From 12a1782ebec6f1c540998f771d145a74cc556c85 Mon Sep 17 00:00:00 2001 From: Seth Schoen Date: Sun, 18 Nov 2012 20:37:27 -0800 Subject: [PATCH 01/15] whoops, ",".join instead of join --- server-ca/issue-daemon.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/server-ca/issue-daemon.py b/server-ca/issue-daemon.py index de2a36858..298119e46 100755 --- a/server-ca/issue-daemon.py +++ b/server-ca/issue-daemon.py @@ -49,7 +49,7 @@ def issue(session): return csr = r.hget(session, "csr") names = r.lrange("%s:names" % session, 0, -1) - log("attempting to issue certificate for names: %s" % join(names), session) + log("attempting to issue certificate for names: %s" % ", ".join(names), session) with issue_lock: cert = CSR.issue(csr, names) r.hset(session, "cert", cert) From a96365faf02766d5413079fe5c15566953fc5290 Mon Sep 17 00:00:00 2001 From: Seth Schoen Date: Sun, 18 Nov 2012 20:40:34 -0800 Subject: [PATCH 02/15] make all redis objects global for log() --- server-ca/issue-daemon.py | 1 + server-ca/logging-daemon.py | 1 + server-ca/makechallenge-daemon.py | 1 + server-ca/payment-daemon.py | 1 + server-ca/testchallenge-daemon.py | 1 + 5 files changed, 5 insertions(+) diff --git a/server-ca/issue-daemon.py b/server-ca/issue-daemon.py index 298119e46..7e0053fec 100755 --- a/server-ca/issue-daemon.py +++ b/server-ca/issue-daemon.py @@ -7,6 +7,7 @@ import redis, redis_lock, CSR, sys, signal from sni_challenge.verify import verify_challenge from Crypto import Random +global r r = redis.Redis() ps = r.pubsub() issue_lock = redis_lock.redis_lock(r, "issue_lock") diff --git a/server-ca/logging-daemon.py b/server-ca/logging-daemon.py index 7bbf8f327..209c22d18 100755 --- a/server-ca/logging-daemon.py +++ b/server-ca/logging-daemon.py @@ -4,6 +4,7 @@ import redis, signal, sys +global r r = redis.Redis() ps = r.pubsub() diff --git a/server-ca/makechallenge-daemon.py b/server-ca/makechallenge-daemon.py index 86499fe83..e19f5b068 100755 --- a/server-ca/makechallenge-daemon.py +++ b/server-ca/makechallenge-daemon.py @@ -5,6 +5,7 @@ import redis, time, sys, signal +global r r = redis.Redis() ps = r.pubsub() diff --git a/server-ca/payment-daemon.py b/server-ca/payment-daemon.py index 28b8416de..b8e28023c 100755 --- a/server-ca/payment-daemon.py +++ b/server-ca/payment-daemon.py @@ -26,6 +26,7 @@ import redis, signal, sys +global r r = redis.Redis() ps = r.pubsub() diff --git a/server-ca/testchallenge-daemon.py b/server-ca/testchallenge-daemon.py index 505dbd657..9f062577f 100755 --- a/server-ca/testchallenge-daemon.py +++ b/server-ca/testchallenge-daemon.py @@ -9,6 +9,7 @@ import policy from redis_lock import redis_lock from sni_challenge.verify import verify_challenge +global r r = redis.Redis() ps = r.pubsub() From 24af9acbd0316b772d536ea49416b444f97b751a Mon Sep 17 00:00:00 2001 From: Seth Schoen Date: Sun, 18 Nov 2012 20:42:07 -0800 Subject: [PATCH 03/15] unfortunately there is a scoping issue here --- server-ca/daemon_common.py | 7 +++++-- server-ca/issue-daemon.py | 1 - server-ca/logging-daemon.py | 1 - server-ca/makechallenge-daemon.py | 1 - server-ca/payment-daemon.py | 1 - server-ca/testchallenge-daemon.py | 1 - 6 files changed, 5 insertions(+), 7 deletions(-) diff --git a/server-ca/daemon_common.py b/server-ca/daemon_common.py index 80a0cb146..d612f4c0a 100644 --- a/server-ca/daemon_common.py +++ b/server-ca/daemon_common.py @@ -5,6 +5,9 @@ import time, binascii from Crypto import Random +import redis +log_redis = redis.Redis() + def signal_handler(a, b): global clean_shutdown clean_shutdown = True @@ -27,6 +30,6 @@ def random_raw(): def log(msg, session = None): if session: - r.publish("logs", "%s: %s" % (short(session), msg)) + log_redis.publish("logs", "%s: %s" % (short(session), msg)) else: - r.publish("logs", "%s" % session) + log_redis.publish("logs", "%s" % session) diff --git a/server-ca/issue-daemon.py b/server-ca/issue-daemon.py index 7e0053fec..298119e46 100755 --- a/server-ca/issue-daemon.py +++ b/server-ca/issue-daemon.py @@ -7,7 +7,6 @@ import redis, redis_lock, CSR, sys, signal from sni_challenge.verify import verify_challenge from Crypto import Random -global r r = redis.Redis() ps = r.pubsub() issue_lock = redis_lock.redis_lock(r, "issue_lock") diff --git a/server-ca/logging-daemon.py b/server-ca/logging-daemon.py index 209c22d18..7bbf8f327 100755 --- a/server-ca/logging-daemon.py +++ b/server-ca/logging-daemon.py @@ -4,7 +4,6 @@ import redis, signal, sys -global r r = redis.Redis() ps = r.pubsub() diff --git a/server-ca/makechallenge-daemon.py b/server-ca/makechallenge-daemon.py index e19f5b068..86499fe83 100755 --- a/server-ca/makechallenge-daemon.py +++ b/server-ca/makechallenge-daemon.py @@ -5,7 +5,6 @@ import redis, time, sys, signal -global r r = redis.Redis() ps = r.pubsub() diff --git a/server-ca/payment-daemon.py b/server-ca/payment-daemon.py index b8e28023c..28b8416de 100755 --- a/server-ca/payment-daemon.py +++ b/server-ca/payment-daemon.py @@ -26,7 +26,6 @@ import redis, signal, sys -global r r = redis.Redis() ps = r.pubsub() diff --git a/server-ca/testchallenge-daemon.py b/server-ca/testchallenge-daemon.py index 9f062577f..505dbd657 100755 --- a/server-ca/testchallenge-daemon.py +++ b/server-ca/testchallenge-daemon.py @@ -9,7 +9,6 @@ import policy from redis_lock import redis_lock from sni_challenge.verify import verify_challenge -global r r = redis.Redis() ps = r.pubsub() From a67c5de30937b65f9d0db01540e314524f8232b6 Mon Sep 17 00:00:00 2001 From: Seth Schoen Date: Sun, 18 Nov 2012 20:43:19 -0800 Subject: [PATCH 04/15] second instance of ",".join bug --- server-ca/issue-daemon.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/server-ca/issue-daemon.py b/server-ca/issue-daemon.py index 298119e46..8693ca568 100755 --- a/server-ca/issue-daemon.py +++ b/server-ca/issue-daemon.py @@ -54,7 +54,7 @@ def issue(session): cert = CSR.issue(csr, names) r.hset(session, "cert", cert) if cert: # once issuing cert succeeded - log("issued certificate for names: %s" % join(names), session) + log("issued certificate for names: %s" % ", ".join(names), session) r.hset(session, "state", "done") # r.lpush("pending-done", session) else: # should not be reached in deployed version From c4c8b4ed5363c2e82f105d5332bbf767889e96f3 Mon Sep 17 00:00:00 2001 From: Seth Schoen Date: Sun, 18 Nov 2012 20:50:05 -0800 Subject: [PATCH 05/15] use logging mechanism instead of print --- server-ca/makechallenge-daemon.py | 9 ++++----- server-ca/payment-daemon.py | 2 +- server-ca/testchallenge-daemon.py | 17 ++++++++--------- 3 files changed, 13 insertions(+), 15 deletions(-) diff --git a/server-ca/makechallenge-daemon.py b/server-ca/makechallenge-daemon.py index 86499fe83..bb4c7918a 100755 --- a/server-ca/makechallenge-daemon.py +++ b/server-ca/makechallenge-daemon.py @@ -25,7 +25,7 @@ def makechallenge(session): # pending-requests queue and not pushed into any other queue. # We don't have to remove it from pending-makechallenge # because the caller has already done so. - if debug: print "removing expired session", short(session) + log("removing expired session", session) r.lrem("pending-requests", session) return # Currently only makes challenges of type 0 (DomainValidateSNI) @@ -37,9 +37,8 @@ def makechallenge(session): # Make one challenge for each name. (This one-to-one relationship # is not an inherent protocol requirement!) names = r.lrange("%s:names" % session, 0, -1) - if debug: print "%s: new valid request" % session - if debug: print "%s: from requesting client at %s" % (short(session), r.hget(session, "client-addr")) - if debug: print "%s: for %d names: %s" % (short(session), len(names), ", ".join(names)) + log("new valid request from requesting client at %s" % r.hget(session, "client-addr"), session) + log("for %d names: %s" % (len(names), ", ".join(names), session) for i, name in enumerate(names): challenge = "%s:%d" % (session, i) r.hset(challenge, "challtime", int(time.time())) @@ -52,7 +51,7 @@ def makechallenge(session): r.hset(challenge, "dvsni:ext", "1.3.3.7") # Keep accurate count of how many challenges exist in this session. r.hincrby(session, "challenges", 1) - if debug: print "created new challenge", short(challenge) + log("created new challenge %s" % challenge, session) if True: # challenges have been created r.hset(session, "state", "testchallenge") else: diff --git a/server-ca/payment-daemon.py b/server-ca/payment-daemon.py index 28b8416de..4fc6e1976 100755 --- a/server-ca/payment-daemon.py +++ b/server-ca/payment-daemon.py @@ -47,7 +47,7 @@ for message in ps.listen(): if len(session) != 64: continue if session not in r or r.hget(session, "live") != "True": continue if r.hget(session, "state") != "payment": continue - if debug: print "\t** All challenges satisfied; payment received; request %s GRANTED" % short(session) + log("\t** All challenges satisfied; payment received; request GRANTED", session) r.hset(session, "state", "issue") r.lpush("pending-issue", session) continue diff --git a/server-ca/testchallenge-daemon.py b/server-ca/testchallenge-daemon.py index 505dbd657..31551f79f 100755 --- a/server-ca/testchallenge-daemon.py +++ b/server-ca/testchallenge-daemon.py @@ -34,7 +34,7 @@ def testchallenge(session): # pending-requests queue and not pushed into any other queue. # We don't have to remove it from pending-testchallenge # because the caller has already done so. - if debug: print "removing expired session", short(session) + log("removing expired session", session) r.lrem("pending-requests", session) return if r.hget(session, "state") != "testchallenge": @@ -49,7 +49,7 @@ def testchallenge(session): all_satisfied = True for i, name in enumerate(r.lrange("%s:names" % session, 0, -1)): challenge = "%s:%d" % (session, i) - if debug: print "testing challenge", short(challenge) + log("testing challenge %s" % challenge, session) challtime = int(r.hget(challenge, "challtime")) challtype = int(r.hget(challenge, "type")) name = r.hget(challenge, "name") @@ -59,15 +59,14 @@ def testchallenge(session): if not satisfied and not failed: # if debug: print "challenge", short(challenge), "being tested" if challtype == 0: # DomainValidateSNI - if debug: print "\tbeginning dvsni test to %s" % name + log("\tbeginning dvsni test to %s" % name, session) dvsni_nonce = r.hget(challenge, "dvsni:nonce") dvsni_r = r.hget(challenge, "dvsni:r") dvsni_ext = r.hget(challenge, "dvsni:ext") direct_result, direct_reason = verify_challenge(name, dvsni_r, dvsni_nonce, False) proxy_result, proxy_reason = verify_challenge(name, dvsni_r, dvsni_nonce, True) - if debug: - print "\t...direct probe: %s (%s)" % (direct_result, direct_reason) - print "\tTor proxy probe: %s (%s)" % (proxy_result, proxy_reason) + log("\t...direct probe: %s (%s)" % (direct_result, direct_reason), session) + log("\tTor proxy probe: %s (%s)" % (proxy_result, proxy_reason), session) if direct_result and proxy_result: r.hset(challenge, "satisfied", True) else: @@ -80,7 +79,7 @@ def testchallenge(session): # Don't know how to handle this challenge type all_satisfied = False elif not satisfied: - if debug: print "\tchallenge was not attempted" + log("\tchallenge was not attempted", session) all_satisfied = False if all_satisfied: # Challenges all succeeded, so we should prepare to issue @@ -91,7 +90,7 @@ def testchallenge(session): # the daemon that put this session on the queue should # also have implicitly guaranteed this). if policy.payment_required(session): - if debug: print "\t** All challenges satisfied; request %s NEEDS PAYMENT" % short(session) + log("\t** All challenges satisfied; request NEEDS PAYMENT", session) # Try to get a unique abbreviated ID (10 hex digits) for i in xrange(20): abbreviation = random()[:10] @@ -110,7 +109,7 @@ def testchallenge(session): # instantaneously as soon as the payment system sends a "payments" # pubsub message to the payments daemon. else: - if debug: print "\t** All challenges satisfied; request %s GRANTED" % short(session) + log("\t** All challenges satisfied; request GRANTED", session) r.hset(session, "state", "issue") r.lpush("pending-issue", session) else: From 09a2326e8be47f33ba446e343cd34f4a9ae278ba Mon Sep 17 00:00:00 2001 From: Seth Schoen Date: Sun, 18 Nov 2012 20:52:08 -0800 Subject: [PATCH 06/15] missing paren --- server-ca/makechallenge-daemon.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/server-ca/makechallenge-daemon.py b/server-ca/makechallenge-daemon.py index bb4c7918a..8231d60bb 100755 --- a/server-ca/makechallenge-daemon.py +++ b/server-ca/makechallenge-daemon.py @@ -38,7 +38,7 @@ def makechallenge(session): # is not an inherent protocol requirement!) names = r.lrange("%s:names" % session, 0, -1) log("new valid request from requesting client at %s" % r.hget(session, "client-addr"), session) - log("for %d names: %s" % (len(names), ", ".join(names), session) + log("for %d names: %s" % (len(names), ", ".join(names), session)) for i, name in enumerate(names): challenge = "%s:%d" % (session, i) r.hset(challenge, "challtime", int(time.time())) From 2dd531b65d2a1453ac7b970082b554af5cc596fa Mon Sep 17 00:00:00 2001 From: Seth Schoen Date: Sun, 18 Nov 2012 20:53:18 -0800 Subject: [PATCH 07/15] paren in wrong place --- server-ca/makechallenge-daemon.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/server-ca/makechallenge-daemon.py b/server-ca/makechallenge-daemon.py index 8231d60bb..a424962a4 100755 --- a/server-ca/makechallenge-daemon.py +++ b/server-ca/makechallenge-daemon.py @@ -38,7 +38,7 @@ def makechallenge(session): # is not an inherent protocol requirement!) names = r.lrange("%s:names" % session, 0, -1) log("new valid request from requesting client at %s" % r.hget(session, "client-addr"), session) - log("for %d names: %s" % (len(names), ", ".join(names), session)) + log("for %d names: %s" % (len(names), ", ".join(names)), session) for i, name in enumerate(names): challenge = "%s:%d" % (session, i) r.hset(challenge, "challtime", int(time.time())) From 648d641311b4666676b385f23e099a30e55e0041 Mon Sep 17 00:00:00 2001 From: Seth Schoen Date: Sun, 18 Nov 2012 20:56:24 -0800 Subject: [PATCH 08/15] make logging daemon log when it's shut down --- server-ca/logging-daemon.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/server-ca/logging-daemon.py b/server-ca/logging-daemon.py index 7bbf8f327..17f5b1060 100755 --- a/server-ca/logging-daemon.py +++ b/server-ca/logging-daemon.py @@ -26,5 +26,6 @@ for message in ps.listen(): if message["channel"] == "exit": break if clean_shutdown: - print "logging daemon exiting cleanly" + sys.stdout.write("logging daemon exiting cleanly"\n) + sys.stdout.flush() break From 39d19249904dbdebabcbd46b30e51b21f3fcbaf4 Mon Sep 17 00:00:00 2001 From: Seth Schoen Date: Sun, 18 Nov 2012 20:56:58 -0800 Subject: [PATCH 09/15] oops --- server-ca/logging-daemon.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/server-ca/logging-daemon.py b/server-ca/logging-daemon.py index 17f5b1060..a5bcd32b4 100755 --- a/server-ca/logging-daemon.py +++ b/server-ca/logging-daemon.py @@ -26,6 +26,6 @@ for message in ps.listen(): if message["channel"] == "exit": break if clean_shutdown: - sys.stdout.write("logging daemon exiting cleanly"\n) + sys.stdout.write("logging daemon exiting cleanly\n") sys.stdout.flush() break From b369e96d06983a6e21486bf02dc4fc65f0f5e007 Mon Sep 17 00:00:00 2001 From: Seth Schoen Date: Sun, 18 Nov 2012 21:02:59 -0800 Subject: [PATCH 10/15] issue daemon doesn't verify challenges --- server-ca/issue-daemon.py | 1 - 1 file changed, 1 deletion(-) diff --git a/server-ca/issue-daemon.py b/server-ca/issue-daemon.py index 8693ca568..2b4cee704 100755 --- a/server-ca/issue-daemon.py +++ b/server-ca/issue-daemon.py @@ -4,7 +4,6 @@ # the database that are waiting for a cert to be issued. import redis, redis_lock, CSR, sys, signal -from sni_challenge.verify import verify_challenge from Crypto import Random r = redis.Redis() From 1a830e2ab4d85ef76960c872b00cb9bd3e313f25 Mon Sep 17 00:00:00 2001 From: Seth Schoen Date: Sun, 18 Nov 2012 21:03:54 -0800 Subject: [PATCH 11/15] attempt to log remote peernames of dvsni test sockets! --- server-ca/sni_challenge/verify.py | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/server-ca/sni_challenge/verify.py b/server-ca/sni_challenge/verify.py index 334b778a6..cc8af96af 100644 --- a/server-ca/sni_challenge/verify.py +++ b/server-ca/sni_challenge/verify.py @@ -68,16 +68,17 @@ def verify_challenge(address, r, nonce, socksify=False): sni_support.set_sni_ext(conn.ssl, sni_name) try: conn.connect((address, 443)) + peername = str(conn.socket.getpeername()) except Exception, e: - return False, "Connection to SSL Server failed (%s)" % str(e) + return False, "Connection to SSL Server failed (%s)" % str(e), peername cert_chain = conn.get_peer_cert_chain() #Ensure certificate chain form is correct if cert_chain is None: - return False, "Client did not provide a certificate" + return False, "Client did not provide a certificate", peername if len(cert_chain) != 1: - return False, "Chocolate client should only include 1 cert" + return False, "Chocolate client should only include 1 cert", peername for i in range(0,cert_chain[0].get_ext_count()): ext = cert_chain[0].get_ext_at(i) @@ -87,11 +88,11 @@ def verify_challenge(address, r, nonce, socksify=False): valid = check_challenge_value(sni_support.get_unknown_value(ext.x509_ext), r) if valid: - return True, "Challenge completed successfully" + return True, "Challenge completed successfully", peername else: - return False, "Certificate extension does not check out" + return False, "Certificate extension does not check out", peername - return False, "Chocolate extension not included in certificate" + return False, "Chocolate extension not included in certificate", peername def main(): #Testing the example sni_challenge @@ -108,10 +109,10 @@ def main(): nonce = binascii.hexlify(nonce) nonce2 = binascii.hexlify(nonce2) - valid, response = verify_challenge("example.com", r, nonce) + valid, response, peername = verify_challenge("example.com", r, nonce) #valid, response = verify_challenge("127.0.0.1", r, nonce) print response - valid, response = verify_challenge("www.example.com", r2, nonce2) + valid, response, peername = verify_challenge("www.example.com", r2, nonce2) #valid, response = verify_challenge("localhost", r2, nonce2) print response if __name__ == "__main__": From 14b7d20bf79bf7356ed67ba6d97ac659e9dfff75 Mon Sep 17 00:00:00 2001 From: Seth Schoen Date: Sun, 18 Nov 2012 21:04:24 -0800 Subject: [PATCH 12/15] further attempt to log remote peernames of dvsni test sockets! --- server-ca/testchallenge-daemon.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/server-ca/testchallenge-daemon.py b/server-ca/testchallenge-daemon.py index 31551f79f..523a168c6 100755 --- a/server-ca/testchallenge-daemon.py +++ b/server-ca/testchallenge-daemon.py @@ -63,10 +63,10 @@ def testchallenge(session): dvsni_nonce = r.hget(challenge, "dvsni:nonce") dvsni_r = r.hget(challenge, "dvsni:r") dvsni_ext = r.hget(challenge, "dvsni:ext") - direct_result, direct_reason = verify_challenge(name, dvsni_r, dvsni_nonce, False) - proxy_result, proxy_reason = verify_challenge(name, dvsni_r, dvsni_nonce, True) - log("\t...direct probe: %s (%s)" % (direct_result, direct_reason), session) - log("\tTor proxy probe: %s (%s)" % (proxy_result, proxy_reason), session) + direct_result, direct_reason, direct_peername = verify_challenge(name, dvsni_r, dvsni_nonce, False) + proxy_result, proxy_reason, proxy_peername = verify_challenge(name, dvsni_r, dvsni_nonce, True) + log("\t...direct probe: %s (%s) to %s" % (direct_result, direct_reason, direct_peername), session) + log("\tTor proxy probe: %s (%s) to %s" % (proxy_result, proxy_reason, proxy_peername), session) if direct_result and proxy_result: r.hset(challenge, "satisfied", True) else: From 2172c64070bac3eb4ce6988e4b062c16c24fdd4d Mon Sep 17 00:00:00 2001 From: Seth Schoen Date: Sun, 18 Nov 2012 21:07:20 -0800 Subject: [PATCH 13/15] show very slightly nicer error for bad payments --- server-ca/payment.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/server-ca/payment.py b/server-ca/payment.py index f500f09f7..767afed24 100755 --- a/server-ca/payment.py +++ b/server-ca/payment.py @@ -30,11 +30,11 @@ class payment(object): def GET(self, session): web.header("Content-type", "text/html") if len(session) != 64 or not all(hexdigit(s) for s in session): - return "Attempt to process payment for invalid session." + return "

Oops!

Attempt to process payment for invalid session." if session not in r or r.hget(session, "live") != "True": - return "Attempt to process payment for invalid session." + return "

Oops!

Attempt to process payment for invalid session." if r.hget(session, "state") != "payment": - return "Attempt to process payment for session not expecting it." + return "

Oops!

Attempt to process payment for session that was not expecting it." r.publish("payments", session) names = r.lrange("%s:names" % session, 0, -1) names_list = '
    ' + "\n".join("
  • %s
    • " % n for n in names) + '
' From 9d1c0b8b19e9e6535aff77886205dc10f7cbb9ff Mon Sep 17 00:00:00 2001 From: Seth Schoen Date: Sun, 18 Nov 2012 21:08:07 -0800 Subject: [PATCH 14/15] proxy_peername is always 0.0.0.1 (unspecified) --- server-ca/testchallenge-daemon.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/server-ca/testchallenge-daemon.py b/server-ca/testchallenge-daemon.py index 523a168c6..6221384fb 100755 --- a/server-ca/testchallenge-daemon.py +++ b/server-ca/testchallenge-daemon.py @@ -66,7 +66,7 @@ def testchallenge(session): direct_result, direct_reason, direct_peername = verify_challenge(name, dvsni_r, dvsni_nonce, False) proxy_result, proxy_reason, proxy_peername = verify_challenge(name, dvsni_r, dvsni_nonce, True) log("\t...direct probe: %s (%s) to %s" % (direct_result, direct_reason, direct_peername), session) - log("\tTor proxy probe: %s (%s) to %s" % (proxy_result, proxy_reason, proxy_peername), session) + log("\tTor proxy probe: %s (%s)" % (proxy_result, proxy_reason), session) if direct_result and proxy_result: r.hset(challenge, "satisfied", True) else: From 4c7126d0cdee8b0a81495aff2e3f0b0b79c0a0f1 Mon Sep 17 00:00:00 2001 From: Seth Schoen Date: Sun, 18 Nov 2012 21:31:00 -0800 Subject: [PATCH 15/15] basic logging about messages from clients --- server-ca/chocolate.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/server-ca/chocolate.py b/server-ca/chocolate.py index 55cf9e973..3cb66a99d 100755 --- a/server-ca/chocolate.py +++ b/server-ca/chocolate.py @@ -233,6 +233,7 @@ class session(object): recipient = m.request.recipient csr = m.request.csr sig = m.request.sig + self.log("new session from %s" % web.ctx.ip) # Check whether we are the intended recipient of the request. Doing this # before the hashcash check is more work for the server but gives a more # helpful error message (because the hashcash will be wrong automatically @@ -314,6 +315,7 @@ class session(object): r.proceed.polldelay = polldelay def handleexistingsession(self, m, r): + self.log("received message from %s" % web.ctx.ip) if m.request.IsInitialized(): self.die(r, r.BadRequest, uri="https://ca.example.com/failures/requestinexistingsession") return