def main():
print 'initializing ctx ...'
ctx = M2Crypto.SSL.Context(protocol='sslv2')
ctx.load_cert_chain(certchainfile=CERTFILE, keyfile=KEYFILE)
ctx.set_options(m2.SSL_OP_ALL)
ctx.set_cipher_list('ALL')
print 'initializing socket and accepting connection ...'
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
sock.bind(('0.0.0.0', 8443))
sock.listen(1)
conn, addr = sock.accept()
print 'ssl handshake ...'
ssl_conn = M2Crypto.SSL.Connection(ctx=ctx, sock=conn)
ssl_conn.set_socket_read_timeout(timeout(2))
ssl_conn.setup_ssl()
ssl_conn_res = ssl_conn.accept_ssl()
if ssl_conn_res == 1:
print 'SSL connection accepted'
else:
res = ssl_conn.ssl_get_error(ssl_conn_res)
print 'SSL handshake failed: %s (\'%s\')' % (res, resolve_ssl_code(res))
def handle(self, conn, profile, file_bag):
ctx = M2Crypto.SSL.Context(self.proto, weak_crypto=True)
ctx.load_cert_chain(certchainfile=profile.certnkey.cert_filename,
keyfile=profile.certnkey.key_filename)
set_ephemeral_params(ctx)
self.logger.debug('trying to accept SSL connection %s with profile %s',
conn, profile)
try:
# try to accept SSL connection
ssl_conn = M2Crypto.SSL.Connection(ctx=ctx, sock=conn.sock)
ssl_conn.set_socket_read_timeout(timeout(self.sock_read_timeout))
ssl_conn.setup_ssl()
ssl_conn_res = ssl_conn.accept_ssl()
if ssl_conn_res != 1:
res = ssl_conn.ssl_get_error(ssl_conn_res)
res = resolve_ssl_code(res)
self.logger.debug('SSL handshake failed: %s', res)
return ConnectionAuditResult(conn, profile, res)
self.logger.debug(
'SSL connection accepted, version %s, cipher %s' %
(ssl_conn.get_version(), ssl_conn.get_cipher()))
if ssl_conn.get_version(
) == 'SSLv2' and ssl_conn.get_cipher() is None:
## workaround for #46
raise Exception(UNEXPECTED_EOF)
# try to read something from the client
start_time = time()
client_req = ssl_conn.read(size=MAX_SIZE)
end_time = time()
dt = end_time - start_time
if client_req == None:
# read timeout
res = ConnectedReadTimeout(dt)
else:
if len(client_req) == 0:
# EOF or timeout? XXX
if dt < self.sock_read_timeout:
res = ConnectedGotEOFBeforeTimeout(dt)
else:
res = ConnectedReadTimeout(dt)
else:
# got data
res = ConnectedGotRequest(client_req, dt, file_bag)
except Exception as ex:
res = str(ex)
self.logger.debug('SSL accept failed: %s', ex)
# report the result
return ConnectionAuditResult(conn, profile, res)
def handle(self, conn, profile, file_bag):
ctx = M2Crypto.SSL.Context(self.proto, weak_crypto=True)
ctx.load_cert_chain(certchainfile=profile.certnkey.cert_filename, keyfile=profile.certnkey.key_filename)
set_ephemeral_params(ctx)
self.logger.debug('trying to accept SSL connection %s with profile %s', conn, profile)
try:
# try to accept SSL connection
ssl_conn = M2Crypto.SSL.Connection(ctx=ctx, sock=conn.sock)
ssl_conn.set_socket_read_timeout(timeout(self.sock_read_timeout))
ssl_conn.setup_ssl()
ssl_conn_res = ssl_conn.accept_ssl()
if ssl_conn_res != 1:
res = ssl_conn.ssl_get_error(ssl_conn_res)
res = resolve_ssl_code(res)
self.logger.debug('SSL handshake failed: %s', res)
return ConnectionAuditResult(conn, profile, res)
self.logger.debug(
'SSL connection accepted, version %s, cipher %s' % (ssl_conn.get_version(), ssl_conn.get_cipher()))
if ssl_conn.get_version() == 'SSLv2' and ssl_conn.get_cipher() is None:
## workaround for #46
raise Exception(UNEXPECTED_EOF)
# try to read something from the client
start_time = time()
client_req = ssl_conn.read(size=MAX_SIZE)
end_time = time()
dt = end_time - start_time
if client_req == None:
# read timeout
res = ConnectedReadTimeout(dt)
else:
if len(client_req) == 0:
# EOF or timeout? XXX
if dt < self.sock_read_timeout:
res = ConnectedGotEOFBeforeTimeout(dt)
else:
res = ConnectedReadTimeout(dt)
else:
# got data
res = ConnectedGotRequest(client_req, dt, file_bag)
except Exception as ex:
res = str(ex)
self.logger.debug('SSL accept failed: %s', ex)
# report the result
return ConnectionAuditResult(conn, profile, res)
def handle(self, conn, profile, file_bag):
# create a context, explicitly specify the flavour of the protocol
ctx = M2Crypto.SSL.Context(protocol=profile.profile_spec.proto, weak_crypto=True)
ctx.load_cert_chain(certchainfile=profile.certnkey.cert_filename, keyfile=profile.certnkey.key_filename)
set_ephemeral_params(ctx)
# set restrict all protocols except the one prescribed by the profile
options = m2.SSL_OP_ALL
if profile.profile_spec.proto == 'sslv2':
options |= m2.SSL_OP_NO_SSLv3 | m2.SSL_OP_NO_TLSv1
elif profile.profile_spec.proto == 'sslv3':
options |= m2.SSL_OP_NO_SSLv2 | m2.SSL_OP_NO_TLSv1
elif profile.profile_spec.proto == 'tlsv1':
options |= m2.SSL_OP_NO_SSLv2 | m2.SSL_OP_NO_SSLv3
else:
raise ValueError('unsupported protocol: %s' % profile.profile_spec.proto)
ctx.set_options(options)
# set allowed ciphers
ctx.set_cipher_list(profile.profile_spec.cipher)
self.logger.debug('trying to accept SSL connection %s with profile %s', conn, profile)
try:
# try to accept SSL connection
ssl_conn = M2Crypto.SSL.Connection(ctx=ctx, sock=conn.sock)
ssl_conn.set_socket_read_timeout(timeout(self.sock_read_timeout))
ssl_conn.setup_ssl()
ssl_conn_res = ssl_conn.accept_ssl()
if ssl_conn_res == 1:
self.logger.debug(
'SSL connection accepted, version %s cipher %s' % (ssl_conn.get_version(), ssl_conn.get_cipher()))
if ssl_conn.get_version() == 'SSLv2' and ssl_conn.get_cipher() is None:
# workaround for #46
raise Exception(UNEXPECTED_EOF)
return ConnectionAuditResult(conn, profile, Connected())
else:
res = ssl_conn.ssl_get_error(ssl_conn_res)
res = resolve_ssl_code(res)
self.logger.debug('SSL handshake failed: %s', res)
return ConnectionAuditResult(conn, profile, res)
except Exception as ex:
res = str(ex)
self.logger.debug('SSL accept failed: %s', ex)
return ConnectionAuditResult(conn, profile, res)