version 1.544, 2018/07/29 03:03:36
|
version 1.549, 2018/08/20 22:42:05
|
Line 108 my %perlvar; # Will have the apache co
|
Line 108 my %perlvar; # Will have the apache co
|
my %secureconf; # Will have requirements for security |
my %secureconf; # Will have requirements for security |
# of lond connections |
# of lond connections |
|
|
|
my %crlchecked; # Will contain clients for which the client's SSL |
|
# has been checked against the cluster's Certificate |
|
# Revocation List. |
|
|
my $dist; |
my $dist; |
|
|
# |
# |
Line 420 sub SSLConnection {
|
Line 424 sub SSLConnection {
|
Debug("Approving promotion -> ssl"); |
Debug("Approving promotion -> ssl"); |
# And do so: |
# And do so: |
|
|
|
my $CRLFile; |
|
unless ($crlchecked{$clientname}) { |
|
$CRLFile = lonssl::CRLFile(); |
|
$crlchecked{$clientname} = 1; |
|
} |
|
|
my $SSLSocket = lonssl::PromoteServerSocket($Socket, |
my $SSLSocket = lonssl::PromoteServerSocket($Socket, |
$CACertificate, |
$CACertificate, |
$Certificate, |
$Certificate, |
$KeyFile, |
$KeyFile, |
$clientname); |
$clientname, |
|
$CRLFile, |
|
$clientversion); |
if(! ($SSLSocket) ) { # SSL socket promotion failed. |
if(! ($SSLSocket) ) { # SSL socket promotion failed. |
my $err = lonssl::LastError(); |
my $err = lonssl::LastError(); |
&logthis("<font color=\"red\"> CRITICAL " |
&logthis("<font color=\"red\"> CRITICAL " |
Line 780 sub ConfigFileFromSelector {
|
Line 792 sub ConfigFileFromSelector {
|
my $selector = shift; |
my $selector = shift; |
my $tablefile; |
my $tablefile; |
|
|
my $tabledir = $perlvar{'lonTabDir'}.'/'; |
if ($selector eq 'loncapaCAcrl') { |
if (($selector eq "hosts") || ($selector eq "domain") || |
my $tabledir = $perlvar{'lonCertificateDirectory'}; |
($selector eq "dns_hosts") || ($selector eq "dns_domain")) { |
if (-d $tabledir) { |
$tablefile = $tabledir.$selector.'.tab'; |
$tablefile = $tabledir.'/'.$selector.'.pem'; |
|
} |
|
} else { |
|
my $tabledir = $perlvar{'lonTabDir'}.'/'; |
|
if (($selector eq "hosts") || ($selector eq "domain") || |
|
($selector eq "dns_hosts") || ($selector eq "dns_domain")) { |
|
$tablefile = $tabledir.$selector.'.tab'; |
|
} |
} |
} |
return $tablefile; |
return $tablefile; |
} |
} |
Line 807 sub PushFile {
|
Line 826 sub PushFile {
|
my ($command, $filename, $contents) = split(":", $request, 3); |
my ($command, $filename, $contents) = split(":", $request, 3); |
&Debug("PushFile"); |
&Debug("PushFile"); |
|
|
# At this point in time, pushes for only the following tables are |
# At this point in time, pushes for only the following tables and |
# supported: |
# CRL file are supported: |
# hosts.tab ($filename eq host). |
# hosts.tab ($filename eq host). |
# domain.tab ($filename eq domain). |
# domain.tab ($filename eq domain). |
# dns_hosts.tab ($filename eq dns_host). |
# dns_hosts.tab ($filename eq dns_host). |
# dns_domain.tab ($filename eq dns_domain). |
# dns_domain.tab ($filename eq dns_domain). |
|
# loncapaCAcrl.pem ($filename eq loncapaCAcrl); |
# Construct the destination filename or reject the request. |
# Construct the destination filename or reject the request. |
# |
# |
# lonManage is supposed to ensure this, however this session could be |
# lonManage is supposed to ensure this, however this session could be |
Line 833 sub PushFile {
|
Line 853 sub PushFile {
|
|
|
if($filename eq "host") { |
if($filename eq "host") { |
$contents = AdjustHostContents($contents); |
$contents = AdjustHostContents($contents); |
} elsif ($filename eq 'dns_host' || $filename eq 'dns_domain') { |
} elsif (($filename eq 'dns_host') || ($filename eq 'dns_domain') || |
|
($filename eq 'loncapaCAcrl')) { |
if ($contents eq '') { |
if ($contents eq '') { |
&logthis('<font color="red"> Pushfile: unable to install ' |
&logthis('<font color="red"> Pushfile: unable to install ' |
.$tablefile." - no data received from push. </font>"); |
.$tablefile." - no data received from push. </font>"); |
Line 844 sub PushFile {
|
Line 865 sub PushFile {
|
if ($managers{$clientip} eq $clientname) { |
if ($managers{$clientip} eq $clientname) { |
my $clientprotocol = $Apache::lonnet::protocol{$clientname}; |
my $clientprotocol = $Apache::lonnet::protocol{$clientname}; |
$clientprotocol = 'http' if ($clientprotocol ne 'https'); |
$clientprotocol = 'http' if ($clientprotocol ne 'https'); |
my $url = '/adm/'.$filename; |
my $url; |
$url =~ s{_}{/}; |
if ($filename eq 'loncapaCAcrl') { |
|
$url = '/adm/dns/loncapaCRL'; |
|
} else { |
|
$url = '/adm/'.$filename; |
|
$url =~ s{_}{/}; |
|
} |
my $request=new HTTP::Request('GET',"$clientprotocol://$clienthost$url"); |
my $request=new HTTP::Request('GET',"$clientprotocol://$clienthost$url"); |
my $response = LONCAPA::LWPReq::makerequest($clientname,$request,'',\%perlvar,60,0); |
my $response = LONCAPA::LWPReq::makerequest($clientname,$request,'',\%perlvar,60,0); |
if ($response->is_error()) { |
if ($response->is_error()) { |
Line 1883 sub ls3_handler {
|
Line 1909 sub ls3_handler {
|
my $rights; |
my $rights; |
my $ulsout=''; |
my $ulsout=''; |
my $ulsfn; |
my $ulsfn; |
|
|
|
my ($crscheck,$toplevel,$currdom,$currnum,$skip); |
|
unless ($islocal) { |
|
my ($major,$minor) = split(/\./,$clientversion); |
|
if (($major < 2) || ($major == 2 && $minor < 12)) { |
|
$crscheck = 1; |
|
} |
|
} |
if (-e $ulsdir) { |
if (-e $ulsdir) { |
if(-d $ulsdir) { |
if(-d $ulsdir) { |
unless (($getpropath) || ($getuserdir) || |
unless (($getpropath) || ($getuserdir) || |
Line 1892 sub ls3_handler {
|
Line 1926 sub ls3_handler {
|
&Failure($client,"refused\n",$userinput); |
&Failure($client,"refused\n",$userinput); |
return 1; |
return 1; |
} |
} |
if (opendir(LSDIR,$ulsdir)) { |
if (($crscheck) && |
|
($ulsdir =~ m{^/home/httpd/html/res/($LONCAPA::match_domain)(/?$|/$LONCAPA::match_courseid)})) { |
|
($currdom,my $posscnum) = ($1,$2); |
|
if (($posscnum eq '') || ($posscnum eq '/')) { |
|
$toplevel = 1; |
|
} else { |
|
$posscnum =~ s{^/+}{}; |
|
if (&LONCAPA::Lond::is_course($currdom,$posscnum)) { |
|
$skip = 1; |
|
} |
|
} |
|
} |
|
if ((!$skip) && (opendir(LSDIR,$ulsdir))) { |
while ($ulsfn=readdir(LSDIR)) { |
while ($ulsfn=readdir(LSDIR)) { |
|
if (($crscheck) && ($toplevel) && ($currdom ne '') && |
|
($ulsfn =~ /^$LONCAPA::match_courseid$/) && (-d "$ulsdir/$ulsfn")) { |
|
if (&LONCAPA::Lond::is_course($currdom,$ulsfn)) { |
|
next; |
|
} |
|
} |
undef($obs); |
undef($obs); |
undef($rights); |
undef($rights); |
my @ulsstats=stat($ulsdir.'/'.$ulsfn); |
my @ulsstats=stat($ulsdir.'/'.$ulsfn); |
Line 2071 sub server_distarch_handler {
|
Line 2123 sub server_distarch_handler {
|
sub server_certs_handler { |
sub server_certs_handler { |
my ($cmd,$tail,$client) = @_; |
my ($cmd,$tail,$client) = @_; |
my $userinput = "$cmd:$tail"; |
my $userinput = "$cmd:$tail"; |
my $result; |
my $hostname = &Apache::lonnet::hostname($perlvar{'lonHostID'}); |
my $result = &LONCAPA::Lond::server_certs(\%perlvar); |
my $result = &LONCAPA::Lond::server_certs(\%perlvar,$perlvar{'lonHostID'},$hostname); |
&Reply($client,\$result,$userinput); |
&Reply($client,\$result,$userinput); |
return; |
return; |
} |
} |
Line 6993 sub UpdateHosts {
|
Line 7045 sub UpdateHosts {
|
|
|
my %oldconf = %secureconf; |
my %oldconf = %secureconf; |
my %connchange; |
my %connchange; |
if (lonssl::Read_Connect_Config(\%secureconf,\%perlvar) eq 'ok') { |
if (lonssl::Read_Connect_Config(\%secureconf,\%crlchecked,\%perlvar) eq 'ok') { |
logthis('<font color="blue"> Reloaded SSL connection rules </font>'); |
logthis('<font color="blue"> Reloaded SSL connection rules and cleared CRL checking history </font>'); |
} else { |
} else { |
logthis('<font color="yellow"> Failed to reload SSL connection rules </font>'); |
logthis('<font color="yellow"> Failed to reload SSL connection rules and clear CRL checking history </font>'); |
} |
} |
if ((ref($oldconf{'connfrom'}) eq 'HASH') && (ref($secureconf{'connfrom'}) eq 'HASH')) { |
if ((ref($oldconf{'connfrom'}) eq 'HASH') && (ref($secureconf{'connfrom'}) eq 'HASH')) { |
foreach my $type ('dom','intdom','other') { |
foreach my $type ('dom','intdom','other') { |
Line 7275 if ($arch eq 'unknown') {
|
Line 7327 if ($arch eq 'unknown') {
|
chomp($arch); |
chomp($arch); |
} |
} |
|
|
unless (lonssl::Read_Connect_Config(\%secureconf,\%perlvar) eq 'ok') { |
unless (lonssl::Read_Connect_Config(\%secureconf,\%crlchecked,\%perlvar) eq 'ok') { |
&logthis('<font color="blue">No connectionrules table. Will fallback to loncapa.conf</font>'); |
&logthis('<font color="blue">No connectionrules table. Will fallback to loncapa.conf</font>'); |
} |
} |
|
|
Line 8884 is closed and the child exits.
|
Line 8936 is closed and the child exits.
|
=item Red CRITICAL Can't get key file <error> |
=item Red CRITICAL Can't get key file <error> |
|
|
SSL key negotiation is being attempted but the call to |
SSL key negotiation is being attempted but the call to |
lonssl::KeyFile failed. This usually means that the |
lonssl::KeyFile failed. This usually means that the |
configuration file is not correctly defining or protecting |
configuration file is not correctly defining or protecting |
the directories/files lonCertificateDirectory or |
the directories/files lonCertificateDirectory or |
lonnetPrivateKey |
lonnetPrivateKey |