diff share/man/man1/roundup-server.1 @ 6834:5129fc03dc1f
issue2551137, 2551138 - roundup-server SSL issues.
Python3 no longer supports socket._fileobject, so fake it using
SocketIO and layering io.BufferedReader as in:
https://bugs.launchpad.net/python-glanceclient/+bug/1812525
Also handle SSL.ZeroReturnError exception by ignoring it. This
exception is thrown when the SSL layer has been closed and a read
happens. There is a warning in openssl as well as python docs that the
underlying (unencrypted) socket may not be closed. In manual testing,
netstat -anp didn't show any unclosed socket so.... Could it leak a fd
still, unknown.
This also seems to have fixed an error when running under python2
where socket shutdown throws an error. Maybe ignoring ZeroReturnError
handled that case?
Also added doc to man page recommending not using -s and using a real
web server instead. Also added doc on format of pem file passed to -e.
No automated testing on this, so no test updates 8-(.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Thu, 18 Aug 2022 14:44:16 -0400 |
| parents | da9a78957bd4 |
| children | 7a48f771cd4f |
--- a/share/man/man1/roundup-server.1 Tue Aug 16 22:42:38 2022 -0400 +++ b/share/man/man1/roundup-server.1 Thu Aug 18 14:44:16 2022 -0400 @@ -45,11 +45,19 @@ roundup. .TP \fB-s\fP -Enables use of SSL. +Enables use of SSL. SSL only works when running the server using +python 3. In most cases, you will want to run a real web server +(Apache, Nginx) as a proxy to roundup-server running without SSL. +The real web server can filter/rate limit/firewall requests to +roundup-server. .TP \fB-e\fP \fIfile\fP -Sets a filename containing the PEM file to use for SSL. If left blank, a -temporary self-signed certificate will be used. +Sets a filename containing the PEM file to use for SSL. The PEM file +must include both the private key and certificate with appropriate +headers (e.g. "-----BEGIN PRIVATE KEY-----", "-----END PRIVATE +KEY-----" and "-----BEGIN CERTIFICATE-----", "-----END +CERTIFICATE-----". If no file is specified, a temporary self-signed +certificate will be used. .TP \fB-N\fP Log client machine names instead of IP addresses (much slower).
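Review bot: In the new \fB-e\fP text the parenthesis opened at `(e.g. "-----BEGIN PRIVATE KEY-----"` is never closed; the sentence ends at `CERTIFICATE-----".`, so it should read `CERTIFICATE-----").`. The header strings are also written with bare `-` characters, which some man renderers output as typographic hyphens, so a reader who copies them from the rendered page may not get the literal PEM markers; writing them with `\-` avoids that. Because the paragraph now states that the file holds the private key together with the certificate, it would be worth adding a sentence that the file should be readable only by the account running roundup-server. In the \fB-s\fP text, "SSL only works when running the server using python 3" is stated without qualification while the commit message reports that the change also seemed to fix a python2 shutdown error, so it would help to say whether python 2 is unsupported for SSL or simply untested.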
