[Planetlab-devel] peering PlanetLab and PlanetLabEurope
Tony Mack
tmack at CS.Princeton.EDU
Fri Jun 22 14:54:53 EDT 2007
Hi Thierry,
I've attached output for both tests.
Thierry Parmentelat wrote:
> Hi Tony
>
> About the problem we are facing with these SSL certificates, please
> find attached a python script that I hope could be useful for
> diagnosing the problem; I'm sure it can be useful to others, since
> this kind of problem is quite common when creating a peering.
>
> Can you please run it like this (from your chroot jail)
> <plc> # check-ssl-peering.py PlanetLab PlanetLabEurope
> /etc/planetlab/PlanetLabEurope.cacert www.planet-lab.eu
> and send me the output ?
> I hope this way I can get useful information on what's going wrong
> with our current setup
>
> Also, can you please send me again (I lost my chat session ...)
> - the dump of your peer object
> - the output of
> <plc> # plcsh
> p=GetPeers(['PlanetLabEurope'])[0]
> p.connect()
> p.GetPeerName()
>
> thanks in advance -- Thierry
>
> ------------------------------------------------------------------------
>
> #!/usr/bin/env plcsh
> # checking ssl connection
> # mimics what PyCurl does
>
> import sys
> import pycurl
>
> class check_ssl:
> # Diagnostic helper: sends a GPG-signed GetPeerName XML-RPC request over
> # HTTPS with pycurl and reports whether certificate validation and the
> # peer-name round trip succeed.
> # NOTE(review): indentation was lost in this quoted listing, so the nesting
> # of some statements below has to be inferred -- confirm against the
> # original attachment.
>
> def getpeername_post_request (self,local_peername) :
> # Build the XML-RPC POST body for GetPeerName using AuthMethod 'gpg'.
> # local_peername is placed in the 'name' member; the return value is the
> # request document as a string.
> methodname="GetPeerName"
> from PLC.GPG import gpg_sign
> # The signature is computed over an empty argument tuple and the method
> # name, with the keyring paths taken from the parsed command-line options.
> # NOTE(review): nothing visible here adds a nonce or timestamp; if gpg_sign
> # does not add one either, the same signature stays valid for later
> # GetPeerName calls, so treat any captured request (verbose output, logs)
> # as sensitive -- confirm against PLC.GPG.
> signature = gpg_sign((),
> self.options.PLC_ROOT_GPG_KEY,
> self.options.PLC_ROOT_GPG_KEY_PUB,
> methodname)
> # NOTE(review): the peer name and signature are interpolated into the XML
> # below without escaping; a peer name containing '<' or '&' would produce a
> # malformed request.
> post="""<?xml version='1.0'?>
> <methodCall>
> <methodName>GetPeerName</methodName>
> <params>
> <param>
> <value><struct>
> <member>
> <name>AuthMethod</name>
> <value><string>gpg</string></value>
> </member>
> <member>
> <name>name</name>
> <value><string>%s</string></value>
> </member>
> <member>
> <name>signature</name>
> <value><string>%s
> </string></value>
> </member>
> </struct></value>
> </param>
> </params>
> </methodCall>"""%(local_peername,signature)
> return post
>
> def check_url (self,url,local_peername,remote_peername,cert,timeout=10,verbose=1):
> # POST the signed GetPeerName request to url, verifying the server
> # certificate against the CA file given in cert.
> # Returns True when the response contains remote_peername and does not
> # contain 'Failed'; returns False otherwise, including on pycurl errors.
> curl=pycurl.Curl()
> # NOSIGNAL asks libcurl not to use signals (for example for timeouts).
> curl.setopt(pycurl.NOSIGNAL, 1)
>
> # Follow redirections
> curl.setopt(pycurl.FOLLOWLOCATION, 1)
> curl.setopt(pycurl.URL, str(url))
> cert_path = str(cert)
> # CAINFO is the CA certificate file the server certificate is checked
> # against; here it is the path passed on the command line.
> curl.setopt(pycurl.CAINFO, cert_path)
> # libcurl treats SSL_VERIFYPEER as a boolean, so 2 simply enables
> # certificate-chain verification against CAINFO. Host-name matching is
> # controlled by the separate SSL_VERIFYHOST option, which is not set here
> # and therefore stays at libcurl's default.
> # NOTE(review): confirm that default on the installed libcurl.
> curl.setopt(pycurl.SSL_VERIFYPEER, 2)
>
> # Set connection timeout
> # NOTE(review): with indentation lost it is unclear whether TIMEOUT is set
> # only when timeout is truthy -- confirm against the original script.
> if timeout:
> curl.setopt(pycurl.CONNECTTIMEOUT, timeout)
> curl.setopt(pycurl.TIMEOUT, timeout)
>
> # VERBOSE makes libcurl print connection and TLS handshake details, which
> # is the diagnostic output this script is run for.
> curl.setopt(pycurl.VERBOSE, verbose)
>
> # Post request
> curl.setopt(pycurl.POST, 1)
> curl.setopt(pycurl.POSTFIELDS, self.getpeername_post_request(local_peername))
>
> # Collect the response body in memory.
> import StringIO
> b = StringIO.StringIO()
> curl.setopt(pycurl.WRITEFUNCTION, b.write)
>
> try:
> curl.perform()
> # The HTTP status is fetched into errcode but not examined on this path;
> # success is decided from the response text only.
> errcode = curl.getinfo(pycurl.HTTP_CODE)
> response = b.getvalue()
> print 'xmlrpc answer',response
> # Substring checks on the raw XML: 'Failed' anywhere in the body is taken
> # as an authentication failure, and the remote peer name must appear
> # somewhere in the body for the check to pass.
> if response.find('Failed') >= 0:
> print 'FAILURE : failed to authenticate ?'
> return False
> elif response.find(remote_peername) <0:
> print 'FAILURE : xmlrpc round trip OK but peername does not match'
> return False
> else:
> print 'SUCCESS'
> return True
>
> except pycurl.error, err:
> # pycurl.error unpacks to (libcurl error code, message).
> (errcode, errmsg) = err
> # 60 is libcurl's code for a peer certificate that could not be verified
> # with the configured CA certificates.
> if errcode == 60:
> print 'FAILURE', "SSL certificate validation failed, %r"%(errmsg)
> # errcode here is a libcurl error code, not an HTTP status, although the
> # message below calls it an HTTP error.
> elif errcode != 200:
> print 'FAILURE', "HTTP error %d, errmsg %r" % (errcode,errmsg)
> # NOTE(review): presumably at the except level, so every pycurl error
> # returns False -- confirm against the original indentation.
> return False
>
> def main (self):
> # Parse the command line and run check_url for every hostname given.
> # Positional arguments: local-peername remote-peername cacert hostname...
> # Returns 0 if at least one hostname passed the check, 1 otherwise; exits
> # with status 2 after printing help when fewer than four are given.
> from optparse import OptionParser
> usage="%prog [options] local-peername remote-peername cacert hostname [ .. hostname ]"
> parser=OptionParser(usage=usage)
> # The keyring paths default to the files under /etc/planetlab and are read
> # later by getpeername_post_request through self.options.
> parser.add_option('-s','--secret',default='/etc/planetlab/secring.gpg',
> dest='PLC_ROOT_GPG_KEY',
> help='local GPG secret ring')
> parser.add_option('-p','--public',default='/etc/planetlab/pubring.gpg',
> dest='PLC_ROOT_GPG_KEY_PUB',
> help='local GPG public ring')
> (self.options, args) = parser.parse_args()
>
> if len(args) < 4:
> parser.print_help()
> sys.exit(2)
> # Consume the three fixed positional arguments; the rest are hostnames.
> arg=0
> local_peername=args[arg] ; arg+=1
> remote_peername=args[arg] ; arg+=1
> cacert=args[arg]; arg+=1
> # ok becomes True as soon as any hostname passes, so a single passing
> # hostname yields exit status 0 even if others failed.
> ok=False
> for hostname in args[arg:]:
> # this does not seem to make any difference
> # for url_format in [ 'https://%s:443/PLCAPI/' , 'https://%s/PLCAPI/' ]:
> for url_format in [ 'https://%s/PLCAPI/' ]:
> url=url_format%hostname
> print '============================== Checking url=',url
> if self.check_url(url,local_peername,remote_peername,cacert):
> ok=True
> if ok:
> return 0
> else:
> return 1
>
> # Run the check when executed as a script; the process exit status is the
> # value returned by main() (0 if at least one hostname passed, 1 otherwise).
> if __name__ == '__main__':
> sys.exit(check_ssl().main())
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Devel mailing list
> Devel at lists.planet-lab.org
> https://lists.planet-lab.org/mailman/listinfo/devel
>
-------------- next part --------------
============================== Checking url= https://www.planet-lab.eu/PLCAPI/
* About to connect() to www.planet-lab.eu port 443
* Trying 87.98.251.120... * connected
* Connected to www.planet-lab.eu (87.98.251.120) port 443
* successfully set certificate verify locations:
* CAfile: /etc/planetlab/PlanetLabEurope.cacert
CApath: none
* SSL connection using DHE-RSA-AES256-SHA
* Server certificate:
* subject: /C=FR/O=www.planet-lab.eu/OU=GT87987078/OU=See www.geotrust.com/resources/cps (c)07/OU=Domain Control Validated - QuickSSL(R)/CN=www.planet-lab.eu
* start date: 2007-06-21 08:14:52 GMT
* expire date: 2009-06-21 08:14:52 GMT
* common name: www.planet-lab.eu (matched)
* issuer: /C=US/O=Equifax Secure Inc./CN=Equifax Secure Global eBusiness CA-1
* SSL certificate verify ok.
> POST /PLCAPI/ HTTP/1.1
User-Agent: PycURL/7.13.1
Host: www.planet-lab.eu
Pragma: no-cache
Accept: */*
Content-Length: 578
Content-Type: application/x-www-form-urlencoded
<?xml version='1.0'?>
<methodCall>
<methodName>GetPeerName</methodName>
<params>
<param>
<value><struct>
<member>
<name>AuthMethod</name>
<value><string>gpg</string></value>
</member>
<member>
<name>name</name>
<value><string>PlanetLab</string></value>
</member>
<member>
<name>signature</name>
<value><string>-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iD8DBQBGfBnQjF7O116t5nERAjOtAJ0ed/ik6TlWTXjf9F9t5ISgnIH+KwCfT+gz
W/tVHbdjFk0ms3uls+lOOU0=
=D4lJ
-----END PGP SIGNATURE-----
</string></value>
</member>
</struct></value>
</param>
</params>
</methodCall>< HTTP/1.1 200 OK
< Date: Fri, 22 Jun 2007 18:49:48 GMT
< Server: Apache/2.0.54 (Fedora)
< Connection: close
< Transfer-Encoding: chunked
< Content-Type: text/xml; charset=utf-8
* Closing connection #0
xmlrpc answer <?xml version='1.0'?>
<methodResponse>
<params>
<param>
<value><string>PlanetLabEurope</string></value>
</param>
</params>
</methodResponse>
SUCCESS
-------------- next part --------------
PlanetLab Central Direct API Access
Type "system.listMethods()" or "help(method)" for more information.
>>> p=GetPeers(['PlanetLabEurope'])[0]
>>> p.connect()
>>> p.GetPeerName()
Traceback (most recent call last):
File "/usr/bin/plcsh", line 140, in ?
result = eval(command)
File "<string>", line 0, in ?
File "/data/build/tmp/PLCAPI-4.0-1.planetlab.2007.02.09-root//usr/share/plc_api/PLC/Peers.py", line 181, in wrapper
File "/usr/lib/python2.4/xmlrpclib.py", line 1096, in __call__
return self.__send(self.__name, args)
File "/usr/lib/python2.4/xmlrpclib.py", line 1383, in __request
verbose=self.__verbose
File "/usr/share/plc_api/PLC/PyCurl.py", line 76, in request
raise Exception, "SSL certificate validation failed"
Exception: SSL certificate validation failed