Opened 14 years ago
Last modified 14 years ago
#644 new enhancement
support for Client authenticated SSL connections (https)
Reported by: | powerking@… | Owned by: | |
---|---|---|---|
Priority: | major | Milestone: | 0.6.1 |
Component: | Build slave | Version: | 0.6b3 |
Keywords: | patch | Cc: | |
Operating System: | Windows |
Description
Our company has a TRAC/SVN environment protected by SSL using both server certificates and user certificates. Unfortunately I did not get a connection from a bitten-slave to the bitten master running on that server.
The bitten-slave supports username and password as input to use an authenticated connection, and I'm not sure if it supports connecting to an https: URL with only a server certificate. But it has no options for key_file and cert_file that would be needed to open a mutually secured SSL connection.
I looked around a bit, but I'm not very familiar with Python. Here is what I found out:
- urllib and urllib2 should already support certificates using the parameters key_file and cert_file.
- So I hope that extending this feature (client auth) isn't too hard?
- Even though urllib allows accessing SSL-protected web sites, it does not verify the server certificate, as the SSL lib does not either. This should be prominently noted somewhere.
For completeness, the log of running my slave:
```
C:\Programme\Python27\Scripts>bitten-slave.exe -v https://any.server.com/trac/AnyProject/builds >log.txt
[INFO ] Slave launched at 2010-11-17 11:34:29
[DEBUG ] Authentication not provided. Attempting to execute build anonymously.
[DEBUG ] Configured packages: {}
[DEBUG ] Sending slave configuration: <slave version="5" name="user"><platform processor="x86 Family 15 Model 4 Stepping 1, GenuineIntel">x86</platform> <os version="XP" family="nt">Windows</os></slave>
[DEBUG ] Sending POST request to 'https://any.server.com/trac/AnyProject/builds'
[ERROR ] <urlopen error [Errno 1] _ssl.c:499: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure>
[DEBUG ] Removing working directory c:\temp\bittenxvn91v
[INFO ] Slave exited at 2010-11-17 11:34:29
```
Hi. I manage a trac/svn installation secured through SSL and client certificates in a small open source development company.
We had exactly that problem, and we made a patch against the 0.6.x branch to allow bitten-slave to use a pair of CRT/KEY files in PEM format.
Unfortunately our installed bitten-master belongs to an early revision and the stable branch of bitten-slave fails to communicate with the trac, giving a 500 error after a successful connection. So I had to readapt the patch to our installed slave, using the same techniques. And now it works: it can access trac using certificates, recover the recipe and transmit the results. It's a patch in the transport of the slave, so I don't know how it behaves when something goes odd, and I only have working experience in our bitten-slave installation, which is different from the 0.6.x branch.
I leave the patch here; perhaps it will be useful. It's based on this report on a Python bug over that x509 issue
Hope it helps.
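
The two points raised in this ticket (presenting a client certificate/key pair, and actually verifying the server certificate) can be shown together. This is an added example, not the attached patch and not bitten's code; it uses the Python 3 standard library rather than the Python 2.7 urllib2 the ticket ran on, and the function names and file paths (`client.crt`, `client.key`, `ca.pem`) are placeholders chosen here.

```python
import ssl
import urllib.request


def make_client_context(cert_file=None, key_file=None, ca_file=None):
    """Build a TLS context that verifies the server and, if given a
    certificate/key pair, presents it for client authentication."""
    # Start from the verifying defaults; ca_file=None means the system trust
    # store, a path means a private CA bundle (PEM).
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    # Already the defaults, restated so a later edit cannot silently drop them.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if cert_file:
        # PEM files; key_file may be None when the key is inside cert_file.
        ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


def make_opener(ctx):
    """Return a urllib opener whose HTTPS connections use ctx."""
    return urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))


def post(opener, url, body, timeout=30):
    """POST body (bytes) to url; raises urllib.error.URLError on TLS failure."""
    req = urllib.request.Request(url, data=body, method="POST")
    with opener.open(req, timeout=timeout) as resp:
        return resp.status, resp.read()


if __name__ == "__main__":
    # Placeholder paths and the ticket's example URL; replace before running.
    ctx = make_client_context("client.crt", "client.key", ca_file="ca.pem")
    status, _ = post(make_opener(ctx),
                     "https://any.server.com/trac/AnyProject/builds",
                     b"<slave/>")
    print(status)
```

A missing or unreadable certificate file fails at `load_cert_chain`, before any connection is attempted, which separates local configuration errors from a handshake rejection by the server.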