This change fixes a bug with the KmipSession logging shared
ciphers used by the TLS connection. The SSLSocket only supports
shared cipher information starting with Python 3.5. Any use of
the server with older versions of Python will fail when any
connection attempts are made. This fix adds a conditional check
that skips logging shared cipher information if the SSLSocket
does not support that information.
Fixes#361
This change adds a server configuration option, tls_cipher_suites,
allowing the server admin to specify a list of cipher suites to be
used when establishing TLS connections with clients. The custom
list supports both cipher suite specification and OpenSSL suite
naming conventions. The list is filtered through a KMIP-approved
set of cipher suites, and then through a set of cipher suites
suitable for the configured authentication suite. Additional debug
logging has been added to the server to provide transparency on
this process.
This change adds a server configuration option to control the
enforcement of TLS certificate client authentication. Before,
client TLS certificates had to include the extended key usage
extension with the clientAuth bit set to be used as sources of
client identity. The new configuration option,
enable_tls_client_auth, allows server admins to enable/disable
this requirement. The configuration setting is optional and the
server defaults to the original enforcing behavior if it is not
set. Admins must explicitly set the option to False to disable
enforcement.
This change updates the KmipSession, allowing it to extract client
identity from the client certificate of a TLS connection. The
certificate subject common name is used as the client identity if
the certificate has client authentication set in the extended key
usage extension.
This change breaks backwards compatibility. If a client certificate
does not define a client identity, the session will reject it and
shutdown the connection. Any client certificates used to connect
with the software server in the past will need to be replaced with
certificates that define a suitable client identity.
This change fixes a bug with the KmipSession connection handling logic
that would terminate the connection before actually receiving a
termination from the client. The corresponding unit tests have been
updated to reflect this fix.
This change adds KmipEngine support to the KmipSession. The session will
now pass on received requests for processing by the engine, handling any
results or errors that occur. The KmipSession test suite has been
updated to reflect this change.
When KmipSession instantiated without session name there is error:
File ".../PyKMIP/kmip/services/server/session.py", line 57, in __init__
self._logger = logging.getLogger('.'.join((__name__, name)))
TypeError: sequence item 1: expected str instance, NoneType found
This change adds a KmipSession class that manages individual
client/server connections in a thread of execution separate from the
main thread. A test suite is included.
Peter Hamilton
Peter
Viktor Tarasov