1. 19 Apr, 2019 1 commit
    • Remove m2crypto from sslxmlrpc_server; enable ssl handshake timeout by default. · fccfee60
      David Johnson authored
      Now we rely on the builtin SocketServer and ssl modules.  This combination is
      basically feature-equivalent to m2crypto, for our purposes.  The hack that
      sets a socket timeout to prevent non-ssl clients tying up the server's main
      thread (see commit 381e67a3) remains, but is significantly easier.  The
      problem is that the ssl.SSLSocket.accept method combines both the accept()
      on the server socket, and the ssl handshake "accept", into one function call,
      so we don't get an opportunity to propagate the finite timeout from the
      server socket to the client.  Thus, we override SSLSocket.accept in our own
      derived class, and avoid using the ssl module's various wrap_socket helpers.
      
      It seems reasonable to enable this by default, especially now that we're
      no longer vulnerable to m2crypto version variance.
      
      I also added real argument processing to make it easier to run devel versions.
  2. 29 Nov, 2018 1 commit
  3. 28 Nov, 2018 1 commit
  4. 03 Aug, 2018 1 commit
  5. 21 Jun, 2018 1 commit
  6. 12 Jan, 2018 3 commits
  7. 30 Oct, 2017 1 commit
  8. 12 Oct, 2017 1 commit
  9. 30 Aug, 2017 2 commits
  10. 23 Aug, 2017 1 commit
  11. 21 Aug, 2017 2 commits
    • Improve logging of m2crypto exceptions. · 97d9ad15
      David Johnson authored
      m2crypto's default SSLServer.handle_error function was just printing to
      stdout; that is an easy fix.  However, what is hard is associating the
      Exception with a client_address due to the
      socket/M2Crypto.SSL.Connection abstraction abuse.  Lots of stuff
      happens in Connection.accept(), and if an Exception is raised in there,
      no client_address is returned to the caller (i.e. handle_request()).
      m2crypto does a real disservice by overlaying the socket API and thus
      masking so many customization points that any real user would want to use.
    • Adjust client SSL timeout and default again. · fd4dedfe
      David Johnson authored
      Bump the SSL accept phase to 3 seconds to be a tad more gracious to
      legitimately-slow clients.  Also restore the default SSL timeout to None
      (i.e. whatever the underlying default timeout is).
  12. 19 Aug, 2017 1 commit
  13. 18 Aug, 2017 1 commit
  14. 17 Aug, 2017 1 commit
  15. 01 Jun, 2017 3 commits
  16. 17 Apr, 2017 1 commit
  17. 22 Sep, 2016 1 commit
    • By default, print out less info in showlease. · a309b898
      Mike Hibler authored
      The name always overran its field so all of the columns were out of alignment
      and the lines too long and it was just a mess. So by default just print out
      the basic stuff. Use '-l' to get the old, complete output.
  18. 31 May, 2016 1 commit
  19. 19 Mar, 2016 1 commit
  20. 03 Feb, 2016 1 commit
  21. 29 Oct, 2015 1 commit
  22. 18 Aug, 2015 2 commits
  23. 17 Aug, 2015 1 commit
  24. 29 Jul, 2015 1 commit
  25. 24 Jun, 2015 1 commit
    • Updates for new FreeBSD 10.1 based servers. · 480fdc70
      Mike Hibler authored
      Big changes a comin' to try to get us back on the supported path.
      
       * perl 5.14 -> 5.20
       * mysql 5.1 -> 5.5
       * php 5.4   -> 5.6
       * tcl 8.4   -> 8.6
       * number of vim patches up to 683.
      
      Not everything tested yet, but getting there.
      
      Specific changes:
      
       * New install/ports directory. New packages for FreeBSD 10.1 are version
         6.1. Cleaned up the ports' Makefiles getting rid of conditionals for
         all older versions. Also got rid of ports we don't use. Old ports tree
         is now install/oports.
      
       * Install script changes. Make sure /usr/bin/perl and /usr/local/bin/python
         links exist. Ports no longer make these but we use them in '#!'. Changes
         to mysql install and startup script--mysql has changed a LOT since we did
         the support in 4.x. Create syslog entry for named.log. Make sure php.conf
         loads the legacy "mysql" module rather than using "mysqli".
      
       * Elabinelab support. Reflect new packages, remove all old packages
         (except perl) before installing new versions, install "extras" package,
         make sure sendmail cert gets regenerated, make sure /usr/bin/perl link
         exists, make sure /usr/local/bin/python link exists.
      
       * Custom ports. otcl and xerces-c2 have both been removed from the ports
         tree as of Q2 2015. ipmitool-devel is a port for the latest version of
         ipmitool. The FreeBSD port is still a rev behind here. We need the
         newer version as it appears to make our SOL consoles more stable.
      
       * Random. Fixed prerender as neato output has changed again. Tweak to
         sslxmlrpc_server to reflect change in an underlying library. Tweak to
         db/libdb.py.in to turn on autocommit which matters now as mysql 5.5 will
         hang on a metadata lock otherwise. Remade eventsys perl/python stubs
         with SWIG 2.0. SWIG 1.3 did not produce working stubs for perl 5.20.
      
      Specific un-changes:
      
       * Apache is still at 2.2. I lack the guts and skilz to upgrade to 2.4.
      
       * Xerces library is still at (now unsupported) 2.8. Assign will need
         changes before we can move to 3.x.
      
       * Python is still 2.7.
      
      Thanks to Keith Sklower for all the work he did converting ports!
  26. 27 Jan, 2015 1 commit
  27. 18 Nov, 2014 1 commit
  28. 28 Aug, 2014 1 commit
  29. 20 Aug, 2014 2 commits
  30. 28 Jul, 2014 1 commit
  31. 15 Jul, 2014 1 commit
    • Add taint checks at various places to enforce node restrictions · 797f83dd
      Kirk Webb authored
      A bit overdue, but here they are.
      
      * Disallow image creation for any taint state on node/image
      * Disallow console access for "blackbox" and "useronly" states
      * Disallow node_admin for "blackbox" and "useronly" states
      
      TB Admins are exempt from these restrictions.
  32. 10 Jul, 2014 1 commit
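
The handshake-timeout problem described in commit fccfee60 above, as an added example that is not the project's code: instead of overriding SSLSocket.accept as that commit does, it accepts the plain TCP socket in a socketserver get_request() override, sets a finite timeout on it, and only then performs the TLS handshake. The class name, the probe() helper and the two non-TLS client payloads are constructed for illustration, and Python 3 is assumed.

```python
import socket
import socketserver
import ssl
import time

class HandshakeTimeoutServer(socketserver.TCPServer):
    """TCPServer that performs the TLS handshake under its own finite timeout."""
    allow_reuse_address = True

    def __init__(self, addr, handler, context, handshake_timeout=3.0, io_timeout=None):
        super().__init__(addr, handler)
        self.context = context
        self.handshake_timeout = handshake_timeout
        self.io_timeout = io_timeout
        self.last_failure = None  # (client_ip, reason) of the last rejected client

    def get_request(self):
        # Plain TCP accept only: no TLS bytes are read yet.
        raw, client_address = self.socket.accept()
        # The accepted socket has no timeout by default, so bound the handshake here.
        raw.settimeout(self.handshake_timeout)
        try:
            tls = self.context.wrap_socket(raw, server_side=True)
        except OSError as exc:  # socket.timeout and ssl.SSLError are both OSError
            raw.close()
            reason = "timeout" if isinstance(exc, socket.timeout) else "tls-error"
            # The peer address is still known here, so it can be logged.
            self.last_failure = (client_address[0], reason)
            raise  # socketserver drops the request and keeps serving
        tls.settimeout(self.io_timeout)  # back to the normal I/O timeout
        return tls, client_address

def probe(payload, handshake_timeout=0.5):
    """Connect a constructed non-TLS client; return (reason, seconds blocked)."""
    # No certificate is loaded: these clients fail before one would be used.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    handler = socketserver.BaseRequestHandler
    with HandshakeTimeoutServer(("127.0.0.1", 0), handler, ctx, handshake_timeout) as srv:
        with socket.create_connection(srv.server_address) as client:
            if payload:
                client.sendall(payload)
            start = time.monotonic()
            srv.handle_request()  # returns once the handshake has failed
            return srv.last_failure[1], time.monotonic() - start

if __name__ == "__main__":
    print(probe(b""))                        # silent client
    print(probe(b"GET / HTTP/1.0\r\n\r\n"))  # plaintext HTTP sent to the TLS port
```

A real deployment would load the server certificate with `ctx.load_cert_chain()` and pass its own request handler; the silent client holds the accepting thread for the handshake timeout only, not indefinitely.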