hope this way I can get useful information on what's going wrong with
our current setup
Also, can you please send me again (I lost my chat session ...)
- the dump of your peer object
- the output of
<plc> # plcsh
p=GetPeers(['PlanetLabEurope'])[0]
p.connect()
p.GetPeerName()
thanks in advance -- Thierry
-------------- next part --------------
#!/usr/bin/env plcsh
# checking ssl connection
# mimics what PyCurl does
import sys
import pycurl
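class check_ssl:
    """Diagnose the SSL / XML-RPC handshake used when peering two PLCs.

    For each remote hostname, a gpg-authenticated GetPeerName call is POSTed
    to https://<hostname>/PLCAPI/ through pycurl, with the server certificate
    validated against the CA file given on the command line.  Each step that
    fails is reported on stdout.  Python 2 code, meant to run under plcsh.
    """

    def getpeername_post_request (self,local_peername) :
        """Return the XML-RPC body of a gpg-authenticated GetPeerName call.

        local_peername is placed in the 'name' member of the auth struct.
        The signature comes from PLC.GPG.gpg_sign, called with an empty
        argument tuple, the two keyring paths stored in self.options by
        main(), and the method name.
        """
        methodname="GetPeerName"
        from PLC.GPG import gpg_sign
        from xml.sax.saxutils import escape
        signature = gpg_sign((),
                             self.options.PLC_ROOT_GPG_KEY,
                             self.options.PLC_ROOT_GPG_KEY_PUB,
                             methodname)
        # The peer name comes from the command line; escape it so that a name
        # containing '&' or '<' still yields a well-formed request.
        # NOTE(review): the signature is inserted exactly as gpg_sign returns
        # it -- presumably ASCII-armoured text without XML metacharacters;
        # confirm against PLC.GPG.
        post="""<?xml version='1.0'?>
<methodCall>
<methodName>GetPeerName</methodName>
<params>
<param>
<value><struct>
<member>
<name>AuthMethod</name>
<value><string>gpg</string></value>
</member>
<member>
<name>name</name>
<value><string>%s</string></value>
</member>
<member>
<name>signature</name>
<value><string>%s
</string></value>
</member>
</struct></value>
</param>
</params>
</methodCall>"""%(escape(local_peername),signature)
        return post

    def check_url (self,url,local_peername,remote_peername,cert,timeout=10,verbose=1):
        """POST GetPeerName to url and report whether the round trip works.

        cert is the path of the CA certificate file handed to libcurl as
        CAINFO.  timeout, when truthy, is applied to both the connection and
        the whole transfer.  verbose is passed to libcurl's VERBOSE option.

        Returns True only if the transfer succeeds, the HTTP status is 200,
        the answer does not contain 'Failed' and it does contain
        remote_peername (a plain substring test).  Returns False otherwise,
        after printing the reason.
        """
        import StringIO
        curl=pycurl.Curl()
        # Nested try blocks rather than try/except/finally, so the script
        # still parses on Python 2.4; the handle is released on every path.
        try:
            curl.setopt(pycurl.NOSIGNAL, 1)
            # Follow redirections.  After a redirect, the certificate that is
            # validated is the one of the host that finally answers; the
            # verbose trace shows which hosts were contacted.
            curl.setopt(pycurl.FOLLOWLOCATION, 1)
            curl.setopt(pycurl.URL, str(url))
            cert_path = str(cert)
            curl.setopt(pycurl.CAINFO, cert_path)
            # SSL_VERIFYPEER is an on/off switch in libcurl: any non-zero
            # value turns on chain validation against CAINFO.  The level-style
            # value 2 belongs to SSL_VERIFYHOST (certificate name matching),
            # which is not set here, so libcurl's default applies to it.
            # NOTE(review): 2 is kept on the assumption that it mirrors the
            # PyCurl transport this script mimics -- confirm.
            curl.setopt(pycurl.SSL_VERIFYPEER, 2)
            # Set connection timeout
            if timeout:
                curl.setopt(pycurl.CONNECTTIMEOUT, timeout)
                curl.setopt(pycurl.TIMEOUT, timeout)
            curl.setopt(pycurl.VERBOSE, verbose)
            # Post request
            curl.setopt(pycurl.POST, 1)
            curl.setopt(pycurl.POSTFIELDS, self.getpeername_post_request(local_peername))
            answer = StringIO.StringIO()
            curl.setopt(pycurl.WRITEFUNCTION, answer.write)
            try:
                curl.perform()
                http_code = curl.getinfo(pycurl.HTTP_CODE)
            except pycurl.error, err:
                # pycurl.error carries (libcurl error code, message); this is
                # a transport-level code, not an HTTP status.
                (errcode, errmsg) = err.args
                if errcode == 60:
                    # 60 is libcurl's certificate-verification failure.
                    print 'FAILURE', "SSL certificate validation failed, %r"%(errmsg)
                else:
                    print 'FAILURE', "curl error %d, errmsg %r" % (errcode,errmsg)
                return False
            response = answer.getvalue()
            print 'xmlrpc answer',response
            if http_code != 200:
                # The status used to be fetched and then ignored; an error
                # page must not be taken for a successful round trip.
                print 'FAILURE : HTTP status %d' % http_code
                return False
            if 'Failed' in response:
                print 'FAILURE : failed to authenticate ?'
                return False
            if remote_peername not in response:
                print 'FAILURE : xmlrpc round trip OK but peername does not match'
                return False
            print 'SUCCESS'
            return True
        finally:
            curl.close()

    def main (self):
        """Parse the command line, check every hostname, return an exit status.

        Expects local-peername, remote-peername, cacert and at least one
        hostname; prints the usage and exits with status 2 otherwise.
        Returns 0 if at least one hostname passed check_url, else 1.
        """
        from optparse import OptionParser
        usage="%prog [options] local-peername remote-peername cacert hostname [ .. hostname ]"
        parser=OptionParser(usage=usage)
        # The option destinations are the attribute names that
        # getpeername_post_request reads from self.options when signing.
        parser.add_option('-s','--secret',default='/etc/planetlab/secring.gpg',
                          dest='PLC_ROOT_GPG_KEY',
                          help='local GPG secret ring')
        parser.add_option('-p','--public',default='/etc/planetlab/pubring.gpg',
                          dest='PLC_ROOT_GPG_KEY_PUB',
                          help='local GPG public ring')
        (self.options, args) = parser.parse_args()
        if len(args) < 4:
            parser.print_help()
            sys.exit(2)
        local_peername, remote_peername, cacert = args[:3]
        hostnames = args[3:]
        # An explicit ':443' in the URL was tried as well and did not seem to
        # make any difference, so only the plain form is checked.
        url_format = 'https://%s/PLCAPI/'
        ok=False
        for hostname in hostnames:
            url=url_format%hostname
            print '============================== Checking url=',url
            if self.check_url(url,local_peername,remote_peername,cacert):
                # One hostname passing is enough for a zero exit status; the
                # per-host SUCCESS/FAILURE lines show the detail.
                ok=True
        if ok:
            return 0
        return 1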
if __name__ == '__main__':
    # Script entry point: run the checker and pass main()'s return value
    # to the shell as the exit status.
    checker = check_ssl()
    status = checker.main()
    sys.exit(status)