Commit e1871b51 authored by Robert Ricci's avatar Robert Ricci

Stop hard-coding the digest of Utah's capture certificate, and read

it out of a file in /usr/testbed/etc .

We put it in a separate file from the rest of the certificate, because
we need the fingerprint to be publicly readable.
parent b7c376c3
......@@ -6,6 +6,18 @@ This file is in the same format at the FreeBSD UPDATING file, whis is
to say, in reverse chronological order, with the date of the change
in YYYYMMDD format.
Fixed the way we handle the certificate for capture with tiptunnel.
We no longer hard-code the certificate digest in nodetipacl.php3 .
However, as a result, we must place this fingerprint in a publically-
readable file on boss. So, if you have serial lines that you're
running with capture:
1) Copy your /usr/testbed/etc/capture.pem file from your tipserver to
boss, if it isn't there already.
2) In /usr/testbed/etc/ on boss, run: 'openssl x509 -sha -noout
-fingerprint -in capture.pem > capture.fingerprint', and make this
file world-readable.
Changed the length of the node_id columns from 10 to 32. Make sure
you re-compile and restart all daemons written in C (such as
......@@ -15,7 +15,8 @@ include $(OBJDIR)/Makeconf
all: emulab.pem server.pem localnode.pem ronnode.pem pcwa.pem ctrlnode.pem \
keys mksig
remote-site: emulab.pem capture.pem server.pem localnode.pem
remote-site: emulab.pem capture.pem capture.fingerprint server.pem \
include $(TESTBED_SRCDIR)/GNUmakerules
......@@ -84,6 +85,16 @@ capture.pem: dirsmade capture.cnf ca.cnf
cat capture_key.pem capture_cert.pem > capture.pem
rm -f newreq.pem
# Generate the fingerprint of the capture certificate
# NOTE: I'd rather use SHA1 than SHA, but we've widely distributed the
# tiptunnel binary, and it needs SHA
capture.fingerprint: capture.pem
openssl x509 -sha -noout -fingerprint -in capture.pem \
> capture.fingerprint
localnode.pem: dirsmade localnode.cnf ca.cnf $(SRCDIR)/
$(SRCDIR)/ localnode
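Review bot: The `capture.fingerprint` recipe redirects openssl's output straight into the target, so if openssl fails (capture.pem unreadable, `-sha` unsupported by the installed OpenSSL) an empty capture.fingerprint is left behind that is newer than capture.pem and the next make treats it as up to date; since nodetipacl.php3 now treats this file as the certificate's identity, a silently empty or truncated trust file should not be possible. Write to a temporary and rename, using the automatic variables rather than repeating the names: `openssl x509 -sha -noout -fingerprint -in $< > $@.tmp && mv -f $@.tmp $@`; alternatively declare `.DELETE_ON_ERROR:` so a failed recipe removes its partial target. Note also that OpenSSL's `-sha` selects the original SHA-0 digest, not SHA-1, which the comment alludes to; spelling that out in the comment (`# -sha is SHA-0; tiptunnel expects it, do not change to -sha1`) would stop a site from "fixing" it and breaking tiptunnel's verification. The same `> capture.fingerprint` pattern is documented as a manual step in the UPDATING hunk above.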
......@@ -147,10 +158,13 @@ boss-installX: $(INSTALL_ETCDIR)/emulab.pem \
chmod 640 $(INSTALL_ETCDIR)/emulab_privkey.pem
remote-site-boss-install: $(INSTALL_ETCDIR)/emulab.pem \
$(INSTALL_ETCDIR)/capture.pem $(INSTALL_ETCDIR)/server.pem
$(INSTALL_ETCDIR)/capture.pem \
$(INSTALL_ETCDIR)/capture.fingerprint \
$(INSTALL_DATA) localnode.pem $(INSTALL_ETCDIR)/client.pem
chmod 640 $(INSTALL_ETCDIR)/emulab.pem
chmod 640 $(INSTALL_ETCDIR)/capture.pem
chmod 644 $(INSTALL_ETCDIR)/capture.fingerprint
chmod 640 $(INSTALL_ETCDIR)/server.pem
chmod 640 $(INSTALL_ETCDIR)/client.pem
......@@ -43,6 +43,22 @@ if (mysql_num_rows($query_result) == 0) {
USERERROR("The node $node_id does not exist, or seem to have a tipline!", 1);
# Read in the fingerprint of capture's certificate
$capfile = "$TBETC_DIR/capture.fingerprint";
$lines = file($capfile,"r");
if (!$lines) {
TBERROR("Unable to open $capfile!",1);
$fingerline = rtrim($lines[0]);
if (!preg_match("/Fingerprint=([\w:]+)$/",$fingerline,$matches)) {
TBERROR("Unable to find fingerprint in string $fingerline!",1);
$certhash = str_replace(":","",strtolower($matches[1]));
$filename = $node_id . ".tbacl";
header("Content-Type: text/x-testbed-acl");
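Review bot: The fingerprint is accepted by `preg_match("/Fingerprint=([\w:]+)$/", ...)`, whose `\w` admits letters and underscores outside the hex alphabet, and `$certhash` is then emitted into the ACL with no length check; as this file is now the sole source of the certificate identity tiptunnel will verify, the parse should fail closed on anything that is not a well-formed digest. Tighten the pattern to `/Fingerprint=((?:[0-9A-Fa-f]{2}:)+[0-9A-Fa-f]{2})$/` and, after the `str_replace`, add `if (strlen($certhash) != 40) { TBERROR("Malformed fingerprint in $capfile!",1); }` since a SHA fingerprint is 20 bytes, 40 hex characters. Separately, `file($capfile,"r")` passes a string where `file()`'s second argument is an integer flag, which is at best ignored and in later PHP versions a type error; use `$lines = file($capfile);`. Whether `TBERROR(...,1)` terminates the script is not visible in this hunk; if it only logs, execution continues with `$lines` false and `$matches` unset, so the error paths should `return` or `exit` explicitly. The `USERERROR` line at the top of the hunk belongs to an `if` whose opening is outside the hunk.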
......@@ -58,10 +74,6 @@ $portnum = $row[portnum];
$keylen = $row[keylen];
$keydata = $row[keydata];
# XXX fix me!!!
# $certhash = "7161bb44818e7be5a5bcd58506163e1583e6aa1c";
$certhash = "0bc864551de711a3d46ac173dbd67cde75c36734";
echo "host: $server\n";
echo "port: $portnum\n";
echo "keylen: $keylen\n";