def wrap_ssl_impl(sock,
keyfile=None,
certfile=None,
server_side=False,
cert_reqs=None,
ssl_version=None,
ca_certs=None,
do_handshake_on_connect=True,
suppress_ragged_eofs=True,
ciphers=None):
# theoretically the ssl_version could be respected in this
# next line
context = SSL.Context(SSL.SSLv23_METHOD)
if certfile is not None:
context.use_certificate_file(certfile)
if keyfile is not None:
context.use_privatekey_file(keyfile)
context.set_verify(SSL.VERIFY_NONE, lambda *x: True)
connection = SSL.Connection(context, sock)
if server_side:
connection.set_accept_state()
else:
connection.set_connect_state()
return connection
def configure_http2_server(listen_port, server_port, https_pem):
# Let's set up SSL. This is a lot of work in PyOpenSSL.
options = (SSL.OP_NO_COMPRESSION | SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3
| SSL.OP_NO_TLSv1 | SSL.OP_NO_TLSv1_1)
# Keep things TSL1_2 and non-ECDH in case tester wants to decrypt the traffic
# in wireshark with the pem key.
context = SSL.Context(SSL.TLSv1_2_METHOD)
context.set_options(options)
context.set_verify(SSL.VERIFY_NONE, lambda *args: True)
context.use_privatekey_file(https_pem)
context.use_certificate_file(https_pem)
context.set_npn_advertise_callback(npn_advertise_cb)
context.set_alpn_select_callback(alpn_callback)
context.set_cipher_list("RSA+AESGCM")
context.set_tmp_ecdh(crypto.get_elliptic_curve(u'prime256v1'))
server = eventlet.listen(('0.0.0.0', listen_port))
server = SSL.Connection(context, server)
print("Serving HTTP/2 Proxy on {}:{} with pem '{}', forwarding to {}:{}".
format("127.0.0.1", listen_port, https_pem, "127.0.0.1",
server_port))
pool = eventlet.GreenPool()
while True:
try:
new_sock, _ = server.accept()
manager = Http2ConnectionManager(new_sock)
manager.server_port = server_port
manager.cert_file = https_pem
pool.spawn_n(manager.run_forever)
except (SystemExit, KeyboardInterrupt):
break
def _tlsstartup(cnn):
authname = None
cert = None
if libssl:
# most fully featured SSL function
ctx = libssl.Context(libssl.SSLv23_METHOD)
ctx.set_options(libssl.OP_NO_SSLv2 | libssl.OP_NO_SSLv3
| libssl.OP_NO_TLSv1 | libssl.OP_NO_TLSv1_1
| libssl.OP_CIPHER_SERVER_PREFERENCE)
ctx.set_cipher_list(
'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:'
'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384')
ctx.set_tmp_ecdh(crypto.get_elliptic_curve('secp384r1'))
ctx.use_certificate_file('/etc/confluent/srvcert.pem')
ctx.use_privatekey_file('/etc/confluent/privkey.pem')
ctx.set_verify(libssln.VERIFY_PEER, lambda *args: True)
libssln._lib.SSL_CTX_set_cert_verify_callback(ctx._context,
verify_stub, ffi.NULL)
cnn = libssl.Connection(ctx, cnn)
cnn.set_accept_state()
cnn.do_handshake()
cert = cnn.get_peer_certificate()
else:
try:
# Try relatively newer python TLS function
ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
ctx.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
ctx.set_ciphers(
'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:'
'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384')
ctx.load_cert_chain('/etc/confluent/srvcert.pem',
'/etc/confluent/privkey.pem')
cnn = ctx.wrap_socket(cnn, server_side=True)
except AttributeError:
# Python 2.6 era, go with best effort
cnn = ssl.wrap_socket(cnn,
keyfile="/etc/confluent/privkey.pem",
certfile="/etc/confluent/srvcert.pem",
ssl_version=ssl.PROTOCOL_TLSv1,
server_side=True)
sessionhdl(cnn, authname, cert=cert)
def configure_http2_server(listen_port,
server_port,
https_pem,
ca_pem,
h2_to_server=False):
# Let's set up SSL. This is a lot of work in PyOpenSSL.
options = (SSL.OP_NO_COMPRESSION | SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3
| SSL.OP_NO_TLSv1 | SSL.OP_NO_TLSv1_1)
# Keep things TSL1_2 and non-ECDH in case tester wants to decrypt the traffic
# in wireshark with the pem key.
context = SSL.Context(SSL.TLSv1_2_METHOD)
context.set_options(options)
context.set_verify(SSL.VERIFY_NONE, lambda *args: True)
context.use_privatekey_file(https_pem)
context.use_certificate_file(https_pem)
context.set_alpn_select_callback(alpn_callback)
context.set_tlsext_servername_callback(servername_callback)
context.set_cipher_list("RSA+AESGCM")
context.set_tmp_ecdh(crypto.get_elliptic_curve('prime256v1'))
server = eventlet.listen(('0.0.0.0', listen_port))
server = SSL.Connection(context, server)
server_side_proto = "HTTP/2" if h2_to_server else "HTTP/1.x"
print(f"Serving HTTP/2 Proxy on 127.0.0.1:{listen_port} with pem "
f"'{https_pem}', forwarding to 127.0.0.1:{server_port} via "
f"{server_side_proto}")
pool = eventlet.GreenPool()
while True:
try:
new_sock, _ = server.accept()
manager = Http2ConnectionManager(new_sock, h2_to_server)
manager.server_port = server_port
manager.cert_file = https_pem
manager.ca_file = ca_pem
pool.spawn_n(manager.run_forever)
except KeyboardInterrupt as e:
# The calling test_proxy.py will handle this.
print("Handling KeyboardInterrupt")
raise e
except SystemExit:
break
def wrap_ssl(sock, certificate=None, private_key=None, server_side=False):
try:
from eventlet.green.OpenSSL import SSL
except ImportError:
raise ImportError(
"To use SSL with Eventlet, "
"you must install PyOpenSSL or use Python 2.6 or later.")
context = SSL.Context(SSL.SSLv23_METHOD)
if certificate is not None:
context.use_certificate_file(certificate)
if private_key is not None:
context.use_privatekey_file(private_key)
context.set_verify(SSL.VERIFY_NONE, lambda *x: True)
connection = SSL.Connection(context, sock)
if server_side:
connection.set_accept_state()
else:
connection.set_connect_state()
return connection
raise RuntimeError("No acceptable protocol offered!")
def npn_advertise_cb(conn):
return [b'h2']
# Let's set up SSL. This is a lot of work in PyOpenSSL.
options = (
SSL.OP_NO_COMPRESSION |
SSL.OP_NO_SSLv2 |
SSL.OP_NO_SSLv3 |
SSL.OP_NO_TLSv1 |
SSL.OP_NO_TLSv1_1
)
context = SSL.Context(SSL.SSLv23_METHOD)
context.set_options(options)
context.set_verify(SSL.VERIFY_NONE, lambda *args: True)
context.use_privatekey_file('server.key')
context.use_certificate_file('server.crt')
context.set_npn_advertise_callback(npn_advertise_cb)
context.set_alpn_select_callback(alpn_callback)
context.set_cipher_list(
"ECDHE+AESGCM"
)
context.set_tmp_ecdh(crypto.get_elliptic_curve(u'prime256v1'))
server = eventlet.listen(('0.0.0.0', 443))
server = SSL.Connection(context, server)
pool = eventlet.GreenPool()