--- loncom/LondConnection.pm	2018/07/29 03:03:36	1.56
+++ loncom/LondConnection.pm	2018/08/07 17:12:09	1.57
@@ -1,7 +1,7 @@
 # This module defines and implements a class that represents
 # a connection to a lond daemon.
 #
-# $Id: LondConnection.pm,v 1.56 2018/07/29 03:03:36 raeburn Exp $
+# $Id: LondConnection.pm,v 1.57 2018/08/07 17:12:09 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -44,7 +44,8 @@
 my $DebugLevel=0;
 my %perlvar;
 my %secureconf;
 my %badcerts;
-my %hosttypes;
+my %hosttypes;
+my %crlchecked;
 my $InsecureOk;
 #
@@ -80,7 +81,8 @@ sub ReadConfig {
     unless (lonssl::Read_Host_Types(\%hosttypes,\%perlvar) eq 'ok') {
         Debug(1,"Failed to retrieve hosttypes hash.\n");
     }
-    undef(%badcerts);
+    %badcerts = ();
+    %crlchecked = ();
 }
 
 sub ResetReadConfig {
@@ -204,7 +206,7 @@ sub new {
                            Port => $Port,
                            State => "Initialized",
                            AuthenticationMode => "",
-                           InsecureOK => $allowinsecure,
+                           InsecureOK => $allowinsecure,
                            TransactionRequest => "",
                            TransactionReply => "",
                            NextRequest => "",
@@ -276,9 +278,10 @@ sub new {
     my ($ca, $cert) = lonssl::CertificateFile;
     my $sslkeyfile = lonssl::KeyFile;
+    my $badcertfile = lonssl::has_badcert_file($self->{LoncapaHim});
     if (($conntype ne 'no') && (defined($ca)) && (defined($cert)) && (defined($sslkeyfile)) &&
-        (!exists($badcerts{$self->{LoncapaHim}}))) {
+        (!exists($badcerts{$self->{LoncapaHim}})) && !$badcertfile) {
         $self->{AuthenticationMode} = "ssl";
         $self->{TransactionRequest} = "init:ssl:$perlvar{'lonVersion'}\n";
     } elsif ($self->{InsecureOK}) {
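Review bot: The added `!$badcertfile` condition in sub new turns an earlier SSL-verification failure into a persistent downgrade: as long as a marker file for this peer exists in the bad-cert directory, every new connection from this process — and from any later process, since the marker lives on disk — skips the SSL path silently, unless lonssl::has_badcert_file applies an age limit, which this hunk does not show. ReadConfig's `%badcerts = ();` only clears the in-memory record, so there is no visible expiry or reset for the on-disk marker. At minimum log the downgrade where it takes effect, e.g. `&Debug(1,"Skipping SSL init for $self->{LoncapaHim}: bad-cert marker present") if ($badcertfile);`, and document in a comment above the `if` how and when an operator is expected to clear the marker. sub new begins before this hunk and continues after it.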
@@ -443,16 +446,26 @@ sub Readable {
                 fcntl($socket, F_SETFL, $flags | O_NONBLOCK);
                 $self->ToVersionRequest();
                 return 0;
-            }
-            else { # Failed in ssl exchange.
-                if (($sslresult == -1) && ($self->{InsecureOK})) {
+            }
+            else { # Failed in ssl exchange.
+                if (($sslresult == -1) && (lonssl::LastError == -1) && ($self->{InsecureOK})) {
+                    my $badcertdir = &lonssl::BadCertDir();
+                    if (($badcertdir) && $self->{LoncapaHim}) {
+                        if (open(my $fh,'>',"$badcertdir/".$self->{LoncapaHim})) {
+                            close($fh);
+                        }
+                    }
                     $badcerts{$self->{LoncapaHim}} = 1;
+                    &Debug(3,"SSL verification failed: close socket and initiate insecure connection");
+                    $self->Transition("ReInitNoSSL");
+                    $socket->close;
+                    return -1;
                 }
                 &Debug(3,"init:ssl failed key negotiation!");
                 $self->Transition("Disconnected");
                 $socket->close;
                 return -1;
-            }
+            }
         } elsif ($Response =~ /^[0-9]+/) { # Old style lond.
             return $self->CompleteInsecure();
@@ -1051,14 +1064,19 @@ sub ExchangeKeysViaSSL {
     my ($SSLCACertificate, $SSLCertificate) = lonssl::CertificateFile();
     my $SSLKey = lonssl::KeyFile();
-
+    my $CRLFile;
+    unless ($crlchecked{$peer}) {
+        $CRLFile = lonssl::CRLFile();
+        $crlchecked{$peer} = 1;
+    }
     # Promote our connection to ssl and read the key from lond.
     my $SSLSocket = lonssl::PromoteClientSocket($socket,
                                                 $SSLCACertificate,
                                                 $SSLCertificate,
                                                 $SSLKey,
-                                                $peer);
+                                                $peer,
+                                                $CRLFile);
     if(defined $SSLSocket) {
         my $key = <$SSLSocket>;
         lonssl::Close($SSLSocket);
@@ -1211,6 +1229,15 @@ sub PeerLoncapaHim {
     return $self->{LoncapaHim};
 }
 
+#
+#  Get the Authentication mode
+#
+
+sub GetKeyMode {
+    my $self = shift;
+    return $self->{AuthenticationMode};
+}
+
 1;
 
 =pod
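Review bot: In the new fallback branch of Readable, the marker file is opened at `"$badcertdir/".$self->{LoncapaHim}` and a failed open is dropped without a message, so when the directory is missing or unwritable the peer is downgraded in memory via `%badcerts` but not on disk, and the next process will behave differently with nothing in the log to explain why. Add an else to the open, `else { &Debug(1,"Cannot write bad-cert marker for $self->{LoncapaHim}: $!"); }`, and since the peer id becomes a path component, check it against an anchored pattern before the open rather than only for truthiness. The `lonssl::LastError == -1` test carries the whole meaning of the branch but its value is not explained here; a one-line comment saying what -1 denotes (presumably a certificate-verification failure, judging by the Debug text that follows) would make the condition reviewable. Readable's body begins and ends outside this hunk.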
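Review bot: `$crlchecked{$peer} = 1;` is set before lonssl::PromoteClientSocket is called, so a peer whose first SSL exchange fails (the `if(defined $SSLSocket)` below is the failure check) is still marked as checked, and every retry to that peer is made with `$CRLFile` undefined — presumably meaning no revocation check, though PromoteClientSocket's handling of an undef CRL argument is not visible here. Moving the assignment after the call into the success path, `$crlchecked{$peer} = 1 if (defined $SSLSocket);`, keeps the once-per-peer behaviour while ensuring the CRL is actually consulted once. The cache also lives until ReadConfig resets it, so a CRL updated during the process lifetime is not re-read for already-seen peers; that trade-off deserves a comment above the `unless`. ExchangeKeysViaSSL starts before this hunk and continues after it.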
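Review bot: The new accessor is named GetKeyMode while its header comment says "Get the Authentication mode" and it returns `$self->{AuthenticationMode}`, so a reader searching for either term finds only half the picture. Either align the name with the field or have the comment name both, and state the values: this diff shows `""` before negotiation and `"ssl"` after a successful SSL init, with any other modes set elsewhere in the file, e.g. `# Returns the AuthenticationMode negotiated for this connection ("" until init completes, "ssl" for an SSL-protected key exchange; other modes are assigned elsewhere).`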