SSLVerifyPeer(conn,
cert,
errnum,
errdepth,
ok)
| source code
|
Callback function to verify a peer against the candidate cert map.
Note that we have a chicken-and-egg problem during cluster init and
upgrade. This method checks whether the incoming connection comes from a
master candidate by comparing it to the master certificate map in the
cluster configuration. However, during cluster init and cluster upgrade
there are various RPC calls done to the master node itself, before the
candidate certificate list is established and the cluster configuration
is written. In this case, we cannot check against the master candidate
map.
This problem is solved by checking whether the candidate map is empty.
An initialized 2.11 or higher cluster has at least one entry for the
master node in the candidate map. If the map is empty, we know that we
are still in the bootstrap/upgrade phase. In this case, we read the
server certificate digest and compare it to the incoming request.
This means that after an upgrade of Ganeti, the system continues to
operate like before, using server certificates only. After the client
certificates are generated with ``gnt-cluster renew-crypto
--new-node-certificates``, RPC communication is switched to using client
certificates and the trick of using server certificates does not work
anymore.
- Parameters:
conn (OpenSSL.SSL.Connection ) - the OpenSSL connection object
cert (OpenSSL.X509 ) - the peer's SSL certificate
|