Add option for CA certificate for validating clients
This can be used to secure TCP traffic between Radicale and a reverse proxy
This commit is contained in:
parent
6bb0e9d956
commit
3af5809d71
4
config
4
config
@ -41,6 +41,10 @@
|
|||||||
# SSL private key
|
# SSL private key
|
||||||
#key = /etc/ssl/radicale.key.pem
|
#key = /etc/ssl/radicale.key.pem
|
||||||
|
|
||||||
|
# CA certificate for validating clients. This can be used to secure
|
||||||
|
# TCP traffic between Radicale and a reverse proxy
|
||||||
|
#certificate_authority =
|
||||||
|
|
||||||
# SSL Protocol used. See python's ssl module for available values
|
# SSL Protocol used. See python's ssl module for available values
|
||||||
#protocol = PROTOCOL_TLSv1_2
|
#protocol = PROTOCOL_TLSv1_2
|
||||||
|
|
||||||
|
@ -143,6 +143,7 @@ class HTTPSServer(HTTPServer):
|
|||||||
key = None
|
key = None
|
||||||
protocol = None
|
protocol = None
|
||||||
ciphers = None
|
ciphers = None
|
||||||
|
certificate_authority = None
|
||||||
|
|
||||||
def __init__(self, address, handler):
|
def __init__(self, address, handler):
|
||||||
"""Create server by wrapping HTTP socket in an SSL socket."""
|
"""Create server by wrapping HTTP socket in an SSL socket."""
|
||||||
@ -150,6 +151,9 @@ class HTTPSServer(HTTPServer):
|
|||||||
|
|
||||||
self.socket = ssl.wrap_socket(
|
self.socket = ssl.wrap_socket(
|
||||||
self.socket, self.key, self.certificate, server_side=True,
|
self.socket, self.key, self.certificate, server_side=True,
|
||||||
|
cert_reqs=ssl.CERT_REQUIRED if self.certificate_authority else
|
||||||
|
ssl.CERT_NONE,
|
||||||
|
ca_certs=self.certificate_authority or None,
|
||||||
ssl_version=self.protocol, ciphers=self.ciphers)
|
ssl_version=self.protocol, ciphers=self.ciphers)
|
||||||
|
|
||||||
self.server_bind()
|
self.server_bind()
|
||||||
@ -187,6 +191,9 @@ class RequestHandler(wsgiref.simple_server.WSGIRequestHandler):
|
|||||||
|
|
||||||
def get_environ(self):
|
def get_environ(self):
|
||||||
env = super().get_environ()
|
env = super().get_environ()
|
||||||
|
if hasattr(self.connection, "getpeercert"):
|
||||||
|
# The certificate can be evaluated by the auth module
|
||||||
|
env["REMOTE_CERTIFICATE"] = self.connection.getpeercert()
|
||||||
# Parent class only tries latin1 encoding
|
# Parent class only tries latin1 encoding
|
||||||
env["PATH_INFO"] = unquote(self.path.split("?", 1)[0])
|
env["PATH_INFO"] = unquote(self.path.split("?", 1)[0])
|
||||||
return env
|
return env
|
||||||
|
@ -169,11 +169,15 @@ def serve(configuration, logger):
|
|||||||
server_class = ThreadedHTTPSServer
|
server_class = ThreadedHTTPSServer
|
||||||
server_class.certificate = configuration.get("server", "certificate")
|
server_class.certificate = configuration.get("server", "certificate")
|
||||||
server_class.key = configuration.get("server", "key")
|
server_class.key = configuration.get("server", "key")
|
||||||
|
server_class.certificate_authority = configuration.get(
|
||||||
|
"server", "certificate_authority")
|
||||||
server_class.ciphers = configuration.get("server", "ciphers")
|
server_class.ciphers = configuration.get("server", "ciphers")
|
||||||
server_class.protocol = getattr(
|
server_class.protocol = getattr(
|
||||||
ssl, configuration.get("server", "protocol"), ssl.PROTOCOL_SSLv23)
|
ssl, configuration.get("server", "protocol"), ssl.PROTOCOL_SSLv23)
|
||||||
# Test if the SSL files can be read
|
# Test if the SSL files can be read
|
||||||
for name in ("certificate", "key"):
|
for name in ["certificate", "key"] + (
|
||||||
|
["certificate_authority"]
|
||||||
|
if server_class.certificate_authority else []):
|
||||||
filename = getattr(server_class, name)
|
filename = getattr(server_class, name)
|
||||||
try:
|
try:
|
||||||
open(filename, "r").close()
|
open(filename, "r").close()
|
||||||
|
@ -74,6 +74,11 @@ INITIAL_CONFIG = OrderedDict([
|
|||||||
"help": "set private key file",
|
"help": "set private key file",
|
||||||
"aliases": ["-k", "--key"],
|
"aliases": ["-k", "--key"],
|
||||||
"type": str}),
|
"type": str}),
|
||||||
|
("certificate_authority", {
|
||||||
|
"value": "",
|
||||||
|
"help": "set CA certificate for validating clients",
|
||||||
|
"aliases": ["--certificate-authority"],
|
||||||
|
"type": str}),
|
||||||
("protocol", {
|
("protocol", {
|
||||||
"value": "PROTOCOL_TLSv1_2",
|
"value": "PROTOCOL_TLSv1_2",
|
||||||
"help": "SSL protocol used",
|
"help": "SSL protocol used",
|
||||||
|
Loading…
Reference in New Issue
Block a user