def test05_open_with_subj_alt_names_verification(self):
ctx = SSL.Context(SSL.TLSv1_2_METHOD)
# Set wildcard hostname for subject alternative name matching -
# setting a minimum of two name components for hostname
split_hostname = Constants.HOSTNAME.split('.', 1)
if len(split_hostname) > 1:
_hostname = '*.' + split_hostname[-1]
else:
_hostname = Constants.HOSTNAME
server_ssl_verify = ServerSSLCertVerification(hostname=_hostname)
verify_callback_ = server_ssl_verify.get_verify_server_cert_func()
ctx.set_verify(SSL.VERIFY_PEER, verify_callback_)
# Set default verify paths if testing with peer that has corresponding
# CA cert in bundle provided with the OS. In this case, load verify
# locations is not needed.
#ctx.set_default_verify_paths()
ctx.set_verify_depth(9)
# Set correct location for CA certs to verify with
ctx.load_verify_locations(None, Constants.CACERT_DIR)
opener = build_opener(ssl_context=ctx)
res = opener.open(Constants.TEST_URI)
self.assertTrue(res)
print("res = %s" % res.read())
def set_peer_verification_for_url_hostname(ssl_context, url,
if_verify_enabled=False):
'''Convenience routine to set peer verification callback based on
ServerSSLCertVerification class'''
if not if_verify_enabled or (ssl_context.get_verify_mode() & SSL.VERIFY_PEER):
urlObj = urlparse.urlparse(url)
hostname = urlObj.hostname
server_ssl_cert_verif = ServerSSLCertVerification(hostname=hostname)
verify_callback_ = server_ssl_cert_verif.get_verify_server_cert_func()
ssl_context.set_verify(SSL.VERIFY_PEER, verify_callback_)
def set_peer_verification_for_url_hostname(ssl_context, url,
if_verify_enabled=False):
'''Convenience routine to set peer verification callback based on
ServerSSLCertVerification class'''
if not if_verify_enabled or (ssl_context.get_verify_mode() & SSL.VERIFY_PEER):
urlObj = urlparse_.urlparse(url)
hostname = urlObj.hostname
server_ssl_cert_verif = ServerSSLCertVerification(hostname=hostname)
verify_callback_ = server_ssl_cert_verif.get_verify_server_cert_func()
ssl_context.set_verify(SSL.VERIFY_PEER, verify_callback_)
def test04_ssl_verification_with_subj_alt_name(self):
ctx = SSL.Context(SSL.TLSv1_METHOD)
verification = ServerSSLCertVerification(hostname='localhost')
verify_callback = verification.get_verify_server_cert_func()
ctx.set_verify(SSL.VERIFY_PEER, verify_callback)
ctx.set_verify_depth(9)
# Set correct location for CA certs to verify with
ctx.load_verify_locations(None, Constants.CACERT_DIR)
conn = HTTPSConnection(Constants.HOSTNAME, port=Constants.PORT,
ssl_context=ctx)
conn.connect()
conn.request('GET', '/')
resp = conn.getresponse()
print('Response = %s' % resp.read())
def test04_ssl_verification_with_subj_alt_name(self):
ctx = SSL.Context(SSL.TLSv1_METHOD)
verification = ServerSSLCertVerification(hostname='localhost')
verify_callback = verification.get_verify_server_cert_func()
ctx.set_verify(SSL.VERIFY_PEER, verify_callback)
ctx.set_verify_depth(9)
# Set correct location for CA certs to verify with
ctx.load_verify_locations(None, Constants.CACERT_DIR)
conn = HTTPSConnection(Constants.HOSTNAME,
port=Constants.PORT,
ssl_context=ctx)
conn.connect()
conn.request('GET', '/')
resp = conn.getresponse()
print('Response = %s' % resp.read())
def test04_ssl_verification_with_subj_common_name(self):
ctx = SSL.Context(SSL.SSLv3_METHOD)
# Explicitly set verification of peer hostname using peer certificate
# subject common name
verify_callback = ServerSSLCertVerification(hostname='localhost',
subj_alt_name_match=False)
ctx.set_verify(SSL.VERIFY_PEER, verify_callback)
ctx.set_verify_depth(9)
# Set correct location for CA certs to verify with
ctx.load_verify_locations(None, Constants.CACERT_DIR)
conn = HTTPSConnection(Constants.HOSTNAME,
port=Constants.PORT,
ssl_context=ctx)
conn.connect()
conn.request('GET', '/')
resp = conn.getresponse()
print('Response = %s' % resp.read())
def __call__(self):
"""Create an M2Crypto SSL Context from this objects properties
:type depth: int
:param depth: max. depth of certificate to verify against
:type kw: dict
:param kw: OpenSSL.SSL.Context keyword arguments
:rtype: OpenSSL.SSL.Context
:return: M2Crypto SSL context object
"""
ctx = SSL.Context(self.__class__.SSL_PROTOCOL_METHOD)
# Configure context according to this proxy's attributes
if self.sslCertFilePath and self.sslPriKeyFilePath:
# Pass client certificate (optionally with chain)
ctx.use_certificate_chain_file(self.sslCertFilePath)
with open(self.sslPriKeyFilePath, 'r') as prikey_file:
prikey_content = prikey_file.read()
prikey_file.close()
prikey = crypto.load_privatekey(crypto.FILETYPE_PEM,
prikey_content,
self.sslPriKeyPwd)
ctx.use_privatekey(prikey)
log.debug("Set client certificate and key in SSL Context")
else:
log.debug("No client certificate or key set in SSL Context")
if self.sslCACertFilePath or self.sslCACertDir:
# Set CA certificates in order to verify peer
ctx.load_verify_locations(self.sslCACertFilePath,
self.sslCACertDir)
mode = SSL.VERIFY_PEER
ctx.set_verify_depth(self.__class__.SSL_VERIFY_DEPTH)
verify_cb = lambda connection, peerCert, errorStatus, errorDepth, \
preverifyOK: preverifyOK
else:
mode = SSL.VERIFY_NONE
log.warning('No CA certificate files set: mode set to '
'"verify_none"! No verification of the server '
'certificate will be enforced')
n_ssl_valid_x509_subj_names = len(self.ssl_valid_x509_subj_names)
if n_ssl_valid_x509_subj_names > 0 or self.ssl_valid_hostname:
# Set custom callback in order to verify peer certificate DN
# against whitelist
mode = SSL.VERIFY_PEER
if n_ssl_valid_x509_subj_names == 0:
cert_dn = None
else:
cert_dn = self.ssl_valid_x509_subj_names[0]
# Nb. limit - this verification callback can only validate against
# a single DN not multiples as allowed by the interface class
ssl_cert_verification = ServerSSLCertVerification(
hostname=self.ssl_valid_hostname,
certDN=cert_dn)
verify_cb = ssl_cert_verification.get_verify_server_cert_func()
log.debug('Set peer certificate Distinguished Name check set in '
'SSL Context')
else:
log.warning('No peer certificate Distinguished Name check set in '
'SSL Context')
ctx.set_verify(mode, verify_cb)
return ctx
