Utilities for using M2Crypto SSL with DIRAC.


Gets the details of the current peer as a standard dict. The peer details are obtained from the supplied M2 SSL Connection obj “conn”. The details returned are those from ~X509Chain.getCredentials, without Registry info:

DN - Full peer DN as string x509Chain - Full chain of peer isProxy - Boolean, True if chain ends with proxy isLimitedProxy - Boolean, True if chain ends with limited proxy group - String, DIRAC group for this peer, if known

Returns a dict of details.

DIRAC.Core.DISET.private.Transports.SSL.M2Utils.getM2SSLContext(ctx=None, **kwargs)

Gets an M2Crypto.SSL.Context configured using the standard DIRAC connection keywords from kwargs. The keywords are:

  • clientMode: Boolean, if False hostcerts are always used. If True

    a proxy is used unless other flags are set.

  • useCertificates: Boolean, Set to true to use hostcerts in client


  • proxyString: String, allow a literal proxy string to be provided.

  • proxyLocation: String, Path to file to use as proxy, defaults to

    usual location(s) if not set.

  • skipCACheck: Boolean, if True, don’t verify peer certificates.

  • sslMethods: String, List of SSL algorithms to enable in OpenSSL style

    cipher format, e.g. “SSLv3:TLSv1”.

  • sslCiphers: String, OpenSSL style cipher string of ciphers to allow

    on this connection.

If an existing context “ctx” is provided, it is just reconfigured with the selected arguments.

Returns the new or updated context.

DIRAC.Core.DISET.private.Transports.SSL.M2Utils.ssl_verify_callback_print_error(ok, store)

This callback method does nothing but printing the error. It prints a few more useful info than the exception

  • ok – current validation status

  • store – pointer to the X509_CONTEXT_STORE