[Zope-dev] Re: ZScheduler and SSL

Loren Stafford lstaffor@dynalogic.com
Mon, 31 Jul 2000 10:29:47 -0700


Jim,

It wouldn't be hard to modify ZScheduler to utilize some SSL-capable client
program instead of Client.py. There are just three lines in
ZScheduler/Dispatcher.py that deal with the client interface (search for
'client'). You might also have to munge the URL that you feed to the client
program (to get https:// instead of http://). (Hmmm. Not even MS Outlook is
SSL aware.)

What that client program might be, I don't know. But I wouldn't be surprised
if to find that you could call MSIE or Navigator or Mozilla with a
command-line interface. Does anyone else have any experience with this?

If there is a generally available solution to this SSL client problem, I
wouldn't mind building it into ZScheduler as an option. At the very least, I
could encapsulate the client interface in a separate module. Then you could
conveniently replace that module with your own.

-- Loren


----- Original Message -----
From: "Jim Sanford" <jsanford@atinucleus.com>
To: "Loren Stafford" <lstaffor@dynalogic.com>
Sent: July 31, 2000 07:03 AM
Subject: Re: ZScheduler and SSL [was: Zope.org feedback]


> Every link is hard coded and is fully qualified so I don't
> use absolute_url in any of my code. What Zope does is beyond
> my knowledge.
>
> I access Zope via PCGI behind MS IIS 4.0 and have had no
> other problems with SSL. Speed is not a problem because we
> have a accelerator card that handles the SSL number
> crunching.
>
> Looks like I will have to figure out a way to handle
> scheduled events (primarily executing reports and emailing
> them to different list sof people, primarily management
> types.) Probably with an external method.
>
> Jim
>
> ----- Original Message -----
> From: "Loren Stafford" <lstaffor@dynalogic.com>
> To: "Jim Sanford" <jsanford@atinucleus.com>
> Sent: Sunday, July 30, 2000 4:48 PM
> Subject: ZScheduler and SSL [was: Zope.org feedback]
>
>
> Have you run into other problems with Zope and SSL?  For
> example, the
> absolute_url method -- does it it always return
> http://something or does it
> return the same protocol specifier used for the request?
>
> I ask, because ZScheduler depends on absolute_url. I also
> wonder whether the
> value of absolute_url will always be correct for ZScheduler
> purposes in
> virtual-hosting environments.
>
> -- Loren
>
> ----- Original Message -----
> From: "Jim Sanford" <jsanford@atinucleus.com>
> To: "Loren Stafford" <lstaffor@dynalogic.com>; "Zope List"
> <zope@zope.org>
> Sent: July 28, 2000 03:39 PM
> Subject: Re: Zope.org feedback
>
>
> > We have no http access to our site.
> >
> > It is a corporate Client Relationship Management, Job
> Tracking and Order
> Processing, Production and Tracking system that is accessed
> > from all over the world.
> >
> > I will send this to the list to see if any one else can
> provide help.
> >
> >
> > ----- Original Message -----
> > From: Loren Stafford <lstaffor@dynalogic.com>
> > To: Jim Sanford <jsanford@atinucleus.com>
> > Sent: Friday, July 28, 2000 5:14 PM
> > Subject: Re: Zope.org feedback
> >
> >
> >
> >
> > > URL: http://www.zope.org/Members/lstaffor
> > > ZScheduler uses Client.py.
> > >
> > > Would it be correct to say that if my entire site is
> only accessible via
> > SSL (https) that ZScheduler will not work?
> >
> > I hadn't thought about this before, so you probably know
> more about it
> than
> > I do. But given that the python lib that Client.py uses
> for http
> > (httplib.py) doesn't support https, then you're right.
> >
> > Solutions?
> >
> > 1. Permit http traffic to your site if it comes fromt the
> same IP and is
> for
> > URLs that end in "/trigger". I suppose that IP spoofing
> makes this
> something
> > of a security hole. How bad?
> >
> > 2. Enhance either Client.py or httplib.py to support at
> least enough https
> > to get the job done. I know nothing about this. Is it
> reasonably doable?
> Is
> > there a Zopista willing and able to do it?
> >
> > 3. ....?
> >
> > -- Loren