| 23 | | We have switched to the in-tree ssl module included with python 2.6. A backport exists for 2.3, 2.4, and 2.5. With this, M2Crypto is not needed, and tlslite is no longer included with bcfg2 sources. The ssl module can be found [http://pypi.python.org/pypi/ssl/1.14 here]. |
| 24 | | |
| 25 | | '''NOTE:''' To build the module on Debian (lenny), I had to apply this [attachment:ssl-debian.patch patch] to remove bluetooth references. |
| 26 | | |
| 27 | | With this change, SSL certificate based client authentication is supported. In order to use this, based CA-type capabilities are required. A central CA needs to be created, with each server and all clients getting a signed cert. See [wiki:Authentication] for details. |
| 28 | | |
| 29 | | Setting up keys is accomplished with three settings, each in the "`[communication]`" section of bcfg2.conf: |
| 30 | | {{{ |
| 31 | | key = /path/to/ssl private key |
| 32 | | certificate = /path/to/signed cert for that key |
| 33 | | ca = /path/to/cacert.pem |
| 34 | | }}} |
| | 23 | We have switched to the in-tree ssl module included with python 2.6. A backport exists for 2.3, 2.4, and 2.5. With this, M2Crypto is not needed, and tlslite is no longer included with bcfg2 sources. Information about building the ssl pre-req is [wiki:ssl here] |
