Revision 6149f03e
b/vncauthproxy/client.py | ||
---|---|---|
76 | 76 |
help=("User password for the control connection " |
77 | 77 |
"authentication")) |
78 | 78 |
parser.add_option("--no-ssl", dest="no_ssl", |
79 |
action='store_false', default=False,
|
|
79 |
action='store_true', default=False,
|
|
80 | 80 |
help=("Disable SSL/TLS for control connecions " |
81 | 81 |
"(default: %s)" % False)) |
82 |
parser.add_option("--ca-cert", dest="ca_cert", |
|
83 |
default=None, |
|
84 |
metavar="CACERT", |
|
85 |
help=("CA certificate file to use for server auth")) |
|
86 |
parser.add_option("--strict", dest="strict", |
|
87 |
default=False, action='store_true', |
|
88 |
metavar="STRICT", |
|
89 |
help=("Perform strict authentication on the server " |
|
90 |
"SSL cert")) |
|
82 | 91 |
|
83 | 92 |
(opts, args) = parser.parse_args(args) |
84 | 93 |
|
... | ... | |
94 | 103 |
if not opts.auth_password: |
95 | 104 |
parser.error("The --auth-password argument is mandatory.") |
96 | 105 |
|
106 |
# Sanity check |
|
107 |
if opts.strict and not opts.ca_cert: |
|
108 |
parser.error("--strict requires --ca-cert to be set") |
|
109 |
if opts.no_ssl and opts.ca_cert: |
|
110 |
parser.error("--no-ssl and --ca-cert / --strict options " |
|
111 |
"are mutually exclusive") |
|
112 |
|
|
97 | 113 |
return (opts, args) |
98 | 114 |
|
99 | 115 |
|
100 | 116 |
def request_forwarding(sport, daddr, dport, password, |
101 | 117 |
auth_user, auth_password, |
102 | 118 |
server_address=DEFAULT_SERVER_ADDRESS, |
103 |
server_port=DEFAULT_SERVER_PORT, no_ssl=False): |
|
119 |
server_port=DEFAULT_SERVER_PORT, no_ssl=False, |
|
120 |
ca_cert=None, strict=False): |
|
104 | 121 |
"""Connect to vncauthproxy and request a VNC forwarding.""" |
105 | 122 |
if not password: |
106 | 123 |
raise ValueError("You must specify a non-empty password") |
... | ... | |
129 | 146 |
continue |
130 | 147 |
|
131 | 148 |
if not no_ssl: |
149 |
reqs = ssl.CERT_NONE |
|
150 |
if strict: |
|
151 |
reqs = ssl.CERT_REQUIRED |
|
152 |
elif ca_cert: |
|
153 |
reqs = ssl.CERT_OPTIONAL |
|
154 |
|
|
132 | 155 |
server = ssl.wrap_socket( |
133 |
server, cert_reqs=ssl.CERT_NONE,
|
|
156 |
server, cert_reqs=reqs, ca_certs=ca_cert,
|
|
134 | 157 |
ssl_version=ssl.PROTOCOL_TLSv1) |
135 | 158 |
|
136 | 159 |
server.settimeout(60.0) |
... | ... | |
166 | 189 |
dport=opts.dport, password=opts.password, |
167 | 190 |
auth_user=opts.auth_user, |
168 | 191 |
auth_password=opts.auth_password, |
169 |
no_ssl=opts.no_ssl) |
|
192 |
no_ssl=opts.no_ssl, ca_cert=opts.ca_cert, |
|
193 |
strict=opts.strict) |
|
170 | 194 |
|
171 | 195 |
reason = None |
172 | 196 |
if 'reason' in res: |
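Review bot: The strict mode added around new lines 149–156 verifies that the server's certificate chains to --ca-cert, but nothing checks that the certificate was issued for the host actually being contacted, because ssl.wrap_socket does no hostname matching on its own; any certificate signed by that CA would be accepted for any server. After the wrap_socket call, when `strict` is set, add `ssl.match_hostname(server.getpeercert(), server_address)` (present from Python 2.7.9/3.2 — on an older interpreter a manual subjectAltName/CN comparison against server_address would be needed instead), with a comment such as `# CERT_REQUIRED only validates the chain; the peer name must be checked separately`. As far as I recall the ssl module treats CERT_OPTIONAL like CERT_REQUIRED on a client-side socket, so the `elif ca_cert:` branch may already behave as strictly as the `if strict:` branch; that is worth confirming and documenting next to the option help, since the two flags are presented as different levels. request_forwarding's body continues outside the hunk on both sides.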