• Leigh B. Stoller's avatar
    A fair amount of cleanup, both of the ssl stuff and of tmcd in general. · 40d072cf
    Leigh B. Stoller authored
    Deal with ssl/nossl clients; at Chad's suggestion add a small handshake
    tag to ssl enabled tmcc/tmcd which tells tmcd that it needs to enter
    full SSL mode. This allows old tmcc to connect to an ssl enabled tmcd,
    and still work okay.
    I've also ironed out the verification stuff. At the client, we make sure
    that the CommonName field of the peer cert maps to the same address that
    we connected to (bossnode).
    At the server, we check the OU field of the cert (we create the client
    certs with the OU field set to the node type; a convention I made up!).
    It must match the type of the node, as we get it from the nodes table.
    Also check the CommonName to make sure it matches our hostname. This is
    by no means bulletproof, but perfection is costly, and we don't have the
    Also cleaned up the REDIRECT testmode stuff. Instead of ifdef'ed under
    TESTMODE, leave it compiled in all the time, but only allow it from the
    local node (where tmcd is running). Mere users will not be able to
    access it, but testbed people can use it since they have accounts on the
    boss node.
decls.h 818 Bytes