initial ssl implementation (more tests coming)

doc/README.rst

@@ -124,10 +124,13 @@ it will continue to poll for a read-write connection.
 If a single address resolves to multiple IPv4 or IPv6 addresses,
 the client will connect to an arbitrary of these addresses.
 
-Authentication
---------------
+SSL
+---
+
+ZEO supports the use of SSL connections between servers and clients,
+including certificate authentication.
+
 
-ZEO supports SSL certificate authentication.
 
 Installing software
 ===================
@@ -288,8 +291,8 @@ transaction-timeout
 
         This defaults to 30 seconds.
 
-SSL configuration
-~~~~~~~~~~~~~~~~~
+Server SSL configuration
+~~~~~~~~~~~~~~~~~~~~~~~~
 
 A server can optionally support SSL.  Do do so, include a `ssl`
 subsection of the ZEO section, as in::
@@ -316,20 +319,26 @@ subsection of the ZEO section, as in::
 The ``ssl`` section has settings:
 
 certificate
-        The path to an SSL certificate file for the server.
+  The path to an SSL certificate file for the server.
 
 key
-        The path to the SSL key file for the server certificate.
+  The path to the SSL key file for the server certificate.
+
+password-function
+  A dotted name if an importable function that, when imported, returns
+  the password needed to unlock the key (if the key requires a password.)
 
 authenticate
-        The path to a file or directory containing client certificates
-        to authenticate.  ((See the ``cafile`` and ``capath``
-        parameters in the Python documentation for
-        ``ssl.SSLContext.load_verify_locations``.)
+  The path to a file or directory containing client certificates
+  to authenticate.  ((See the ``cafile`` and ``capath``
+  parameters in the Python documentation for
+  ``ssl.SSLContext.load_verify_locations``.)
+
+  If this setting is used. then certificate authentication is
+  used to authenticate clients.  A client must be configured
+  with one of the certificates supplied using this setting.
 
-        If this setting is used. then certificate authentication is
-        used to authenticate clients.  A client must be configuted
-        with one of the certificates supplied using this setting.
+  This option assumes that you're using self-signed certificates.
 
 Running the ZEO server as a daemon
 ----------------------------------
@@ -602,59 +611,59 @@ disconnect_poll
    The delay in seconds between attempts to connect to the
    server, in seconds.  Defaults to 1 second.
 
-SSL configuration
-~~~~~~~~~~~~~~~~~
+Client SSL configuration
+~~~~~~~~~~~~~~~~~~~~~~~~
 
 An ``ssl`` subsection can be used to enable and configure SSL, as in::
 
   %import ZEO
 
   <clientstorage>
-    server 8200
+    server zeo.example.com8200
     <ssl>
     </ssl>
   </clientstorage>
 
 In the example above, SSL is enabled in it's simplest form:
 
-- No authentication certificate is supplied
+- The cient expects the server to have a signed certificate, which the
+  client validates.
 
-- The server isn't authenticated against certificates.
-
-- The server's host name isn't checked.
+- The server server host name ``zeo.example.com`` is checked against
+  the server's certificate.
 
 A number of settings can be provided to configure SSL:
 
 certificate
-        The path to an SSL certificate file for the client.  This is
-        needed to allow the server to authenticate the client.
+  The path to an SSL certificate file for the client.  This is
+  needed to allow the server to authenticate the client.
 
 key
-        The path to the SSL key file for the client certificate.
+  The path to the SSL key file for the client certificate.
 
-authenticate
-        The path to a file or directory containing server certificates
-        to authenticate.  ((See the ``cafile`` and ``capath``
-        parameters in the Python documentation for
-        ``ssl.SSLContext.load_verify_locations``.)
+password-function
+  A dotted name if an importable function that, when imported, returns
+  the password needed to unlock the key (if the key requires a password.)
 
-        If this setting is used. then certificate authentication is
-        used to authenticate server.  The server must be configuted
-        with one of the certificates supplied using this setting.
+authenticate
+  The path to a file or directory containing server certificates
+  to authenticate.  ((See the ``cafile`` and ``capath``
+  parameters in the Python documentation for
+  ``ssl.SSLContext.load_verify_locations``.)
 
-        If this setting has the value ``SIGNED`` or ``-``, then
-        default certificate authoritied from the client host system
-        will be used.
+  If this setting is used. then certificate authentication is
+  used to authenticate the server.  The server must be configuted
+  with one of the certificates supplied using this setting.
 
 check-hostname
-        This is a boolean setting that defaults to false. Verify the
-        host name in the server certificate is as expected.
+  This is a boolean setting that defaults to true. Verify the
+  host name in the server certificate is as expected.
 
 server-hostname
-        The expected server host name.  This defaults to the host name
-        used in the server address.  This option must be used when
-        ``verify-host`` is true and when a server address has no host
-        name (localhost, or unix domain socket) or when there is more
-        than one seerver and server hostnames differ.
+  The expected server host name.  This defaults to the host name
+  used in the server address.  This option must be used when
+  ``check-hostname`` is true and when a server address has no host
+  name (localhost, or unix domain socket) or when there is more
+  than one seerver and server hostnames differ.
 
-        Using this setting implies the ``verify-host`` setting.
+  Using this setting implies a true value for the ``check-hostname`` setting.

setup.py

@@ -92,7 +92,7 @@ def alltests():
                     _unittests_only(suite, mod.test_suite())
     return suite
 
-tests_require = ['zope.testing', 'manuel', 'random2']
+tests_require = ['zope.testing', 'manuel', 'random2', 'mock']
 
 long_description = (
     open('README.rst').read()

src/ZEO/ClientStorage.py

@@ -95,6 +95,7 @@ class ClientStorage(object):
                  blob_cache_size=None, blob_cache_size_check=10,
                  client_label=None,
                  cache=None,
+                 ssl = None, ssl_server_hostname=None,
                  # Mostly ignored backward-compatability options
                  client=None, var=None,
                  min_disconnect_poll=1, max_disconnect_poll=None,
@@ -139,10 +140,6 @@ class ClientStorage(object):
             Defaults to None, in which case the cache is not
             persistent.  See ClientCache for more info.
 
-        disconnect_poll
-            The delay in seconds between attempts to connect to the
-            server, in seconds.  Defaults to 1 second.
-
         wait_timeout
             Maximum time to wait for results, including connecting.
 
@@ -266,6 +263,7 @@ class ClientStorage(object):
             addr, self, cache, storage,
             ZEO.asyncio.client.Fallback if read_only_fallback else read_only,
             wait_timeout or 30,
+            ssl = ssl, ssl_server_hostname=ssl_server_hostname,
             )
         self._call = self._server.call
         self._async = self._server.async

src/ZEO/StorageServer.py

@@ -769,6 +769,7 @@ class StorageServer:
                  invalidation_queue_size=100,
                  invalidation_age=None,
                  transaction_timeout=None,
+                 ssl=None,
                  ):
         """StorageServer constructor.
 
@@ -841,7 +842,7 @@ class StorageServer:
             storage.registerDB(StorageServerDB(self, name))
         self.invalidation_age = invalidation_age
         self.zeo_storages_by_storage_id = {} # {storage_id -> [ZEOStorage]}
-        self.acceptor = ZEO.acceptor.Acceptor(addr, self.new_connection)
+        self.acceptor = ZEO.acceptor.Acceptor(addr, self.new_connection, ssl)
         if isinstance(addr, tuple) and addr[0]:
             self.addr = self.acceptor.addr
         else:
@@ -1395,3 +1396,7 @@ class Serving(ServerEvent):
 class Closed(ServerEvent):
     pass
 
+default_cert_authenticate = 'SIGNED'
+def ssl_config(section):
+    from .sslconfig import ssl_config
+    return ssl_config(section, True)

src/ZEO/acceptor.py

@@ -38,13 +38,34 @@ logger = logging.getLogger(__name__)
 class Acceptor(asyncore.dispatcher):
     """A server that accepts incoming RPC connections"""
 
-    def __init__(self, addr, factory):
-        self.socket_map = {}
-        asyncore.dispatcher.__init__(self, map=self.socket_map)
+    def __init__(self, addr, factory, ssl=None):
+        self.__socket_map = {}
+        asyncore.dispatcher.__init__(self, map=self.__socket_map)
         self.addr = addr
-        self.factory = factory
+
+        self.__ssl = ssl
+        if ssl is not None:
+            from ssl import SSLError
+
+            wrap_socket = ssl.wrap_socket
+            def ssl_factory(sock, addr):
+                try:
+                    conn = wrap_socket(sock, server_side=True)
+                except SSLError:
+                    logger.debug("SSL failure", exc_info=True)
+                else:
+                    return factory(conn, addr)
+
+            self.__factory = ssl_factory
+        else:
+            self.__factory = factory
+
         self._open_socket()
 
+    __ssl_context = None
+    def __ssl_wrap_socket(self, sock):
+        return sock
+
     def _open_socket(self):
         addr = self.addr
 
@@ -119,18 +140,20 @@ class Acceptor(asyncore.dispatcher):
         if addr: # Sometimes None on Mac. See above.
             addr = addr[:2]
 
+        sock = self.__ssl_wrap_socket(sock)
+
         try:
-            c = self.factory(sock, addr)
+            c = self.__factory(sock, addr)
         except Exception:
-            if sock.fileno() in asyncore.socket_map:
-                del asyncore.socket_map[sock.fileno()]
+            if sock.fileno() in self.__socket_map:
+                del self.__socket_map[sock.fileno()]
             logger.exception("Error in handle_accept")
         else:
             logger.info("connect from %s: %s", repr(addr), c)
 
     def loop(self, timeout=30.0):
         try:
-            asyncore.loop(map=self.socket_map, timeout=timeout)
+            asyncore.loop(map=self.__socket_map, timeout=timeout)
         except Exception:
             if not self.__closed:
                 raise # Unexpected exc
@@ -142,4 +165,4 @@ class Acceptor(asyncore.dispatcher):
         if not self.__closed:
             self.__closed = True
             asyncore.dispatcher.close(self)
-            logger.debug("Closed accepter, %s", len(self.socket_map))
+            logger.debug("Closed accepter, %s", len(self.__socket_map))

src/ZEO/asyncio/client.py

@@ -36,7 +36,7 @@ class Protocol(base.Protocol):
 
     def __init__(self, loop,
                  addr, client, storage_key, read_only, connect_poll=1,
-                 heartbeat_interval=60):
+                 heartbeat_interval=60, ssl=None, ssl_server_hostname=None):
         """Create a client interface
 
         addr is either a host,port tuple or a string file name.
@@ -54,6 +54,8 @@ class Protocol(base.Protocol):
         self.connect_poll = connect_poll
         self.heartbeat_interval = heartbeat_interval
         self.futures = {} # { message_id -> future }
+        self.ssl = ssl
+        self.ssl_server_hostname = ssl_server_hostname
 
         self.connect()
 
@@ -81,7 +83,8 @@ class Protocol(base.Protocol):
         if isinstance(self.addr, tuple):
             host, port = self.addr
             cr = self.loop.create_connection(
-                self.protocol_factory, host or 'localhost', port)
+                self.protocol_factory, host or 'localhost', port,
+                ssl=self.ssl, server_hostname=self.ssl_server_hostname)
         else:
             cr = self.loop.create_unix_connection(
                 self.protocol_factory, self.addr)
@@ -265,7 +268,8 @@ class Client:
 
     def __init__(self, loop,
                  addrs, client, cache, storage_key, read_only, connect_poll,
-                 register_failed_poll=9):
+                 register_failed_poll=9,
+                 ssl=None, ssl_server_hostname=None):
         """Create a client interface
 
         addr is either a host,port tuple or a string file name.
@@ -281,6 +285,8 @@ class Client:
         self.connect_poll = connect_poll
         self.register_failed_poll = register_failed_poll
         self.client = client
+        self.ssl = ssl
+        self.ssl_server_hostname = ssl_server_hostname
         for name in Protocol.client_delegated:
             setattr(self, name, getattr(client, name))
         self.cache = cache
@@ -344,6 +350,8 @@ class Client:
             self.protocols = [
                 Protocol(self.loop, addr, self,
                          self.storage_key, self.read_only, self.connect_poll,
+                         ssl=self.ssl,
+                         ssl_server_hostname=self.ssl_server_hostname,
                          )
                 for addr in self.addrs
                 ]
@@ -584,14 +592,16 @@ class Client:
 class ClientRunner:
 
     def set_options(self, addrs, wrapper, cache, storage_key, read_only,
-                    timeout=30, disconnect_poll=1):
+                    timeout=30, disconnect_poll=1,
+                    **kwargs):
         self.__args = (addrs, wrapper, cache, storage_key, read_only,
                        disconnect_poll)
+        self.__kwargs = kwargs
         self.timeout = timeout
 
     def setup_delegation(self, loop):
         self.loop = loop
-        self.client = Client(loop, *self.__args)
+        self.client = Client(loop, *self.__args, **self.__kwargs)
         self.call_threadsafe = self.client.call_threadsafe
         self.call_async_threadsafe = self.client.call_async_threadsafe
 
@@ -685,9 +695,10 @@ class ClientThread(ClientRunner):
 
     def __init__(self, addrs, client, cache,
                  storage_key='1', read_only=False, timeout=30,
-                 disconnect_poll=1):
+                 disconnect_poll=1, ssl=None, ssl_server_hostname=None):
         self.set_options(addrs, client, cache, storage_key, read_only,
-                         timeout, disconnect_poll)
+                         timeout, disconnect_poll,
+                         ssl=ssl, ssl_server_hostname=ssl_server_hostname)
         self.thread = threading.Thread(
             target=self.run,
             name="%s zeo client networking thread" % client.__name__,

src/ZEO/component.xml

 <component>
 
-  <sectiontype name="zeo">
+  <import package="ZODB"/>
 
-    <description>
-      The content of a ZEO section describe operational parameters
-      of a ZEO server except for the storage(s) to be served.
-    </description>
+  <sectiontype name="ssl" datatype="ZEO.zconfig.client_ssl">
 
-    <key name="address" datatype="socket-binding-address"
-         required="yes">
+    <key name="certificate" datatype="existing-dirpath" required="yes">
       <description>
-        The address at which the server should listen.  This can be in
-        the form 'host:port' to signify a TCP/IP connection or a
-        pathname string to signify a Unix domain socket connection (at
-        least one '/' is required).  A hostname may be a DNS name or a
-        dotted IP address.  If the hostname is omitted, the platform's
-        default behavior is used when binding the listening socket (''
-        is passed to socket.bind() as the hostname portion of the
-        address).
+        The full path to an SSL certificate file.
       </description>
     </key>
 
-    <key name="read-only" datatype="boolean"
-         required="no"
-         default="false">
+    <key name="key" datatype="existing-dirpath" required="no">
       <description>
-        Flag indicating whether the server should operate in read-only
-        mode.  Defaults to false.  Note that even if the server is
-        operating in writable mode, individual storages may still be
-        read-only.  But if the server is in read-only mode, no write
-        operations are allowed, even if the storages are writable.  Note
-        that pack() is considered a read-only operation.
+        The full path to an SSL key file for the client certificate.
       </description>
     </key>
 
-    <key name="invalidation-queue-size" datatype="integer"
-         required="no"
-         default="100">
+    <key name="password-function" required="no">
       <description>
-        The storage server keeps a queue of the objects modified by the
-        last N transactions, where N == invalidation_queue_size.  This
-        queue is used to speed client cache verification when a client
-        disconnects for a short period of time.
+        Dotted name of importable function for retrieving a password
+        for the client certificate key.
       </description>
     </key>
 
-    <key name="invalidation-age" datatype="float" required="no">
+    <key name="authenticate" datatype="existing-dirpath" required="no">
       <description>
-        The maximum age of a client for which quick-verification
-        invalidations will be provided by iterating over the served
-        storage. This option should only be used if the served storage
-        supports efficient iteration from a starting point near the
-        end of the transaction history (e.g. end of file).
+        Path to a file or directory containing server certificates to be
+        authenticated.
       </description>
     </key>
 
-    <key name="transaction-timeout" datatype="integer"
-         required="no">
+    <key name="check-hostname" datatype="boolean" required="no">
       <description>
-        The maximum amount of time to wait for a transaction to commit
-        after acquiring the storage lock, specified in seconds.  If the
-        transaction takes too long, the client connection will be closed
-        and the transaction aborted.
+        Verify the host name in the server certificate is as expected.
       </description>
     </key>
 
-    <key name="pid-filename" datatype="existing-dirpath"
-         required="no">
+    <key name="server-hostname" required="no">
       <description>
-        The full path to the file in which to write the ZEO server's Process ID
-        at startup. If omitted, $INSTANCE/var/ZEO.pid is used.
+         Host name to use for SSL host name checks.
+
+         If ``check-hostname`` is true then use this as the
+         value to check.  If an address is a host/port pair, then this
+         defaults to the host in the address.
       </description>
-      <metadefault>$INSTANCE/var/ZEO.pid (or $clienthome/ZEO.pid)</metadefault>
     </key>
 
-    <!-- DM 2006-06-12: added option -->
-    <key name="drop-cache-rather-verify" datatype="boolean"
-         required="no" default="false">
-       <description>
-         indicates that the cache should be dropped rather than
-	 verified when the verification optimization is not
-	 available (e.g. when the ZEO server restarted).
-       </description>
+  </sectiontype>
+
+  <sectiontype name="clientstorage" datatype="ZEO.zconfig.ClientStorageConfig"
+               implements="ZODB.storage">
+
+    <section type="ssl" name="*" attribute="ssl" />
+
+    <multikey name="server" datatype="socket-connection-address" required="yes"
+              />
+
+    <key name="cache-size" datatype="byte-size" default="20MB">
+      <description>
+         The cache size in bytes, KB or MB. This defaults to a 20MB.
+         Optional ``KB`` or ``MB`` suffixes can (and usually are) used to
+         specify units other than bytes.
+      </description>
+    </key>
+
+    <key name="cache-path" required="no">
+      <description>
+         The file path of a persistent cache file
+      </description>
+    </key>
+
+    <key name="blob-dir" required="no">
+      <description>
+        Path name to the blob cache directory.
+      </description>
+    </key>
+
+    <key name="shared-blob-dir" required="no" default="no"
+        datatype="boolean">
+      <description>
+          Tells whether the cache is a shared writable directory
+          and that the ZEO protocol should not transfer the file
+          but only the filename when committing.
+      </description>
+    </key>
+
+    <key name="blob-cache-size" required="no" datatype="byte-size">
+      <description>
+            Maximum size of the ZEO blob cache, in bytes.  If not set, then
+            the cache size isn't checked and the blob directory will
+            grow without bound.
+
+            This option is ignored if shared_blob_dir is true.
+      </description>
+    </key>
+
+    <key name="blob-cache-size-check" required="no" datatype="integer">
+      <description>
+            ZEO check size as percent of blob_cache_size.  The ZEO
+            cache size will be checked when this many bytes have been
+            loaded into the cache. Defaults to 10% of the blob cache
+            size.   This option is ignored if shared_blob_dir is true.
+      </description>
+    </key>
+
+    <key name="read-only" datatype="boolean" default="off">
+      <description>
+        A flag indicating whether this should be a read-only storage,
+        defaulting to false (i.e. writing is allowed by default).
+      </description>
+    </key>
+
+    <key name="read-only-fallback" datatype="boolean" default="off">
+      <description>
+        A flag indicating whether a read-only remote storage should be
+        acceptable as a fallback when no writable storages are
+        available.  Defaults to false.  At most one of read_only and
+        read_only_fallback should be true.
+      </description>
+    </key>
+
+    <key name="wait-timeout" datatype="integer" default="30">
+      <description>
+         How long to wait for an initial connection, defaulting to 30
+         seconds.  If an initial connection can't be made within this time
+         limit, then creation of the client storage will fail with a
+         ``ZEO.Exceptions.ClientDisconnected`` exception.
+
+         After the initial connection, if the client is disconnected:
+
+         - In-flight server requests will fail with a
+           ``ZEO.Exceptions.ClientDisconnected`` exception.
+
+         - New requests will block for up to ``wait_timeout`` waiting for a
+           connection to be established before failing with a
+           ``ZEO.Exceptions.ClientDisconnected`` exception.
+      </description>
+    </key>
+
+    <key name="client-label" required="no">
+      <description>
+        A label for the client in server logs
+      </description>
+    </key>
+
+    <!-- The following are undocumented, but not gone. :) -->
+
+    <key name="storage" default="1">
+      <description>
+        The name of the storage that the client wants to use.  If the
+        ZEO server serves more than one storage, the client selects
+        the storage it wants to use by name.  The default name is '1',
+        which is also the default name for the ZEO server.
+      </description>
+    </key>
+
+    <key name="name" default="">
+      <description>
+        The storage name.  If unspecified, the address of the server
+        will be used as the name.
+      </description>
     </key>
 
   </sectiontype>

src/ZEO/runzeo.py

@@ -105,6 +105,7 @@ class ZEOOptionsMixin:
                  "t:", "timeout=", float)
         self.add('pid_file', 'zeo.pid_filename',
                  None, 'pid-file=')
+        self.add("ssl", "zeo.ssl")
 
 class ZEOOptions(ZDOptions, ZEOOptionsMixin):
 
@@ -341,6 +342,7 @@ def create_server(storages, options):
         invalidation_queue_size = options.invalidation_queue_size,
         invalidation_age = options.invalidation_age,
         transaction_timeout = options.transaction_timeout,
+        ssl = options.ssl,
         )
 
 

src/ZEO/schema.xml

@@ -12,7 +12,7 @@
   <import package="ZODB"/>
 
   <!-- Use the ZEO server information structure. -->
-  <import package="ZEO"/>
+  <import package="ZEO" file="server.xml" />
 
   <import package="ZConfig.components.logger"/>
 

src/ZEO/server.xml

+<component>
+
+  <sectiontype name="ssl" datatype="ZEO.zconfig.server_ssl">
+
+    <key name="certificate" datatype="existing-dirpath" required="yes">
+      <description>
+        The full path to an SSL certificate file.
+      </description>
+    </key>
+
+    <key name="key" datatype="existing-dirpath" required="no">
+      <description>
+        The full path to an SSL key file for the server certificate.
+      </description>
+    </key>
+
+    <key name="password-function" required="no">
+      <description>
+        Dotted name of importable function for retrieving a password
+        for the client certificate key.
+      </description>
+    </key>
+
+    <key name="authenticate" required="yes">
+      <description>
+        Path to a file or directory containing client certificates to
+        be authenticated. This can also be - or SIGNED to require
+        signed client certificates.
+      </description>
+    </key>
+
+  </sectiontype>
+
+  <sectiontype name="zeo">
+
+    <section type="ssl" name="*" attribute="ssl" />
+
+    <description>
+      The content of a ZEO section describe operational parameters
+      of a ZEO server except for the storage(s) to be served.
+    </description>
+
+    <key name="address" datatype="socket-binding-address"
+         required="yes">
+      <description>
+        The address at which the server should listen.  This can be in
+        the form 'host:port' to signify a TCP/IP connection or a
+        pathname string to signify a Unix domain socket connection (at
+        least one '/' is required).  A hostname may be a DNS name or a
+        dotted IP address.  If the hostname is omitted, the platform's
+        default behavior is used when binding the listening socket (''
+        is passed to socket.bind() as the hostname portion of the
+        address).
+      </description>
+    </key>
+
+    <key name="read-only" datatype="boolean"
+         required="no"
+         default="false">
+      <description>
+        Flag indicating whether the server should operate in read-only
+        mode.  Defaults to false.  Note that even if the server is
+        operating in writable mode, individual storages may still be
+        read-only.  But if the server is in read-only mode, no write
+        operations are allowed, even if the storages are writable.  Note
+        that pack() is considered a read-only operation.
+      </description>
+    </key>
+
+    <key name="invalidation-queue-size" datatype="integer"
+         required="no"
+         default="100">
+      <description>
+        The storage server keeps a queue of the objects modified by the
+        last N transactions, where N == invalidation_queue_size.  This
+        queue is used to speed client cache verification when a client
+        disconnects for a short period of time.
+      </description>
+    </key>
+
+    <key name="invalidation-age" datatype="float" required="no">
+      <description>
+        The maximum age of a client for which quick-verification
+        invalidations will be provided by iterating over the served
+        storage. This option should only be used if the served storage
+        supports efficient iteration from a starting point near the
+        end of the transaction history (e.g. end of file).
+      </description>
+    </key>
+
+    <key name="transaction-timeout" datatype="integer"
+         required="no">
+      <description>
+        The maximum amount of time to wait for a transaction to commit
+        after acquiring the storage lock, specified in seconds.  If the
+        transaction takes too long, the client connection will be closed
+        and the transaction aborted.
+      </description>
+    </key>
+
+    <key name="pid-filename" datatype="existing-dirpath"
+         required="no">
+      <description>
+        The full path to the file in which to write the ZEO server's Process ID
+        at startup. If omitted, $INSTANCE/var/ZEO.pid is used.
+      </description>
+      <metadefault>$INSTANCE/var/ZEO.pid (or $clienthome/ZEO.pid)</metadefault>
+    </key>
+
+  </sectiontype>
+
+</component>

src/ZEO/tests/client.pem

+-----BEGIN CERTIFICATE-----
+MIID/TCCAuWgAwIBAgIJAJWOSC4oLyp9MA0GCSqGSIb3DQEBBQUAMFwxCzAJBgNV
+BAYTAlVTMQswCQYDVQQIEwJWQTENMAsGA1UEChMEWk9EQjERMA8GA1UEAxMIem9k
+Yi5vcmcxHjAcBgkqhkiG9w0BCQEWD2NsaWVudEB6b2RiLm9yZzAeFw0xNjA2MjMx
+NTA3MTNaFw0xNzA2MjMxNTA3MTNaMFwxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJW
+QTENMAsGA1UEChMEWk9EQjERMA8GA1UEAxMIem9kYi5vcmcxHjAcBgkqhkiG9w0B
+CQEWD2NsaWVudEB6b2RiLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+ggEBANqtLqtrzwDv0nakKiTX5ZtSHOaTmfwHzHsZJkcNf7kJUgGtE0oe3cIj4iAC
+CCpPfUf9OfIA1NpmDsvPMqw80ho1o9g8QZWfW6QOTj2kbnanrRqMDmRvrWlzMQIe
++7EabYxbTjyduk76N2Sa4Tf/my6Yton3zyKtdjSJzoQ/SAKT+Nvjt5s47I4THEFY
+gN7Njbg1FyihKwuwR64EUsyBanutKvXVT7gnB1V2cQhn+LW+NwgzsxKnptvyvBGr
+Ago+uoxrHlIQu59xznS2vA3Ck2K3hIOnXpXYYGeRYKzplZLZnCfZ2uQheiO3ioEO
+UCXICbPMxA7IEpTC75j1n9a3HKcCAwEAAaOBwTCBvjAdBgNVHQ4EFgQUCg1EhkHz
+qYFOgbI/D6zR1tcwHBcwgY4GA1UdIwSBhjCBg4AUCg1EhkHzqYFOgbI/D6zR1tcw
+HBehYKReMFwxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJWQTENMAsGA1UEChMEWk9E
+QjERMA8GA1UEAxMIem9kYi5vcmcxHjAcBgkqhkiG9w0BCQEWD2NsaWVudEB6b2Ri
+Lm9yZ4IJAJWOSC4oLyp9MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEB
+AJk3TviNGmjzCuDzLajeLEB9Iy285Fl3D/3TvThSDECS3cUq+i8fQm0cjOYnE/rK
+6Lpg6soeQFetoWQsNT2uvxyv3iZEOtBwNhQKaKTkzIRTmMx/aWM0zG0c3psepC6c
+1Fgp0HAts2JKC4Ni7zHFBDb8YZi87IUHYNKuJKcUWKiEgeHu2zCI1Q43FMSKoaG8
+XwYi1Mxw6TQQtjZrMnNPSeO7zySBuCw10bCZSMC5xvsqckfREifRT//4A0/COWYK
+/p6TZMTaMjrK8fOaPpap314QnLf80P6oLEZ7wkghaNuyq8IzgATuxYVy21132MNB
+qZIUS+iblQAZDSHnQJoehQQ=
+-----END CERTIFICATE-----

src/ZEO/tests/client_key.pem

+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEA2q0uq2vPAO/SdqQqJNflm1Ic5pOZ/AfMexkmRw1/uQlSAa0T
+Sh7dwiPiIAIIKk99R/058gDU2mYOy88yrDzSGjWj2DxBlZ9bpA5OPaRudqetGowO
+ZG+taXMxAh77sRptjFtOPJ26Tvo3ZJrhN/+bLpi2iffPIq12NInOhD9IApP42+O3
+mzjsjhMcQViA3s2NuDUXKKErC7BHrgRSzIFqe60q9dVPuCcHVXZxCGf4tb43CDOz
+Eqem2/K8EasCCj66jGseUhC7n3HOdLa8DcKTYreEg6deldhgZ5FgrOmVktmcJ9na
+5CF6I7eKgQ5QJcgJs8zEDsgSlMLvmPWf1rccpwIDAQABAoIBAQDSju7hIG2x+Tou
+AuSRlVEAvZAWdQlQJDJAVXcF83mIMfFEq+Jm/FGLHgIdz9cM5n07VBj3bNWHdb3J
+gTjJn8audffNvjdoWoli7mNn92xl1A5aAYHaM65GWyRVZn/zh/7zpvcuZrF+Wm/7
+7yXtRbGmrGUXdAV+3odzDz5LGKO91fTuM2nW0j+p7+q2Bzko7+rl9AVxaveco4pt
+TtqXX2eOC3wTcNotBfJJD89/+/szg62K4CYCUAaetKMPcVrgQ4v0YHakOl8lJJxW
+q7XiqhPyjeZp6h8e9dtVCkeZHa3xacuoftF2w3FslVEX/LOooAKf07PU1xxJezZN
+trP11pgBAoGBAPoysqD9OW3C0WyIXm/Lx1Pncr/p/kKYlXNDWQRmizHmfLC4xrBI
+n75mYSp7BJ7Gh2W7lW9lnyJ0uaqXdqOOswO/baTeSEvvhL+lLs4F1cQWemjTD4qy
+KqCxCCbTf8gZPssiJXsXGmf6yWAdpjfYUxarxB0Ks6wHLBpQHctvVebJAoGBAN+/
+W0+yAXssr7AWgKAyiHtqE/MiI8e0bDJWDjHxaPvnSVyDwVOARj/JKvw7jnhg8FKJ
+1iWtl8ym2ktcAQygSl3HW4wggD59BbeXrUQr4nZi8wLMTpLxnSfITFrwXpwVShT4
+8KJPR46W/Plkphm1fZn6Lr0uGJ12pV+iPAq/F+/vAoGALmRoKuHJXEjbfDxtBl3K
+wAwSgvNoagDQ9WZvgxlghggu5rXcYaOVu0BQlAfre2VkhcCanOVC9KigJLmhDgLP
+vsooEoIE9c+b1c1TOHBsiseAOx+nqhgPP2yUDl75Oqkzs4bJXGGUS+N8o43b3E8I
+WRPQcXIijqtlyhtA6w/h5cECgYEA2M6DnGXQKZrTYr1rRc+xkGTpj9607P5XGS9p
+8dsK74zd+VdyLYdOiuBTVrYfB2ZneJM3fqsHPLcxL3SnT6TCarySaOXVXremoo/G
+xRgBCNY4w61VNe4JalMcKcJg6r12W3wdMCnCHNkRqFdu29qRKnLSd14DXBFrjY+W
+vpMMjuECgYEAtNOm9WTCAlVbGTMplXcUJBWNwdOz+sHMi+PhP/fTNm0XH3fepFeQ
+th7b/RYocTwAHGu8mArX2DgXAfDQAYMPFN8vmbh0XQsQV+iuja9MO2TagTyVSe3x
+DBOTFCLg8oWtzwySZ6BKR/KsGI2ryRxyE1VojV0zNXRyZqDCm+G4Vs0=
+-----END RSA PRIVATE KEY-----

src/ZEO/tests/forker.py

@@ -40,9 +40,6 @@ class ZEOConfig:
             addr = '%s:%s' % addr
         self.address = addr
         self.read_only = None
-        self.invalidation_queue_size = None
-        self.invalidation_age = None
-        self.transaction_timeout = None
         self.loglevel = 'INFO'
 
     def dump(self, f):
@@ -50,13 +47,16 @@ class ZEOConfig:
         print("address " + self.address, file=f)
         if self.read_only is not None:
             print("read-only", self.read_only and "true" or "false", file=f)
-        if self.invalidation_queue_size is not None:
-            print("invalidation-queue-size",
-                  self.invalidation_queue_size, file=f)
-        if self.invalidation_age is not None:
-            print("invalidation-age", self.invalidation_age, file=f)
-        if self.transaction_timeout is not None:
-            print("transaction-timeout", self.transaction_timeout, file=f)
+
+        for name in (
+            'invalidation_queue_size', 'invalidation_age',
+            'transaction_timeout', 'pid_filename',
+            'ssl_certificate', 'ssl_key',
+            ):
+            v = getattr(self, name, None)
+            if v:
+                print(name.replace('_', '-'), v, file=f)
+
         print("</zeo>", file=f)
 
         print("""
@@ -177,25 +177,24 @@ def start_zeo_server(storage_conf=None, zeo_conf=None, port=None, keep=False,
         storage_conf = '<blobstorage>\nblob-dir %s\n%s\n</blobstorage>' % (
             blob_dir, storage_conf)
 
-    if port is None:
-        raise AssertionError("The port wasn't specified")
+    if zeo_conf is None or isinstance(zeo_conf, dict):
+        if port is None:
+            raise AssertionError("The port wasn't specified")
 
-    if isinstance(port, int):
-        addr = 'localhost', port
-    else:
-        addr = port
-        adminaddr = port+'-test'
+        if isinstance(port, int):
+            addr = 'localhost', port
+        else:
+            addr = port
 
-    if zeo_conf is None or isinstance(zeo_conf, dict):
         z = ZEOConfig(addr)
         if zeo_conf:
             z.__dict__.update(zeo_conf)
-        zeo_conf = z
+        zeo_conf = str(z)
 
     # Store the config info in a temp file.
     tmpfile = tempfile.mktemp(".conf", dir=os.getcwd())
     fp = open(tmpfile, 'w')
-    zeo_conf.dump(fp)
+    fp.write(zeo_conf + '\n\n')
     fp.write(storage_conf)
     fp.close()
 

src/ZEO/tests/server.pem

+-----BEGIN CERTIFICATE-----
+MIID/TCCAuWgAwIBAgIJAKpYWt7G+3R4MA0GCSqGSIb3DQEBBQUAMFwxCzAJBgNV
+BAYTAlVTMQswCQYDVQQIEwJWQTENMAsGA1UEChMEWk9EQjERMA8GA1UEAxMIem9k
+Yi5vcmcxHjAcBgkqhkiG9w0BCQEWD3NlcnZlckB6b2RiLm9yZzAeFw0xNjA2MjMx
+NTA5MTZaFw0xNzA2MjMxNTA5MTZaMFwxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJW
+QTENMAsGA1UEChMEWk9EQjERMA8GA1UEAxMIem9kYi5vcmcxHjAcBgkqhkiG9w0B
+CQEWD3NlcnZlckB6b2RiLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+ggEBANqyMazB39wFKFh2nIspOw+e/7LPLQZpsd6BnYOxPbdlhb23Q930WqgW5qCA
+aJjLqkmvQvZhElXdO2lOxGLR2/Cu71UgmYXkZbMKqPNtoYCPRPCCKm5EczAFXTy4
+SUD40wAlndP7J8TjpIaKZjgdfy4GWnGQQAbXUR1eFZszQtU7pUvyjgXsY+BEgq4h
+F4iIBarcf8k/6PTldTRLxEbRiTNZ4cdIEtTJL/LzSu5oBw8Z3J05aPg9DcWVl89P
+XtemKxU8+Vm847xXJkuODkpSgOCqAPn959b/DGdn1fyx2CR0lSgC4n2rYE/oWxw0
+hiyI1jeXTAfOtqvcg4XA5Cs3ivUCAwEAAaOBwTCBvjAdBgNVHQ4EFgQUoWgKmGKI
+o2U9vFK48cyXuZrmPdgwgY4GA1UdIwSBhjCBg4AUoWgKmGKIo2U9vFK48cyXuZrm
+PdihYKReMFwxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJWQTENMAsGA1UEChMEWk9E
+QjERMA8GA1UEAxMIem9kYi5vcmcxHjAcBgkqhkiG9w0BCQEWD3NlcnZlckB6b2Ri
+Lm9yZ4IJAKpYWt7G+3R4MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEB
+ACiGzPx1445EdyO4Em3M6MwPQD8KVLvxsYE5HQMk0A2BTJOs2Vzf0NPL2hn947D/
+wFe/ubkJXmzPG2CBCbNA//exWj8x2rR8256qJuWDwFx0WUFpRmEVFUGK+bpvgxQV
+DlLxnWV8z6Tq9vINRjKT3mcBX4OpDgbEL4O92pbJ7kZNn4Z2+v6/lsWzg3Eo6LVY
+fj902gQD/6hjVenD6J5Dqftj4x9nsKjdMz8n5Ok5E1J02ghiWjlUp1PNUKwc2Elw
+oFnjPiacbko0fSnD9Zf6qBbACAYyBkHvBc1ZMebnGepZn3E6V91X5kZl84hGzgsb
+C+2aGtAqSnvL4/DlIyss3hc=
+-----END CERTIFICATE-----

src/ZEO/tests/server_key.pem

+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA2rIxrMHf3AUoWHaciyk7D57/ss8tBmmx3oGdg7E9t2WFvbdD
+3fRaqBbmoIBomMuqSa9C9mESVd07aU7EYtHb8K7vVSCZheRlswqo822hgI9E8IIq
+bkRzMAVdPLhJQPjTACWd0/snxOOkhopmOB1/LgZacZBABtdRHV4VmzNC1TulS/KO
+Bexj4ESCriEXiIgFqtx/yT/o9OV1NEvERtGJM1nhx0gS1Mkv8vNK7mgHDxncnTlo
++D0NxZWXz09e16YrFTz5WbzjvFcmS44OSlKA4KoA+f3n1v8MZ2fV/LHYJHSVKALi
+fatgT+hbHDSGLIjWN5dMB862q9yDhcDkKzeK9QIDAQABAoIBACtwA0/V/jm8SIQx
+ouw9Fz8GDLGeVsoUSkDwq7GRjbmUj5jcAr3eH/eM/OfaOWxH353dEsbPBw5I79j9
+zSH3nuDSTjUxUWz3rX9/WYloOBDJ5B6FLBpUvDBIkHlT/TDLe1VnI08Mbpy7vlz+
+tkjlCvLATkyKIz14nOLhYhc+ekLRxQZrVRgHIPW13c0F61drkc4uCs/UMbYRzZiZ
+nnMeQLghIUP13xMtMMkNx0P1ampvV18kCJWuvHUqOMnCaPnTGCnGfOUtq98sTdui
+vBnleePmBzF5VGT7M3e3pr63EKyVPD/bx2dbItcxOahBTgDbMQR4AQ65NvD5+B0+
+d9XbfgECgYEA7wLsMvFAmj5IrXYGYnaqy1LsMiZll9zv4QB2tAKLSIy5z0Cns54R
+ttI6Ni94CfjBOKmR5IZXjgXZg5ydu+tBLwqNMJISziFSyTxzwNsAEPczUHefFhwq
+zhAkIVsISy42AxpuyHlz5EBSJiUULhguUhmIDxCbQnmlSK6X9MxYO3UCgYEA6j2c
+dfU4RC2tzjNKoKs52mUoWmwFsM5CKs0hDeRn2KV80nNKn/mRa0cZ36u/x0hN3fBm
+wrwNiZWOX+ot5SfnePx0dOiTOxfWYeXtzVqF6KhPUK8K5424zL+N1uw941gvkXYR
+Cc79AxDI/S5y/2ZR8aW4H91LdCcvPlE4Dp1JoYECgYAuE2gpYezMT1l/ZxNQBARk
+8fVqrZBEOGld/NLlXOAw+kAPvi0WKVDM57YlH/2KHpRRMg9X+LYEQQhvoM+fnHiS
+cvxI8sABUNc+yBKgiRd4Lc+MoaLfhkqSMvZkH8J3i88Jxhy5NQCsbeHoTJmZUTwM
+w7NBBDiKFh1Q56ePn50ayQKBgQCA8guoT6Z6uZ6dDVU+nyOI2vjc1exICTMZdrSE
+fkDAXVEaVMc2y17G7GwM2fIHlQDwdP9ModLd80td937uUAo3atn85W7vL88fM0C2
+M+fVTJnk84cQMs8RPz2om4HyHcCJ1bHJcX2Ma3gJD8HUYJIpcS2rtNlthoiWSIWQ
+XfuDgQKBgQCYW+x52XSaTjE0SviYmeNuO30bELgjxPyPLge407EAp1h6Sr9Za5ap
+2aQsClsuzpHcHDoWmzO+dTr70Qyt/YoY5FN3uZRG9m7X/OH7+ceBEU/BtQ0Whem4
+YNE5lpuw4eGsJQGkhRFcqKy66gId7Sw5b6CIaJqbhQCogkWt5JQuWQ==
+-----END RSA PRIVATE KEY-----

src/ZEO/tests/serverpw.pem

+-----BEGIN CERTIFICATE-----
+MIID8DCCAtigAwIBAgIJALop9P9MBfzLMA0GCSqGSIb3DQEBBQUAMFgxCzAJBgNV
+BAYTAlVTMQswCQYDVQQIEwJWQTENMAsGA1UEChMEWk9EQjERMA8GA1UEAxMIem9k
+Yi5vcmcxGjAYBgkqhkiG9w0BCQEWC3B3QHpvZGIub3JnMB4XDTE2MDYyMzE1MTAz
+MVoXDTE3MDYyMzE1MTAzMVowWDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAlZBMQ0w
+CwYDVQQKEwRaT0RCMREwDwYDVQQDEwh6b2RiLm9yZzEaMBgGCSqGSIb3DQEJARYL
+cHdAem9kYi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDKw/iw
+N1EPddU9QQQ+OnCJv9G3rbTOPt4zEbpfTROIHTME3krFKPALrGF2aK+oBpHx3/TZ
+HN5UvWK/jmGtDL9jekKCAaeAaVIKlESUS6DIxZY+FaO3re/1fbmBNRz8Cnn1raAw
+/4YZRDPvblooH4Nt5m7uooGAIIDPft3fInhmGboOoIpXc7nMGVGOWXlDN5I9oFmm
+4vby4CUMy3A/0wnHgTuMNy7Tpjgz2E/1MRAOyWQ7PZYiASs4ycZfas8058O8DI+o
+rSYyum/czecIz52P6jbx5LWvcKDWac8QbJoHPelthYtxcMHee2+Nh6MWW688CBzq
+HSeFAdNO3d9kMiFpAgMBAAGjgbwwgbkwHQYDVR0OBBYEFDui1OC2+2z2rHADglk5
+tGOndxhoMIGJBgNVHSMEgYEwf4AUO6LU4Lb7bPascAOCWTm0Y6d3GGihXKRaMFgx
+CzAJBgNVBAYTAlVTMQswCQYDVQQIEwJWQTENMAsGA1UEChMEWk9EQjERMA8GA1UE
+AxMIem9kYi5vcmcxGjAYBgkqhkiG9w0BCQEWC3B3QHpvZGIub3JnggkAuin0/0wF
+/MswDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAiEYO8MZ3OG8sqy9t
+AtUZbv0aTsIUzy/QTUKKDUo8qwKNOylqyqGAZV0tZ5eCoqIGFAwRJBBymIizU3zH
+U1k2MnYZMVi7uYwSy+qwg52+X7GLl/kaAfx8kNvpr274CuZQnLojJS+K8HtH5Pom
+YD3gTO3OxGS4IS6uf6DD+mf+C9OBnTl47P0HA0/eHBEXVSc2vsv30H/UoW5VbZ6z
+6TWkoPwSMVhCNRRRif4/eqCLh24/h5b4uvAC+tsrIPQ9If7EsqVTNMCbAkv3ib6g
+OmaCdbrGkqvD3UVn7i5ci96UZoF80EWNZiwhMdvQtMfOAR4jHQ1pTepJni6JwzZP
+UMNDpQ==
+-----END CERTIFICATE-----

src/ZEO/tests/serverpw_key.pem

+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,769B900D03925712
+
+z5M/XkqEC1+PxJ1T3QrUhGG9fPTBsPxKy8WlwIytbMg0RXS0oJBiFgNYp1ktqzGo
+yT+AdTCRR1hNVX8M5HbV3ksUjKxXKCL3+yaaB6JtGbNRr2qTNwosvxD92nKT/hvN
+R6rHF6LcO05s8ubs9b9ON/ja7HCx69N5CjBuCbCFHUTlAXkwD9w0ScrxrtfP50EY
+FOw6LAqhhzq6/KO7c1SJ7k9LYzakhL+nbw5KM9QgBk4WHlmKLbCZIZ5RWvu0F4s5
+n4qk/BcuXIkbYuEv2kH0nDk5eDfA/dj7xZcMMgL5VFymQzaZLYyj4WuQYXu/7JW/
+nM/ZWBkZOMaI3vnPTG1hJ9pgjLjQnjfNA/bGWwbLxjCsPmR8yvZS4v2iqdB6X3Vl
+yJ9aV9r8KoU0PJk3x4v2Zp+RQxgrKSaQw59sXptaXAY3NCRR6ohvq4P5X6UB8r5S
+vYdoMeVXhX1hzXeMguln7zQInwJhPZqk4wMIV3lTsCqh1eJ7NC2TGCwble+B/ClR
+KtzuJBzoYPLw44ltnXPEMmVH1Fkh17+QZFgZRJrKGD9PGOAXmnzudsZ1xX9kNnOM
+JLIT/mzKcqkd8S1n1Xi1x7zGA0Ng5xmKGFe8oDokPJucJO1Ou+hbLDmC0DZUGzr1
+qqPJ3F/DzZZDTmD/rZF6doPJgFAZvgpVeiWS8/v1qbz/nz13uwXDLjRPgLfcKpmQ
+4R3V4QlgviDilW61VTZnzV9qAOx4fG6+IwWIGBlrJnfsH/fSCDNlAStc6k12zdun
+PIIRJBfbEprGig3vRWUoBASReqow1JCN9DaVCX1P27pDKY5oDe+7/HOrQpwhPoya
+2HEwbKeyY0nCcCXbkWGL1bwEUs/PrJv+61rik4KxOWhKpHWkZLzbozELb44jXrJx
+e8K8XKz4La2DEjsUYHc31u6T69GBQO9JDEvih15phUWq8ITvDnkHpAg+wYb1JAHD
+QcqDtAulMvT/ZGN0h7qdwbHMggEsLgCCVPG4iZ5K4cXsMbePFvQqq+o4FTMF+cM5
+2Dq0wir92U9cH+ooy80LIt5Kp5zqgQZzr73o9MEgwqJocCrx9ZrofKRUmTV+ZU0r
+w5mfUM47Ctnqia0UNGx6SUs3CHFDPWPbzrAaqGzSvFhzR1MMoL1/rJzP1VSm3Fk3
+ESWkPrg0J8dcQP/ch9MhH8eoQYyA+2q1vClUbeZLAs5KoHxgi6pSkGYqFhshrA+t
+2AIrUPDPPDf0PgRoXJrzdVOiNNY1rzyql+0JqDH6DjCVcAADWY+48p9U2YFTd7Je
+DvnZWihwe0qYGn1AKIkvJ4SR3bQg36etrxhMrMl/8lUn2dnT7GFrhjr9HwCpJwa7
+8tv150SrQXt3FXZCHb+RMUgoWZDeksDohPiGzXkPU6kaSviZVnRMslyU4ahWp6vC
+8tYUhb7K6N+is1hYkICNt6zLl2vBDuCDWmiIwopHtnH1kz8bYlp4/GBVaMIgZiCM
+gM/7+p4YCc++s2sJiQ9+BqPo0zKm3bbSP+fPpeWefQVte9Jx4S36YXU52HsJxBTN
+WUdHABC+aS2A45I12xMNzOJR6VfxnG6f3JLpt3MkUCEg+898vJGope+TJUhD+aJC
+-----END RSA PRIVATE KEY-----

src/ZEO/zconfig.py

@@ -2,33 +2,37 @@
 """
 import os
 
-default_cert_authenticate = 'SIGNED', '-'
 def ssl_config(section, server):
     import ssl
 
-    context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
-    if section.certificate:
-        context.load_cert_chain(section.certificate,
-                                keyfile=section.key)
+    cafile = capath = None
     auth = section.authenticate
     if auth:
-        if auth in default_cert_authenticate:
-            context.load_default_certs(
-                ssl.Purpose.CLIENT_AUTH if server else ssl.Purpose.SERVER_AUTH)
-        elif os.path.isdir(auth):
-            context.load_verify_locations(capath=auth)
+        if os.path.isdir(auth):
+            capath=auth
         else:
-            context.load_verify_locations(cafile=auth)
+            cafile=auth
+
+    context = ssl.create_default_context(
+        ssl.Purpose.CLIENT_AUTH, cafile=cafile, capath=capath)
+
+    if section.certificate:
+        password = section.password_function
+        if password:
+            module, name = password.rsplit('.', 1)
+            module = __import__(module, globals(), locals(), ['*'], 0)
+            password = getattr(module, name)
+        context.load_cert_chain(section.certificate, section.key, password)
 
-        context.verify_mode = ssl.CERT_REQUIRED
-    else:
-        context.verify_mode = ssl.CERT_NONE
+    context.verify_mode = ssl.CERT_REQUIRED
 
     if server:
         context.check_hostname = False
         return context
 
-    context.check_hostname = section.check_hostname or section.server_hostname
+    context.check_hostname = bool(
+        section.check_hostname is None and (section.server_hostname or not auth)
+        or section.check_hostname)
 
     return context, section.server_hostname