def ssl_wrap_socket(sock): """ Wrap an existing socket in SSL :param sock: non-SSL socket to wrap :returns: An SSL wrapped socket """ utils.validate_key_cert(CONF.api.key_file, CONF.api.cert_file) ssl_kwargs = { 'server_side': True, 'certfile': CONF.api.cert_file, 'keyfile': CONF.api.key_file, 'cert_reqs': ssl.CERT_NONE, } if CONF.api.ca_file: ssl_kwargs['ca_certs'] = CONF.api.ca_file ssl_kwargs['cert_reqs'] = ssl.CERT_REQUIRED return ssl.wrap_socket(sock, **ssl_kwargs)
def configure_socket(self, old_conf=None, has_changed=None): """ Ensure a socket exists and is appropriately configured. This function is called on start up, and can also be called in the event of a configuration reload. When called for the first time a new socket is created. If reloading and either bind_host or bind port have been changed the existing socket must be closed and a new socket opened (laws of physics). In all other cases (bind_host/bind_port have not changed) the existing socket is reused. :param old_conf: Cached old configuration settings (if any) :param has changed: callable to determine if a parameter has changed """ # Do we need a fresh socket? new_sock = (old_conf is None or (has_changed('bind_host') or has_changed('bind_port'))) # Will we be using https? use_ssl = not (not CONF.api.cert_file or not CONF.api.key_file) # Were we using https before? old_use_ssl = (old_conf is not None and not (not old_conf.get('key_file') or not old_conf.get('cert_file'))) # Do we now need to perform an SSL wrap on the socket? wrap_sock = use_ssl is True and (old_use_ssl is False or new_sock) # Do we now need to perform an SSL unwrap on the socket? unwrap_sock = use_ssl is False and old_use_ssl is True if new_sock: self._sock = None if old_conf is not None: self.sock.close() _sock = get_socket(self.default_port) _sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) # sockets can hang around forever without keepalive _sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1) self._sock = _sock if wrap_sock: self.sock = ssl_wrap_socket(self._sock) if unwrap_sock: self.sock = self._sock if new_sock and not use_ssl: self.sock = self._sock # Pick up newly deployed certs if old_conf is not None and use_ssl is True and old_use_ssl is True: if has_changed('cert_file') or has_changed('key_file'): utils.validate_key_cert(CONF.api.key_file, CONF.api.cert_file) if has_changed('cert_file'): self.sock.certfile = CONF.api.cert_file if has_changed('key_file'): self.sock.keyfile = CONF.api.key_file if new_sock or (old_conf is not None and has_changed('tcp_keepidle')): # This option isn't available in the OS X version of eventlet if hasattr(socket, 'TCP_KEEPIDLE'): self.sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE, CONF.api.tcp_keepidle) if old_conf is not None and has_changed('backlog'): self.sock.listen(CONF.api.backlog)
def configure_socket(self, old_conf=None, has_changed=None): """ Ensure a socket exists and is appropriately configured. This function is called on start up, and can also be called in the event of a configuration reload. When called for the first time a new socket is created. If reloading and either bind_host or bind port have been changed the existing socket must be closed and a new socket opened (laws of physics). In all other cases (bind_host/bind_port have not changed) the existing socket is reused. :param old_conf: Cached old configuration settings (if any) :param has_changed: callable to determine if a parameter has changed """ # Do we need a fresh socket? new_sock = (old_conf is None or ( has_changed('bind_host') or has_changed('bind_port'))) # Will we be using https? use_ssl = not (not CONF.api.cert_file or not CONF.api.key_file) # Were we using https before? old_use_ssl = (old_conf is not None and not ( not old_conf.get('key_file') or not old_conf.get('cert_file'))) # Do we now need to perform an SSL wrap on the socket? wrap_sock = use_ssl is True and (old_use_ssl is False or new_sock) # Do we now need to perform an SSL unwrap on the socket? unwrap_sock = use_ssl is False and old_use_ssl is True if new_sock: self._sock = None if old_conf is not None: self.sock.close() _sock = get_socket(self.default_port) _sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) # sockets can hang around forever without keepalive _sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1) self._sock = _sock if wrap_sock: self.sock = ssl_wrap_socket(self._sock) if unwrap_sock: self.sock = self._sock if new_sock and not use_ssl: self.sock = self._sock # Pick up newly deployed certs if old_conf is not None and use_ssl is True and old_use_ssl is True: if has_changed('cert_file') or has_changed('key_file'): utils.validate_key_cert(CONF.api.key_file, CONF.api.cert_file) if has_changed('cert_file'): self.sock.certfile = CONF.api.cert_file if has_changed('key_file'): self.sock.keyfile = CONF.api.key_file if new_sock or (old_conf is not None and has_changed('tcp_keepidle')): # This option isn't available in the OS X version of eventlet if hasattr(socket, 'TCP_KEEPIDLE'): self.sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE, CONF.api.tcp_keepidle) if old_conf is not None and has_changed('backlog'): self.sock.listen(CONF.api.backlog)