def _open(suffix, dscp):
error, sock = TCPStream._open(suffix, dscp)
if error:
return error, None
# Create an SSL context
ctx = SSL.Context(SSL.SSLv23_METHOD)
ctx.set_verify(SSL.VERIFY_PEER, SSLStream.verify_cb)
ctx.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3)
# If the client has not set the SSL configuration files
# exception would be raised.
ctx.use_privatekey_file(Stream._SSL_private_key_file)
ctx.use_certificate_file(Stream._SSL_certificate_file)
ctx.load_verify_locations(Stream._SSL_ca_cert_file)
ssl_sock = SSL.Connection(ctx, sock)
ssl_sock.set_connect_state()
return error, ssl_sock
def __init__(self, server_address, HandlerClass):
BaseServer.__init__(self, server_address, HandlerClass)
# SSLv2 and SSLv3 supported
ctx = SSL.Context(SSL.SSLv23_METHOD)
# pem files defined before
fpem_priv = 'newreq.pem'
fpem_cli = 'newcert.pem'
# establish private key
ctx.use_privatekey_file(fpem_priv)
# establish public/client certificate
ctx.use_certificate_file(fpem_cli)
# setup the ssl socket
self.socket = SSL.Connection(
ctx, socket.socket(self.address_family, self.socket_type))
# bind to interface
self.server_bind()
# activate the interface
self.server_activate()
def send_init_packets(host):
tpkt = TPKT()
tpdu = TPDU()
rdp_neg = RDP_NEG_REQ()
rdp_neg['Type'] = 1
rdp_neg['requestedProtocols'] = 1
tpdu['VariablePart'] = rdp_neg.getData()
tpdu['Code'] = 0xe0
tpkt['TPDU'] = tpdu.getData()
s = socket.socket()
s.connect((host, 3389))
s.sendall(tpkt.getData())
s.recv(8192)
ctx = SSL.Context(SSL.TLSv1_METHOD)
tls = SSL.Connection(ctx, s)
tls.set_connect_state()
tls.do_handshake()
return tls
def _init_socket(self):
if self.__unix:
self.__realsocket = socket.socket(socket.AF_UNIX,
socket.SOCK_STREAM)
else:
self.__realsocket = socket.socket(socket.AF_INET,
socket.SOCK_STREAM)
self.__realsocket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
fcntl.fcntl(self.__realsocket.fileno(), fcntl.F_SETFD, 1)
if self.__ssl and not self.__unix:
self.__socket = SSL.Connection(self.__crypto_context,
self.__realsocket)
else:
if self.__socket:
notifier.socket_remove(self.__socket)
self.__socket.close()
self.__socket = None
def handle_secure_connection(self, client_socket, request, dialog_id):
""" performs all TLS stuff with client
returns (wrapped secure_socket socket, client request after CONNECT)
"""
client_socket.sendall(self.dialog_service.make_established_response(dialog_id))
context = self.tls_service.create_ssl_context(request.host)
secure_socket = SSL.Connection(context, client_socket)
secure_socket.set_accept_state()
try:
secure_socket.do_handshake()
except SSL.Error as err:
secure_socket.close()
raise SSL.Error(err)
# return secure_socket, None
# read application data request after handshake
post_handshake_raw = read(secure_socket)
final_request = self.dialog_service.make_request_from_raw(post_handshake_raw, dialog_id)
return secure_socket, final_request
def __init__(self, server_address, RequestHandlerClass):
from OpenSSL import SSL
BaseServer.__init__(self, server_address, RequestHandlerClass)
ctx = SSL.Context(SSL.SSLv3_METHOD)
cert = os.path.join(settings.Config.ResponderPATH,
settings.Config.SSLCert)
key = os.path.join(settings.Config.ResponderPATH,
settings.Config.SSLKey)
ctx.use_privatekey_file(key)
ctx.use_certificate_file(cert)
self.socket = SSL.Connection(
ctx, socket.socket(self.address_family, self.socket_type))
self.server_bind()
self.server_activate()
def __init__(self, sleeper=None):
ctx = SSL.Context(SSL.SSLv23_METHOD)
# TLS 1.3 removes renegotiation support. Which is great for them, but
# we still have to support versions before that, and that means we
# need to test renegotation support, which means we need to force this
# to use a lower version where this test server can trigger
# renegotiations. Of course TLS 1.3 support isn't released yet, but
# I'm told that this will work once it is. (And once it is we can
# remove the pragma: no cover too.) Alternatively, once we drop
# support for CPython 3.5 on MacOS, then we could switch to using
# TLSv1_2_METHOD.
#
# Discussion: https://github.com/pyca/pyopenssl/issues/624
if hasattr(SSL, "OP_NO_TLSv1_3"): # pragma: no cover
ctx.set_options(SSL.OP_NO_TLSv1_3)
# Unfortunately there's currently no way to say "use 1.3 or worse", we
# can only disable specific versions. And if the two sides start
# negotiating 1.4 at some point in the future, it *might* mean that
# our tests silently stop working properly. So the next line is a
# tripwire to remind us we need to revisit this stuff in 5 years or
# whatever when the next TLS version is released:
assert not hasattr(SSL, "OP_NO_TLSv1_4")
ctx.use_certificate_file(CERT1)
ctx.use_privatekey_file(CERT1)
self._conn = SSL.Connection(ctx, None)
self._conn.set_accept_state()
self._lot = _core.ParkingLot()
self._pending_cleartext = bytearray()
self._send_all_mutex = UnLock(
_core.ResourceBusyError,
"simultaneous calls to PyOpenSSLEchoStream.send_all")
self._receive_some_mutex = UnLock(
_core.ResourceBusyError,
"simultaneous calls to PyOpenSSLEchoStream.receive_some")
if sleeper is None:
async def no_op_sleeper(_):
return
self.sleeper = no_op_sleeper
else:
self.sleeper = sleeper
def do_tlsalpn_challenges(client, authzs):
port = 5001
example_key, example_cert = load_example_cert()
server_certs = {'localhost': (example_key, example_cert)}
challs = {
a.body.identifier.value: get_chall(a, challenges.TLSALPN01)
for a in authzs
}
chall_certs = {
domain: tls_alpn_01_cert(client, c, domain)
for domain, c in challs.items()
}
# TODO: this won't be needed once acme standalone tls-alpn server serves
# certs correctly, not only challenge certs.
chall_certs['localhost'] = (example_key, example_cert)
server = standalone.TLSALPN01Server(("", port), server_certs, chall_certs)
thread = threading.Thread(target=server.serve_forever)
thread.start()
# Loop until the TLSALPN01Server is ready.
while True:
try:
s = socket.socket()
s.connect(("localhost", port))
client_ssl = SSL.Connection(SSL.Context(SSL.TLSv1_METHOD), s)
client_ssl.set_connect_state()
client_ssl.set_tlsext_host_name("localhost")
client_ssl.set_alpn_protos([b'acme-tls/1'])
client_ssl.do_handshake()
break
except (socket.error, SSL.Error):
time.sleep(0.1)
finally:
s.close()
for chall_body in challs.values():
client.answer_challenge(chall_body, chall_body.response(client.key))
def cleanup():
server.shutdown()
server.server_close()
thread.join()
return cleanup
def get_requests_verify(hostname, port):
"""
Get verification method for sending HTTP requests to Hopsworks.
Credit to https://gist.github.com/gdamjan/55a8b9eec6cf7b771f92021d93b87b2c
Returns:
if env var HOPS_UTIL_VERIFY is not false
then if hopsworks certificate is self-signed, return the path to the truststore (PEM)
else if hopsworks is not self-signed, return true
return false
"""
if constants.ENV_VARIABLES.REQUESTS_VERIFY_ENV_VAR in os.environ and os.environ[
constants.ENV_VARIABLES.REQUESTS_VERIFY_ENV_VAR] == 'true':
hostname_idna = idna.encode(hostname)
sock = socket()
sock.connect((hostname, int(port)))
ctx = SSL.Context(SSL.SSLv23_METHOD)
ctx.check_hostname = False
ctx.verify_mode = SSL.VERIFY_NONE
sock_ssl = SSL.Connection(ctx, sock)
sock_ssl.set_connect_state()
sock_ssl.set_tlsext_host_name(hostname_idna)
sock_ssl.do_handshake()
cert = sock_ssl.get_peer_certificate()
crypto_cert = cert.to_cryptography()
sock_ssl.close()
sock.close()
try:
commonname = crypto_cert.subject.get_attributes_for_oid(
NameOID.COMMON_NAME)[0].value
issuer = crypto_cert.issuer.get_attributes_for_oid(
NameOID.COMMON_NAME)[0].value
if commonname == issuer and constants.ENV_VARIABLES.DOMAIN_CA_TRUSTSTORE_PEM_ENV_VAR in os.environ:
return os.environ[
constants.ENV_VARIABLES.DOMAIN_CA_TRUSTSTORE_PEM_ENV_VAR]
else:
return True
except x509.ExtensionNotFound:
return True
return False
def run(self):
kb = self._scanner.get_knowledge_base()
protocol_versions = self._scanner.get_enabled_versions()
methods = convert_versions2methods(protocol_versions)
methods.reverse()
for method in methods:
try:
ctx = SSL.Context(method)
except:
# ToDo:
continue
ctx.set_cipher_list("ALL:COMPLEMENT")
ctx.set_options(_util.lib.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)
conn = self._scanner.handler.connect()
conn_ssl = SSL.Connection(ctx, conn._socket)
conn_ssl.set_tlsext_host_name(
self._scanner.handler.hostname.encode("utf-8"))
conn_ssl.set_connect_state()
try:
conn_ssl.do_handshake()
except Exception as e:
# ToDo:
# print(e)
conn_ssl.close()
continue
kb.set("server.renegotiation.support", False)
if _util.lib.SSL_get_secure_renegotiation_support(
conn_ssl._ssl) == 1:
kb.set("server.renegotiation.secure", True)
kb.set("server.renegotiation.support", True)
else:
kb.set("server.renegotiation.secure", False)
kb.set("server.renegotiation.support", False)
cipher_status = _util.lib.SSL_do_handshake(conn_ssl._ssl)
if cipher_status == 1:
if _util.lib.SSL_get_state(conn_ssl._ssl) == SSL.SSL_ST_OK:
kb.set("server.renegotiation.support", True)
conn_ssl.close()
def get_host_certificate(host, port=443):
"""Get a host's certificate.
:param str host: The hostname from which to fetch the certificate.
:param int port: The port from which to fetch the certificate, if different
than ``443``.
:return: The host's X.509 certificate.
:rtype: :class:`OpenSSL.crypto.X509`
"""
ip_addr = socket.gethostbyname(host)
sock = socket.socket()
context = SSL.Context(SSL.TLSv1_METHOD)
context.set_options(SSL.OP_NO_SSLv2)
context.load_verify_locations(certifi.where(), None)
ssl_sock = SSL.Connection(context, sock)
ssl_sock.connect((ip_addr, port))
ssl_sock.do_handshake()
return ssl_sock.get_peer_certificate()
def __init__(self, args, kwargs):
irc_server.IRCServer.__init__(self, args, kwargs)
# Setup SSL.
# TODO: Load certificate path from config and handle missing certificate.
ssl_ctx = SSL.Context(SSL.SSLv23_METHOD)
ssl_key_path = '../server.pem'
ssl_ctx.use_privatekey_file(ssl_key_path)
ssl_ctx.use_certificate_file(ssl_key_path)
self.socket = SSL.Connection(
ssl_ctx, socket.socket(self.address_family, self.socket_type))
self.server_bind()
self.server_activate()
# Create a default channel and set a default map.
channel = self.channels.setdefault('#lobby',
irc_server.IRCChannel('#lobby'))
channel.topic = 'Map:Farm'
def accept(self): # pylint: disable=missing-docstring
sock, addr = self.sock.accept()
context = SSL.Context(self.method)
context.set_options(SSL.OP_NO_SSLv2)
context.set_options(SSL.OP_NO_SSLv3)
context.set_tlsext_servername_callback(self._pick_certificate_cb)
if self.alpn_selection is not None:
context.set_alpn_select_callback(self.alpn_selection)
ssl_sock = self.FakeConnection(SSL.Connection(context, sock))
ssl_sock.set_accept_state()
self.log_callback("SSL Socket: Performing handshake with {0}".format(addr))
try:
ssl_sock.do_handshake()
except SSL.Error as error:
# _pick_certificate_cb might have returned without
# creating SSL context (wrong server name)
raise socket.error(error)
return ssl_sock, addr
def wrapClientConnection(self, cert='/tmp/impacket.crt'):
# Create a context, we don't really care about the SSL/TLS
# versions used since it is only intended for local use and thus
# doesn't have to be super-secure
ctx = SSL.Context(SSL.SSLv23_METHOD)
try:
ctx.use_privatekey_file(cert)
ctx.use_certificate_file(cert)
except SSL.Error:
LOG.info('SSL requested - generating self-signed certificate in /tmp/impacket.crt')
generateImpacketCert(cert)
ctx.use_privatekey_file(cert)
ctx.use_certificate_file(cert)
sslSocket = SSL.Connection(ctx, self.socksSocket)
sslSocket.set_accept_state()
# Now set this property back to the SSL socket instead of the regular one
self.socksSocket = sslSocket
def run(self):
if self._scanner.handler.name != "imap":
return
kb = self._scanner.get_knowledge_base()
methods = self._scanner.get_enabled_methods()
methods.reverse()
for method in methods:
try:
ctx = SSL.Context(method)
except:
# ToDo:
continue
server_info = self._scanner.handler.get_server_info()
if server_info is None:
ctx.set_cipher_list("ALL:COMPLEMENT")
conn = self._scanner.handler.connect()
conn_ssl = SSL.Connection(ctx, conn)
conn_ssl.set_tlsext_host_name(
self._scanner.handler.hostname.encode("utf-8"))
conn_ssl.set_connect_state()
try:
conn_ssl.do_handshake()
except Exception as e:
print(e)
conn_ssl.close()
continue
server_info = self._scanner.handler.get_server_info(conn_ssl)
conn_ssl.close()
if server_info is None:
return
kb.set("server.custom.protocol.imap",
ResultGroup(label="IMAP Information"))
kb.set(
"server.custom.protocol.imap.banner",
ResultValue(label="Server banner",
value=server_info.get("banner")))
def get_certificate(hostname: str, port: int) -> HostInfo:
hostname_idna = idna.encode(hostname)
sock = socket.socket()
sock.connect((hostname, port))
peername = sock.getpeername()
ctx = SSL.Context(SSL.SSLv23_METHOD) # most compatible
ctx.check_hostname = False
ctx.verify_mode = SSL.VERIFY_NONE
sock_ssl = SSL.Connection(ctx, sock)
sock_ssl.set_connect_state()
sock_ssl.set_tlsext_host_name(hostname_idna)
sock_ssl.do_handshake()
cert = sock_ssl.get_peer_certificate()
sock_ssl.close()
sock.close()
return HostInfo(cert=cert, peername=peername, hostname=hostname)
def certificate_age(config, host, port=443):
"""
Check a TLS certificate of a host to determine if it's going to expire soon
:param config: dictionary containing settings
config['vars']['cert_expiration_days_threshold']: If the certificate
is set to expire in a number of days less than this threshold then
alert
:param host: The host to fetch the certificate from
:return: 3-tuple of (success, name, message)
success: Boolean value indicating if there is a problem or not
name: DNS name
message: String describing the status
"""
name = host
try:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((host, port))
except Exception as e:
return False, name, "Exception %s %s" % (e.__class__, e)
try:
ctx = SSL.Context(SSL.TLSv1_METHOD)
ctx.load_verify_locations(CA_CERTS)
except Exception as e:
return False, name, "Exception %s %s" % (e.__class__, e)
try:
ssl_sock = SSL.Connection(ctx, sock)
ssl_sock.set_connect_state()
ssl_sock.set_tlsext_host_name(host)
ssl_sock.do_handshake()
x509 = ssl_sock.get_peer_certificate()
asn1 = x509.get_notAfter()
result = check_expiration_date(
asn1, name, config['vars']['cert_expiration_days_threshold'])
except Exception as e:
return False, name, "Exception %s %s" % (e.__class__, e)
finally:
ssl_sock.shutdown()
sock.close()
return result
def get_cert(host, port, user_args):
"""Connection to the host."""
if user_args.socks:
import socks
socks_host, socks_port = filter_hostname(user_args.socks)
socks.setdefaultproxy(socks.PROXY_TYPE_SOCKS5, socks_host, int(socks_port), True)
socket.socket = socks.socksocket
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
osobj = SSL.Context(PROTOCOL_TLSv1)
sock.connect((host, int(port)))
oscon = SSL.Connection(osobj, sock)
oscon.set_tlsext_host_name(host.encode())
oscon.set_connect_state()
oscon.do_handshake()
cert = oscon.get_peer_certificate()
sock.close()
return cert
def tls_start(tls_start: tls.TlsStartData):
# INSECURE
ssl_context = SSL.Context(SSL.SSLv23_METHOD)
if tls_start.conn == tls_start.context.client:
ssl_context.use_privatekey_file(
pkg_data.path("../test/mitmproxy/data/verificationcerts/trusted-leaf.key")
)
ssl_context.use_certificate_chain_file(
pkg_data.path("../test/mitmproxy/data/verificationcerts/trusted-leaf.crt")
)
tls_start.ssl_conn = SSL.Connection(ssl_context)
if tls_start.conn == tls_start.context.client:
tls_start.ssl_conn.set_accept_state()
else:
tls_start.ssl_conn.set_connect_state()
if tls_start.context.client.sni is not None:
tls_start.ssl_conn.set_tlsext_host_name(tls_start.context.client.sni.encode())
def verify_cert(hostname, port):
hostname_idna = idna.encode(hostname)
sock = socket()
sock.connect((hostname, port))
peername = sock.getpeername()
ctx = SSL.Context(SSL.SSLv23_METHOD)
ctx.check_hostname = False
ctx.verify_mode = SSL.VERIFY_NONE
sock_ssl = SSL.Connection(ctx, sock)
sock_ssl.set_connect_state()
sock_ssl.set_tlsext_host_name(hostname_idna)
sock_ssl.do_handshake()
cert = sock_ssl.get_peer_certificate()
crypto_cert = cert.to_cryptography()
sock_ssl.close()
sock.close()
return HostInfo(cert=crypto_cert, peername=peername, hostname=hostname)
def __init__(self,server_address,HandlerClass,certFile='certs/cert.pem',keyFile='certs/key.pem',logRequests=False):
"""Secure XML-RPC server.
It it very similar to SimpleXMLRPCServer but it uses HTTPS for transporting XML data.
"""
cpem.log_event('debug',"starting SecureXMLRPCServer")
self.logRequests = logRequests #turn off the BaseHTTPServer logging... because we dun need it.
SimpleXMLRPCServer.SimpleXMLRPCDispatcher.__init__(self,True,None)
ThreadedBaseServer(self,SocketServer.BaseServer.__init__(self,server_address,HandlerClass))
ctx = SSL.Context(SSL.SSLv23_METHOD)
ctx.use_privatekey_file (keyFile)
ctx.use_certificate_file(certFile)
self.socket = SSL.Connection(ctx,socket.socket(self.address_family,self.socket_type))
self.server_bind()
self.server_activate()
cpem.log_event('debug','server setup complete')
def shutdown_request(self,request):
request.shutdown()
def test_alpn_select_callback():
ctx = SSL.Context(SSL.SSLv23_METHOD)
conn = SSL.Connection(ctx)
conn.set_app_data(tlsconfig.AppData(server_alpn=b"h2", http2=True))
# Test that we try to mirror the server connection's ALPN
assert tlsconfig.alpn_select_callback(
conn, [b"http/1.1", b"qux", b"h2"]) == b"h2"
# Test that we respect the client's preferred HTTP ALPN.
conn.set_app_data(tlsconfig.AppData(server_alpn=None, http2=True))
assert tlsconfig.alpn_select_callback(
conn, [b"qux", b"http/1.1", b"h2"]) == b"http/1.1"
assert tlsconfig.alpn_select_callback(
conn, [b"qux", b"h2", b"http/1.1"]) == b"h2"
# Test no overlap
assert tlsconfig.alpn_select_callback(
conn, [b"qux", b"quux"]) == SSL.NO_OVERLAPPING_PROTOCOLS
def convert_to_ssl(self, cert, key, **sslctx_kwargs):
"""
Convert connection to SSL.
For a list of parameters, see BaseHandler._create_ssl_context(...)
"""
context = self.create_ssl_context(
cert,
key,
**sslctx_kwargs)
self.connection = SSL.Connection(context, self.connection)
self.connection.set_accept_state()
try:
self.connection.do_handshake()
except SSL.Error as v:
raise TlsException("SSL handshake error: %s" % repr(v))
self.ssl_established = True
self.rfile.set_descriptor(self.connection)
self.wfile.set_descriptor(self.connection)
def __connect(cls, hostname: str, port: int) -> SSL.Connection:
"""
Method for opening a socket to the Conjur server
"""
ctx = cls._get_ssl_context()
# Taken from
# https://gist.github.com/brandond/f3d28734a40c49833176207b17a44786#file-sslscan-py-L17
conjur_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
conjur_conn = SSL.Connection(context=ctx, socket=conjur_sock)
conjur_conn.connect((hostname, port))
# handle SNI
conjur_conn.set_tlsext_host_name(hostname.encode())
conjur_conn.do_handshake()
logging.debug("TLS connection established. "
"Fetching certificate from Conjur server...")
return conjur_conn
def listen(self):
# This should have been a SSLAcceptor ...
if self._sok == None:
def verify_cb(conn, cert, errnum, depth, ok):
# This obviously has to be updated
print 'Got certificate: %s' % cert.get_subject()
return ok
# Initialize context
ctx = SSL.Context(SSL.SSLv23_METHOD)
ctx.set_session_id('weightless:%s:%s' %
(time(), randint(1024, 4096)))
ctx.set_options(SSL.OP_NO_SSLv2)
ctx.set_verify(SSL.VERIFY_PEER, verify_cb) # Demand a certificate
ctx.use_privatekey_file(self._keyfile)
ctx.use_certificate_file(self._certfile)
# Set up server
self._sok = SSL.Connection(ctx, socket())
self._sok.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1)
self._sok.setsockopt(SOL_SOCKET, SO_LINGER, pack('ii', 0, 0))
self._sok.bind(
('0.0.0.0' if self._bindAddress is None else self._bindAddress,
self._port))
self._sok.listen(127)
self._acceptor = Acceptor(reactor=self._reactor,
port=self._port,
sinkFactory=lambda sok: HttpsHandler(
reactor=self._reactor,
sok=sok,
generatorFactory=self._generatorFactory,
timeout=self._timeout,
recvSize=self._recvSize,
prio=self._prio,
maxConnections=self._maxConnections,
errorHandler=self._errorHandler,
compressResponse=self._compressResponse),
prio=self._prio,
sok=self._sok,
bindAddress=self._bindAddress)
def get_server_root_cert(address, port, certDict, root=True):
"""Attempt to retrieve the the root certificate in the full SSL cert chain
from the provided server address & port. The certDict parameter should
contain a dictionary of { certificate.get_subject().hash() md5 hash : certificate },
which this function will use to match the certificate chain to a stored root
certificate. This function will return a single certificate as a PyOpenSSL X509
object, or None if the chain couldn't be retrieved for some reason, or the
certDict did not contain a matching certificate.
"""
# Use PyOpenSSL to initiate an SSL connection and get the full cert chain.
# Sadly Python's built in SSL library can't do this so we must use this
# OpenSSL-based library.
cert = None
ctx = SSL.Context(SSL.TLSv1_2_METHOD)
# do the connection, and fetch the cert chain
soc = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
ssl_soc = SSL.Connection(ctx, soc)
ssl_soc.connect((address, port))
ssl_soc.set_tlsext_host_name(bytes(address, "utf8"))
try:
ssl_soc.do_handshake()
if root is True:
cert = ssl_soc.get_peer_cert_chain()[-1]
else:
cert = ssl_soc.get_peer_cert_chain()[0]
finally:
ssl_soc.shutdown()
soc.close()
# match the certificate in the chain to the respective root certificate using the common name
if cert is None:
print("Failed to fetch certificate on domain: " + address)
return None
# if we don't want the root cert, return the regular cert
if root is False:
return cert
cn_hash = cert.get_issuer().hash()
# if there is a respective certificate, return it
# else print an error and return None
if cn_hash not in certDict:
print("Could not find matching root certificate for domain: " + address)
return None
return certDict[cn_hash]
def start_server():
# context = SSL.Context(SSL.TLSv1_2_METHOD)
context = SSL.Context(SSL.TLSv1_METHOD)
context.use_privatekey_file('startssl.key')
context.use_certificate_file('startssl.cert')
context.use_certificate_chain_file('startssl.cert')
s_n = socket.socket()
s_n.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
s_n.setsockopt(socket.SOL_SOCKET, socket.TCP_NODELAY, 1)
s = SSL.Connection(context, s_n)
s.bind(('', PORT))
s.listen(MAX_CLIENTS) # max clients
p.rint(
"[S_wss " + time.strftime("%H:%M:%S") +
"] Waiting on wss_clients on Port " + str(PORT), "l")
while 1:
conn, addr = s.accept()
try:
#connstream = ssl.wrap_socket(conn, server_side=True, certfile="cert", keyfile="key", ssl_version=ssl.PROTOCOL_TLSv1)
# generate new client
new_client = ws_clients(conn.getpeername()[1],
conn.getpeername()[0]) # port, ip
new_client.ws = WebSocket(conn)
# append it
clients.append(new_client)
p.rint(
"[S_wss " + time.strftime("%H:%M:%S") +
"] -> Connection from: " + str(addr[0]) + ". Serving " +
str(len(clients)) + " ws_clients now", "l")
threading.Thread(target=handle, args=(new_client, addr)).start()
# send every subscr
for callb in callback_con:
callb("connect", new_client)
except Exception as n:
p.rint(
"[S_wss " + time.strftime("%H:%M:%S") +
"] exception before starting connect thread", "d")
print(n)
def scan(address, version):
"""
Not finished yet, just analyzing if the web server supports
any CBC ciphers
:param address: tuple of an url and port
:param version: tls version in bytes
:return: if the server is vulnerable
"""
client_hello = construct_client_hello(version)
logging.info("Scanning Poodle vulnerability...")
server_hello, sock = send_client_hello(address, client_hello, 2)
# If no server hello is sent the server doesn't support
# CBC ciphers
if not is_server_hello(server_hello):
return False
sock.close()
unsafe_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
ssl_socket = SSL.Connection(SSL.Context(SSL.SSLv23_METHOD), unsafe_sock)
ssl_socket.connect(address)
ssl_socket.do_handshake()
for i in range(256):
try:
unsafe_sock.send(build_data(i))
ssl_socket.read(2048)
# Server didn't send an alert
except (SSL.ZeroReturnError, SSL.SysCallError):
continue
# Server broke connection
except BrokenPipeError:
return False
# Server sent an alert
except SSL.Error as e:
if e.args[0][0][2] == 'sslv3 alert bad record mac':
continue
# If there is an alert and its not bad record mac
else:
return True
# Unknown exception
except Exception as e:
raise e
logging.info("Poodle vulnerability scan done.")
return False
def run(self):
Logger.info("[WebApps] new process started")
signal.signal(signal.SIGINT, signal.SIG_IGN)
signal.signal(signal.SIGTERM, signal.SIG_IGN)
# close inherited father pipes
self.father_pipes[0].close()
self.father_pipes[1].close()
self.socks = Queue.Queue()
self.clean_timer = threading.Timer(Config.process_timeout, self.clean)
self.clean_timer.start()
self.f_control = ControlFatherProcess(self)
self.f_control.start()
while self.f_control.is_alive() or not self.socks.empty():
try:
sock = self.socks.get(timeout=0.01)
if Config.connection_secure:
ssl_conn = SSL.Connection(self.ssl_ctx, sock)
Logger.debug("[WebApps] new connection => %s" % str(ssl_conn.getpeername()))
ssl_conn.set_accept_state()
ProtocolDetectDispatcher(ssl_conn, self.f_control, self.ssl_ctx)
else:
HttpProtocolDetectDispatcher(sock, self.f_control)
except (IOError, Queue.Empty):
continue
# reload asyncore if stopped
if self.is_sleeping():
# timeout needed for more SSL layer reactivity
self.t_asyncore = threading.Thread(target=lambda:asyncore.loop(timeout=0.01))
self.t_asyncore.start()
if not self.is_sleeping():
asyncore.close_all()
self.t_asyncore.join()
Logger.info("[WebApps] child process stopped")
def scan_server(ip, port):
global vulnerable
print('Checking to {}:{}'.format(ip, port))
ctx = SSL.Context(DTLSv1_METHOD)
ctx.set_verify_depth(2)
ctx.set_verify(SSL.VERIFY_PEER, certificate_callback)
sock = SSL.Connection(ctx, socket.socket(socket.AF_INET,
socket.SOCK_DGRAM))
sock.connect((ip, int(port)))
sock.send(build_connect_packet(0, 65, b"A"))
data = sock.recv(1024)
if len(data) == 16:
error_code = struct.unpack('<L', data[12:])[0]
if error_code == 0x8000ffff:
vulnerable = True
