This change adds a server configuration option, tls_cipher_suites,
allowing the server admin to specify a list of cipher suites to be
used when establishing TLS connections with clients. The custom
list supports both cipher suite specification and OpenSSL suite
naming conventions. The list is filtered through a KMIP-approved
set of cipher suites, and then through a set of cipher suites
suitable for the configured authentication suite. Additional debug
logging has been added to the server to provide transparency on
this process.
This change adds a server configuration option to control the
enforcement of TLS certificate client authentication. Before,
client TLS certificates had to include the extended key usage
extension with the clientAuth bit set to be used as sources of
client identity. The new configuration option,
enable_tls_client_auth, allows server admins to enable/disable
this requirement. The configuration setting is optional and the
server defaults to the original enforcing behavior if it is not
set. Admins must explicitly set the option to False to disable
enforcement.
This change fixes a bug introduced with the addition of Python3.5
support. In Python3.5, SIGINT is silently ignored for system calls
(e.g., socket.accept) if the SIGINT signal handler does not raise
an exception. This causes the server to delay shutdown when
receiving SIGINT until after a new connection has been made. This
change updates the server's SIGINT signal handler to raise the
correct exception and updates the error handling code while serving
connections to account for this change in SIGINT processing. This
allows the server to shutdown immediately upon receiving SIGINT.
The server unit tests are updated to account for this change.
This change fixes a bug with the server where the server would
prematurely shutdown upon receiving a client connection using an
invalid certificate. The server will now withstand bad client
connections. The impacted server unit tests have been updated to
reflect the bug fix.
This change fixes a bug with parameter handling when invoking
the server's main routine. The default values provided for the
parameters would override any configuration file settings if
the main routine was used to run the server. To fix this, the
default values were removed, requiring the user to explicitly
specify parameter values if they want them to override the
configuration settings. The parameter doc strings have been
updated to match these changes.
Fixes#217
This change updates the server, updating how it processes config
values and allowing it to handle optional or ommitted policy_path
values. This fixes a bug where users could not leave the
policy_path config file unset, in addition to a bug that forced
users to use '/etc/pykmip/policies' as their policy directory.
Fixes#210
This change adds support for dynamic operation policy loading.
The server config file now supports a 'policy_path' option that
points to a filesystem directory. Each file in the directory
should contain a JSON policy object. The KMIP server will scan
this directory and attempt to load all valid policies it finds.
The results of this process will be logged.
Added console_scripts to setup.py, and added an entry for
pykmip-server. The pykmip-server application will run the PyKMIP
server. The two command line options below will run the server.
python -m kmip.services.server.server
pykmip-server
This change adds the KmipServer, the front-end of the KMIP software
server. The KmipServer is in charge of loading configuration settings,
creating all major server components, and serving and managing client
connections. A KmipServerConfig tool is included to handle configuration
settings. Test cases for all new code are included.
Peter Hamilton
Nathan Reller
Peter