On Wed, Apr 13, 2011 at 03:52:08PM +0200, Kosa Attila wrote:
If I take out StrongPsslProxy, then it complains in the log that X509KeyBridge is not defined:

Apr 13 15:45:59 squeeze-zorp39gpl zorp/zorp_https[13889]: core.stderr(3): (stderr): NameError: global name 'X509KeyBridge' is not defined#012

After I had written the above, something occurred to me, and I looked into the /usr/share/zorp/pylib/Zorp directory, and lo and behold, there is a Keybridge.py file :) I imported it, and the error message is already different :) I had given it the wrong directory for where it should have generated the keys. I fixed that too, and this is what I got in the log:

Apr 13 15:56:07 squeeze-zorp39gpl zorp/zorp_https[13959]: core.session(5): (svc/intra_Keybridge_HTTPS_inter): Starting service; name='intra_Keybridge_HTTPS_inter'
Apr 13 15:56:07 squeeze-zorp39gpl zorp/zorp_https[13959]: core.session(3): (svc/intra_Keybridge_HTTPS_inter:0): Starting proxy instance; client_fd='15', client_address='AF_INET(192.168.2.1:1296)', client_zone='Zone(intranet, 192.168.2.0/24)', client_local='AF_INET(62.112.211.40:443)', client_protocol='TCP'
Apr 13 15:56:07 squeeze-zorp39gpl zorp/zorp_https[13959]: core.session(5): (svc/intra_Keybridge_HTTPS_inter:0/http): Proxy starting; class='KeybridgeStrongHttpsProxy', proxy='http'
Apr 13 15:56:07 squeeze-zorp39gpl zorp/zorp_https[13959]: core.error(3): (svc/intra_Keybridge_HTTPS_inter:0/http/client): Error while fetching line; error='Invalid line, embedded NUL character found, buffer=[#026#003#001]'
Apr 13 15:56:07 squeeze-zorp39gpl zorp/zorp_https[13959]: core.accounting(4): (svc/intra_Keybridge_HTTPS_inter:0/http/client): accounting info; type='ZStreamLine', duration='0', sent='0', received='49'
Apr 13 15:56:07 squeeze-zorp39gpl zorp/zorp_https[13959]: core.session(5): (svc/intra_Keybridge_HTTPS_inter:0/http): Proxy ending; class='KeybridgeStrongHttpsProxy', module='http'
Apr 13 15:56:07 squeeze-zorp39gpl zorp/zorp_https[13959]: core.session(4): (svc/intra_Keybridge_HTTPS_inter:0): Ending proxy instance;
Apr 13 15:56:07 squeeze-zorp39gpl zorp/zorp_https[13959]: core.accounting(4): (svc/intra_Keybridge_HTTPS_inter:0/http/client): accounting info; type='ZStreamFD', duration='0', sent='0', received='77'
Apr 13 15:56:07 squeeze-zorp39gpl zorp/zorp_https[13959]: core.session(5): (svc/intra_Keybridge_HTTPS_inter): Starting service; name='intra_Keybridge_HTTPS_inter'
Apr 13 15:56:07 squeeze-zorp39gpl zorp/zorp_https[13959]: core.session(3): (svc/intra_Keybridge_HTTPS_inter:1): Starting proxy instance; client_fd='15', client_address='AF_INET(192.168.2.1:1297)', client_zone='Zone(intranet, 192.168.2.0/24)', client_local='AF_INET(62.112.211.40:443)', client_protocol='TCP'
Apr 13 15:56:07 squeeze-zorp39gpl zorp/zorp_https[13959]: core.session(5): (svc/intra_Keybridge_HTTPS_inter:1/http): Proxy starting; class='KeybridgeStrongHttpsProxy', proxy='http'
Apr 13 15:56:07 squeeze-zorp39gpl zorp/zorp_https[13959]: core.error(3): (svc/intra_Keybridge_HTTPS_inter:1/http/client): Error while fetching line; error='Invalid line, embedded NUL character found, buffer=[#026#003]'
Apr 13 15:56:07 squeeze-zorp39gpl zorp/zorp_https[13959]: core.accounting(4): (svc/intra_Keybridge_HTTPS_inter:1/http/client): accounting info; type='ZStreamLine', duration='0', sent='0', received='20'
Apr 13 15:56:07 squeeze-zorp39gpl zorp/zorp_https[13959]: core.session(5): (svc/intra_Keybridge_HTTPS_inter:1/http): Proxy ending; class='KeybridgeStrongHttpsProxy', module='http'
Apr 13 15:56:07 squeeze-zorp39gpl zorp/zorp_https[13959]: core.session(4): (svc/intra_Keybridge_HTTPS_inter:1): Ending proxy instance;
Apr 13 15:56:07 squeeze-zorp39gpl zorp/zorp_https[13959]: core.accounting(4): (svc/intra_Keybridge_HTTPS_inter:1/http/client): accounting info; type='ZStreamFD', duration='0', sent='0', received='72'
Apr 13 15:56:07 squeeze-zorp39gpl zorp/zorp_https[13959]: core.session(5): (svc/intra_Keybridge_HTTPS_inter): Starting service; name='intra_Keybridge_HTTPS_inter'
Apr 13 15:56:07 squeeze-zorp39gpl zorp/zorp_https[13959]: core.session(3): (svc/intra_Keybridge_HTTPS_inter:2): Starting proxy instance; client_fd='15', client_address='AF_INET(192.168.2.1:1298)', client_zone='Zone(intranet, 192.168.2.0/24)', client_local='AF_INET(62.112.211.40:443)', client_protocol='TCP'
Apr 13 15:56:07 squeeze-zorp39gpl zorp/zorp_https[13959]: core.session(5): (svc/intra_Keybridge_HTTPS_inter:2/http): Proxy starting; class='KeybridgeStrongHttpsProxy', proxy='http'
Apr 13 15:56:07 squeeze-zorp39gpl zorp/zorp_https[13959]: core.accounting(4): (svc/intra_Keybridge_HTTPS_inter:2/http/client): accounting info; type='ZStreamLine', duration='0', sent='0', received='0'
Apr 13 15:56:07 squeeze-zorp39gpl zorp/zorp_https[13959]: core.session(5): (svc/intra_Keybridge_HTTPS_inter:2/http): Proxy ending; class='KeybridgeStrongHttpsProxy', module='http'
Apr 13 15:56:07 squeeze-zorp39gpl zorp/zorp_https[13959]: core.session(4): (svc/intra_Keybridge_HTTPS_inter:2): Ending proxy instance;

The config now looks like this:

from Zorp.Core import *
from Zorp.Pssl import *
from Zorp.Http import *
from Zorp.Keybridge import *

InetZone("intranet", "192.168.2.0/24",
    inbound_services=[],
    outbound_services=["intra_Keybridge_HTTPS_inter"])
InetZone("internet", "0.0.0.0/0",
    inbound_services=["intra_Keybridge_HTTPS_inter"],
    outbound_services=[])

class StrongHttpsProxy(HttpProxy):
    def config(self):
        HttpProxy.config(self)
        self.ssl.client_keypair_files=("/etc/ssl/certs/fw.akarmi.hu.crt", "/etc/ssl/private/fw.akarmi.hu.key.nopass")
        self.ssl.client_verify_type=SSL_VERIFY_NONE
        self.ssl.client_connection_security = SSL_FORCE_SSL
        self.ssl.server_connection_security = SSL_FORCE_SSL
        self.ssl.server_cagroup_directories=("/etc/zorp/ca.crt", "/etc/zorp/crls/")
        self.ssl.server_ssl_method=SSL_METHOD_ALL
        self.ssl.server_disable_proto_sslv2=TRUE
        self.ssl.server_ssl_cipher=SSL_CIPHERS_HIGH
        self.ssl.server_verify_type=SSL_VERIFY_REQUIRED_UNTRUSTED

class KeybridgeStrongHttpsProxy(StrongHttpsProxy):
    def config(self):
        self.ssl.key_generator=X509KeyBridge(key_file="/etc/zorp/keybridging_cert/fwca.key",
            key_passphrase="jelszo",
            cache_directory="/var/lib/zorp/keybridge-cache",
            trusted_ca_files=("/etc/zorp/certs/trust.crt", "/etc/zorp/certs/trust.key.nopass"),
            untrusted_ca_files=("/etc/zorp/certs/untrust.crt", "/etc/zorp/certs/untrust.key.nopass"))
        self.ssl.handshake_seq=PSSL_HSO_SERVER_CLIENT
        self.ssl.client_keypair_generate=TRUE

def zorp_https() :
    Service(name="intra_Keybridge_HTTPS_inter",
        proxy_class=KeybridgeStrongHttpsProxy,
        router=TransparentRouter(overrideable=FALSE, forge_addr=TRUE))
    Dispatcher(bindto=DBIface(protocol=ZD_PROTO_TCP, iface="eth1", ip="192.168.2.254", port=60443),
        service="intra_Keybridge_HTTPS_inter",
        transparent=TRUE, threaded=FALSE, backlog=255)

-- 
Regards
Zsiga
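
Added example (not part of the original message, and not Zorp code): a small Python decoder for the buffer=[...] field of the core.error lines in the log above. It assumes the #ooo sequences are syslog's octal escapes for control bytes, as with the #012 newline in the NameError line, and reads the decoded bytes as the start of a TLS record header; the function names are made up for this example.

```python
import re

# Constructed sample: the two core.error lines from the log above, shortened.
SAMPLE_LOG = [
    "core.error(3): (svc/intra_Keybridge_HTTPS_inter:0/http/client): Error while "
    "fetching line; error='Invalid line, embedded NUL character found, "
    "buffer=[#026#003#001]'",
    "core.error(3): (svc/intra_Keybridge_HTTPS_inter:1/http/client): Error while "
    "fetching line; error='Invalid line, embedded NUL character found, "
    "buffer=[#026#003]'",
]

SESSION_RE = re.compile(r"\(svc/([^)]+)\)")
BUFFER_RE = re.compile(r"buffer=\[(.*)\]")
# TLS record header: 1 byte content type, then major and minor version bytes.
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0",
            (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


def decode_syslog_escapes(text):
    """Turn '#ooo' octal escapes (assumed syslog control-char escaping) into bytes."""
    raw = text.encode("latin-1", "replace")
    return re.sub(rb"#([0-3][0-7]{2})", lambda m: bytes([int(m.group(1), 8)]), raw)


def classify_tls_prefix(buf):
    """Return (content_type, version) if buf starts like a TLS record, else None.

    version is None when the version bytes are cut off or not in VERSIONS.
    """
    if not buf or buf[0] not in CONTENT_TYPES:
        return None
    if len(buf) >= 2 and buf[1] != 3:
        return None  # every SSL 3.0 / TLS record has major version 3
    version = VERSIONS.get((buf[1], buf[2])) if len(buf) >= 3 else None
    return CONTENT_TYPES[buf[0]], version


def diagnose(line):
    """Map one log line to (session, tls_prefix), or None if it has no buffer field."""
    session, buf = SESSION_RE.search(line), BUFFER_RE.search(line)
    if not (session and buf):
        return None
    return session.group(1), classify_tls_prefix(decode_syslog_escapes(buf.group(1)))


if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(diagnose(entry))
```

Both sample lines decode to the first bytes of a TLS handshake record, so the bytes that the http proxy's line reader rejected were the start of a TLS handshake rather than a plaintext HTTP request line.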