-
Leigh B. Stoller authored
Deal with ssl/nossl clients; at Chad's suggestion add a small handshake tag to ssl enabled tmcc/tmcd which tells tmcd that it needs to enter full SSL mode. This allows old tmcc to connect to an ssl enabled tmcd, and still work okay. I've also ironed out the verification stuff. At the client, we make sure that the CommonName field of the peer cert maps to the same address that we connected to (bossnode). At the server, we check the OU field of the cert (we create the client certs with the OU field set to the node type; a convention I made up!). It must match the type of the node, as we get it from the nodes table. Also check the CommonName to make sure it matches our hostname. This is by no means bulletproof, but perfection is costly, and we don't have the money! Also cleaned up the REDIRECT testmode stuff. Instead of ifdef'ed under TESTMODE, leave it compiled in all the time, but only allow it from the local node (where tmcd is running). Mere users will not be able to access it, but testbed people can use it since they have accounts on the boss node.
40d072cf