Python SSL

The ssl module can be found here.

With this change, SSL certificate-based client authentication is supported. In order to use this, basic CA-type capabilities are required: a central CA needs to be created, with each server and all clients getting a signed cert. See [wiki:Authentication] for details.

Setting up keys is accomplished with three settings, each in the “[communication]” section of bcfg2.conf:

key = /path/to/ssl private key
certificate = /path/to/signed cert for that key
ca = /path/to/cacert.pem
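
The following added example is not Bcfg2's own code. It reads the three settings above, checks them before startup, and builds a server-side context with the standard ssl module that refuses any client lacking a certificate signed by the CA. It assumes Python 3, and the function names are hypothetical.

```python
import configparser
import os
import ssl
import stat

REQUIRED = ("key", "certificate", "ca")  # the three settings named on this page


def load_settings(conf_text):
    """Return the key/certificate/ca paths from the [communication] section."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    if not parser.has_section("communication"):
        raise ValueError("bcfg2.conf has no [communication] section")
    missing = [n for n in REQUIRED if not parser.has_option("communication", n)]
    if missing:
        raise ValueError("missing settings: " + ", ".join(missing))
    return {n: parser.get("communication", n) for n in REQUIRED}


def preflight(settings):
    """List problems that would break or weaken certificate authentication."""
    problems = []
    for name in REQUIRED:
        if not os.path.isfile(settings[name]):
            problems.append("%s: %s is not a file" % (name, settings[name]))
    key = settings["key"]
    # A private key readable by group/other lets local users impersonate the host.
    if os.path.isfile(key) and stat.S_IMODE(os.stat(key).st_mode) & 0o077:
        problems.append("key: %s is accessible to group/other" % key)
    return problems


def server_context(settings):
    """TLS context that rejects clients without a cert signed by the CA."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED  # client certificate is mandatory
    ctx.load_cert_chain(settings["certificate"], settings["key"])
    ctx.load_verify_locations(cafile=settings["ca"])  # only this CA is trusted
    return ctx
```

Run preflight() against the parsed settings before calling server_context(); an empty list means the files exist and the private key is readable by its owner only.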

Python SSL Backport Packaging

Both the Bcfg2 server and client are able to use the in-tree ssl module included with Python 2.6. The client can also still use M2Crypto. A Python ssl backport exists for 2.3, 2.4, and 2.5. With this, M2Crypto is not needed, and tlslite is no longer included with Bcfg2 sources. See [wiki:Authentication] for details.

To build a package of the ssl backport for .deb-based distributions that don't ship with Python 2.6, you can follow these instructions, which use stdeb. Alternatively, if you happen to have .deb packaging skills, it would be great to get policy-compliant .debs into the major deb-based distributions.

The following commands were used to generate this Debian package. The easy_install command can be found in the python-setuptools package:

sudo aptitude install python-all-dev fakeroot
sudo easy_install stdeb
tar xvfz ssl-1.14.tar.gz
cd ssl-1.14
stdeb_run_setup  # stdeb's setup.py wrapper; generates the deb_dist/ source tree
cd deb_dist/ssl-1.14
dpkg-buildpackage -rfakeroot -uc -us
sudo dpkg -i ../python-ssl_1.14-1_amd64.deb


Version numbers for the SSL module have changed.

For complete Bcfg2 goodness, you'll also want to package stdeb using stdeb. The completed Debian package can be grabbed from here; it was generated using the following:

sudo aptitude install apt-file
tar xvfz stdeb-0.3.tar.gz
cd stdeb-0.3
stdeb_run_setup  # stdeb's setup.py wrapper; generates the deb_dist/ source tree
cd deb_dist/stdeb-0.3
dpkg-buildpackage -rfakeroot -uc -us
sudo dpkg -i ../python-stdeb_0.3-1_all.deb
