[zorp] missing constants and methods in pssl.py

David Yerger dyerger at stcservices.com
Wed Feb 20 00:56:16 CET 2008


Thanks for your help, I think we are getting there!  Choking on proxy
stacking though, see below:

Bazsi wrote:
> 
> You probably don't need server side keys as you disabled encryption.
> You want the same on the client side, e.g. you'd need client_keypair_files,
> however the 'keypair' attributes were only added because of the GUI of
> the professional version, you need these:
> 
>   client_key_file   -- [STRING:"":RW:R] Client side authentication
>                        private key corresponding to 'client_cert_file'.
>   client_cert_file  -- [STRING:"":RW:R] Filename of the client side
>                        authentication certificate in PEM format.
>                        This must be a server certificate, since
>                        for clients the proxy behaves as it were
>                        an SSL server.
> 

OK, did that, also stripped the PEM passphrase from my private key so
Zorp could read it--  


Then was seeing

Feb 19 18:01:00 localhost zorp/Zhttps[6286]: (svc/INhttps:0/pssl): Client side SSL handshake successful;
Feb 19 18:01:00 localhost zorp/Zhttps[6286]: (svc/INhttps:0/pssl): Stacking subproxy; client='19:20', server='21:22'
Feb 19 18:01:00 localhost zorp/Zhttps[6286]: (stderr): Traceback (most recent call last):
Feb 19 18:01:00 localhost zorp/Zhttps[6286]: (stderr):   File "/usr/share/zorp/pylib/Zorp/Proxy.py", line 425, in stackProxy
Feb 19 18:01:00 localhost zorp/Zhttps[6286]: (stderr):     proxyLog(self, CORE_DEBUG, 7, "Stacking child proxy; client_fd='%d', server_fd='%d', class='%s'", (client_stream.fd, server_stream.fd, proxy_class.__name__))
Feb 19 18:01:00 localhost zorp/Zhttps[6286]: (stderr): AttributeError: 'tuple' object has no attribute '__name__'


Looked again at the example in
http://www.balabit.com/network-security/zorp-gateway/gpl/tutorial/,
looks like for Zorp GPL the correct form is 

self.stack_proxy= OWAHttpProxy

instead of

self.stack_proxy=(Z_STACK_PROXY, OWAHttpProxy)


I now have in my policy.py:

def Zhttps():
        Service("INhttps", INhttps,
                router=DirectedRouter(SockAddrInet("10.0.0.9", 80)))
        Listener(SockAddrInet("aaa.bbb.ccc.ddd", 50443), "INhttps")

class StrongPsslProxy(PsslProxy):
        def config(self):
                PsslProxy.config(self)
                #docs say PSSL_VERIFY_NONE
                #this will change but for now agree with present code
                self.client_verify_type = SSL_VERIFY_NONE
                #self.server_ca_directory = "/etc/ssl/certs/"

class OWAHttpProxy(HttpProxy):
        def config(self):
                HttpProxy.config(self)
                self.request_header["Front-End-Https"]=(HTTP_HDR_INSERT, "on")

class INhttps(StrongPsslProxy):
        def config(self):
                StrongPsslProxy.config(self)
                self.server_need_ssl=FALSE
                self.client_key_file = "/etc/ssl/private/owa.key"
                self.client_cert_file = "/etc/ssl/certs/owa.crt"
                self.stack_proxy=OWAHttpProxy

which seems to work.

Thanks again

David Yerger
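
Added example, not part of the original post or of Zorp's own code: because the proxy above has to read a private key whose passphrase was stripped, this sketch audits a PEM key file for leftover encryption and for permissions wider than owner-only. The function names and the placeholder key bodies are constructed for illustration; a POSIX filesystem is assumed.

```python
import os
import stat
import tempfile

# PEM markers showing that a private key is still passphrase-protected.
ENCRYPTED_MARKERS = ("Proc-Type: 4,ENCRYPTED", "-----BEGIN ENCRYPTED PRIVATE KEY-----")


def audit_key_file(path):
    """Return findings for a PEM private key that a proxy must load unattended."""
    findings = []
    with open(path, "r", errors="replace") as fh:
        text = fh.read()
    if "PRIVATE KEY-----" not in text:
        findings.append("not a PEM private key")
    elif any(marker in text for marker in ENCRYPTED_MARKERS):
        findings.append("key is passphrase-protected; the proxy cannot load it unattended")
    # An unencrypted key is protected only by file permissions.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("mode %04o lets group/other access the key; use 0600" % mode)
    return findings


def _write(dirname, name, body, mode):
    """Create a constructed sample file with the given permission bits."""
    path = os.path.join(dirname, name)
    with open(path, "w") as fh:
        fh.write(body)
    os.chmod(path, mode)
    return path


def demo():
    """Audit three constructed key files (placeholder bodies, not real keys)."""
    plain = "-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED\n-----END RSA PRIVATE KEY-----\n"
    legacy_enc = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                  "DEK-Info: AES-256-CBC,00\n\nCONSTRUCTED\n-----END RSA PRIVATE KEY-----\n")
    with tempfile.TemporaryDirectory() as d:
        return {
            "plain_0600": audit_key_file(_write(d, "a.key", plain, 0o600)),
            "plain_0644": audit_key_file(_write(d, "b.key", plain, 0o644)),
            "encrypted_0600": audit_key_file(_write(d, "c.key", legacy_enc, 0o600)),
        }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "ok")
```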

 

