def __str__(self): parts = [ "Application Layer Protocol: %s" % self.alp, "Cipher: %s, %s bit, %s" % self.cipher, "SSL certificate chain:" ] for i in self.certchain: parts.append("\tSubject: ") for cn in i.get_subject().get_components(): parts.append("\t\t%s=%s" % cn) parts.append("\tIssuer: ") for cn in i.get_issuer().get_components(): parts.append("\t\t%s=%s" % cn) parts.extend([ "\tVersion: %s" % i.get_version(), "\tValidity: %s - %s" % (i.get_notBefore(), i.get_notAfter()), "\tSerial: %s" % i.get_serial_number(), "\tAlgorithm: %s" % i.get_signature_algorithm() ]) pk = i.get_pubkey() types = { OpenSSL.crypto.TYPE_RSA: "RSA", OpenSSL.crypto.TYPE_DSA: "DSA" } t = types.get(pk.type(), "Uknown") parts.append("\tPubkey: %s bit %s" % (pk.bits(), t)) s = certutils.SSLCert(i) if s.altnames: parts.append("\tSANs: %s" % " ".join(s.altnames)) return "\n".join(parts)
def save_cert(conn_, cert, errno_, depth_, preverify_ok_): self.clientcert = certutils.SSLCert(cert) # Return true to prevent cert verification error return True
def convert_to_ssl(self, sni=None, alpn_protos=None, **sslctx_kwargs): """ cert: Path to a file containing both client cert and private key. options: A bit field consisting of OpenSSL.SSL.OP_* values verify_options: A bit field consisting of OpenSSL.SSL.VERIFY_* values ca_path: Path to a directory of trusted CA certificates prepared using the c_rehash tool ca_pemfile: Path to a PEM formatted trusted CA certificate """ verification_mode = sslctx_kwargs.get('verify_options', None) if verification_mode == SSL.VERIFY_PEER and not sni: raise exceptions.TlsException( "Cannot validate certificate hostname without SNI") context = self.create_ssl_context(alpn_protos=alpn_protos, sni=sni, **sslctx_kwargs) self.connection = SSL.Connection(context, self.connection) if sni: self.sni = sni self.connection.set_tlsext_host_name(sni.encode("idna")) self.connection.set_connect_state() try: self.connection.do_handshake() except SSL.Error as v: if self.ssl_verification_error: raise self.ssl_verification_error else: raise exceptions.TlsException("SSL handshake error: %s" % repr(v)) else: # Fix for pre v1.0 OpenSSL, which doesn't throw an exception on # certificate validation failure if verification_mode == SSL.VERIFY_PEER and self.ssl_verification_error: raise self.ssl_verification_error self.cert = certutils.SSLCert(self.connection.get_peer_certificate()) # Keep all server certificates in a list for i in self.connection.get_peer_cert_chain(): self.server_certs.append(certutils.SSLCert(i)) # Validate TLS Hostname try: crt = dict(subjectAltName=[("DNS", x.decode("ascii", "strict")) for x in self.cert.altnames]) if self.cert.cn: crt["subject"] = [[[ "commonName", self.cert.cn.decode("ascii", "strict") ]]] if sni: hostname = sni else: hostname = "no-hostname" ssl_match_hostname.match_hostname(crt, hostname) except (ValueError, ssl_match_hostname.CertificateError) as e: self.ssl_verification_error = exceptions.InvalidCertificateException( "Certificate Verification Error for {}: {}".format( sni or repr(self.address), str(e))) if verification_mode == SSL.VERIFY_PEER: raise self.ssl_verification_error self.ssl_established = True self.rfile.set_descriptor(self.connection) self.wfile.set_descriptor(self.connection)
if self.sslinfo: print >> fp, "Cipher: %s, %s bit, %s" % self.sslinfo.cipher print >> fp, "SSL certificate chain:\n" for i in self.sslinfo.certchain: print >> fp, "\tSubject: ", for cn in i.get_subject().get_components(): print >> fp, "%s=%s" % cn, print >> fp print >> fp, "\tIssuer: ", for cn in i.get_issuer().get_components(): print >> fp, "%s=%s" % cn, print >> fp print >> fp, "\tVersion: %s" % i.get_version() print >> fp, "\tValidity: %s - %s" % (i.get_notBefore(), i.get_notAfter()) print >> fp, "\tSerial: %s" % i.get_serial_number() print >> fp, "\tAlgorithm: %s" % i.get_signature_algorithm( ) pk = i.get_pubkey() types = { OpenSSL.crypto.TYPE_RSA: "RSA", OpenSSL.crypto.TYPE_DSA: "DSA" } t = types.get(pk.type(), "Uknown") print >> fp, "\tPubkey: %s bit %s" % (pk.bits(), t) s = certutils.SSLCert(i) if s.altnames: print >> fp, "\tSANs:", " ".join(s.altnames) print >> fp return True