Example #1
0
    def ssl_wrap_socket(sock, keyfile=None, certfile=None, cert_reqs=None,
                        ca_certs=None, server_hostname=None,
                        ssl_version=None, ciphers=None):
        """
        All arguments except `server_hostname` have the same meaning as for
        :func:`ssl.wrap_socket`

        :param server_hostname:
            Hostname of the expected certificate
        """
        context = SSLContext(ssl_version)
        context.verify_mode = cert_reqs

        # Disable TLS compression to migitate CRIME attack (issue #309)
        OP_NO_COMPRESSION = 0x20000
        context.options |= OP_NO_COMPRESSION

        if ca_certs:
            try:
                context.load_verify_locations(ca_certs)
            # Py32 raises IOError
            # Py33 raises FileNotFoundError
            except Exception as e:  # Reraise as SSLError
                raise SSLError(e)
        if certfile:
            # FIXME: This block needs a test.
            context.load_cert_chain(certfile, keyfile)
        if ciphers:
            context.set_ciphers(ciphers)
        if HAS_SNI:  # Platform-specific: OpenSSL with enabled SNI
            return context.wrap_socket(sock, server_hostname=server_hostname)
        return context.wrap_socket(sock)
Example #2
0
File: ssl_.py Project: Ddoudou/test
def create_urllib3_context(ssl_version=None, cert_reqs=None,
                           options=None, ciphers=None):
    """All arguments have the same meaning as ``ssl_wrap_socket``.

    By default, this function does a lot of the same work that
    ``ssl.create_default_context`` does on Python 3.4+. It:

    - Disables SSLv2, SSLv3, and compression
    - Sets a restricted set of server ciphers

    If you wish to enable SSLv3, you can do::

        from urllib3.util import ssl_
        context = ssl_.create_urllib3_context()
        context.options &= ~ssl_.OP_NO_SSLv3

    You can do the same to enable compression (substituting ``COMPRESSION``
    for ``SSLv3`` in the last line above).

    :param ssl_version:
        The desired protocol version to use. This will default to
        PROTOCOL_SSLv23 which will negotiate the highest protocol that both
        the server and your installation of OpenSSL support.
    :param cert_reqs:
        Whether to require the certificate verification. This defaults to
        ``ssl.CERT_REQUIRED``.
    :param options:
        Specific OpenSSL options. These default to ``ssl.OP_NO_SSLv2``,
        ``ssl.OP_NO_SSLv3``, ``ssl.OP_NO_COMPRESSION``.
    :param ciphers:
        Which cipher suites to allow the server to select.
    :returns:
        Constructed SSLContext object with specified options
    :rtype: SSLContext
    """
    context = SSLContext(ssl_version or ssl.PROTOCOL_SSLv23)

    context.set_ciphers(ciphers or DEFAULT_CIPHERS)

    # Setting the default here, as we may have no ssl module on import
    cert_reqs = ssl.CERT_REQUIRED if cert_reqs is None else cert_reqs

    if options is None:
        options = 0
        # SSLv2 is easily broken and is considered harmful and dangerous
        options |= OP_NO_SSLv2
        # SSLv3 has several problems and is now dangerous
        options |= OP_NO_SSLv3
        # Disable compression to prevent CRIME attacks for OpenSSL 1.0+
        # (issue #309)
        options |= OP_NO_COMPRESSION

    context.options |= options

    context.verify_mode = cert_reqs
    if getattr(context, 'check_hostname', None) is not None:  # Platform-specific: Python 3.2
        # We do our own verification, including fingerprints and alternative
        # hostnames. So disable it here
        context.check_hostname = False
    return context
Example #3
0
def factory(uri, ssl=False, **init_args):
    from urllib.parse import urlparse, unquote, parse_qs
    o = urlparse(uri)

    srv = None

    if o.scheme == "irc" or o.scheme == "ircs":
        # https://www.w3.org/Addressing/draft-mirashi-url-irc-01.txt
        # https://www-archive.mozilla.org/projects/rt-messaging/chatzilla/irc-urls.html
        args = init_args

        if o.scheme == "ircs": ssl = True
        if o.hostname is not None: args["host"] = o.hostname
        if o.port is not None: args["port"] = o.port
        if o.username is not None: args["username"] = o.username
        if o.password is not None: args["password"] = o.password

        modifiers = o.path.split(",")
        target = unquote(modifiers.pop(0)[1:])

        # Read query string
        params = parse_qs(o.query)

        if "msg" in params:
            if "on_connect" not in args:
                args["on_connect"] = []
            args["on_connect"].append("PRIVMSG %s :%s" % (target, params["msg"]))

        if "key" in params:
            if "channels" not in args:
                args["channels"] = []
            args["channels"].append((target, params["key"]))

        if "pass" in params:
            args["password"] = params["pass"]

        if "charset" in params:
            args["encoding"] = params["charset"]

        #
        if "channels" not in args and "isnick" not in modifiers:
            args["channels"] = [ target ]

        from nemubot.server.IRC import IRC as IRCServer
        srv = IRCServer(**args)

        if ssl:
            try:
                from ssl import create_default_context
                context = create_default_context()
            except ImportError:
                # Python 3.3 compat
                from ssl import SSLContext, PROTOCOL_TLSv1
                context = SSLContext(PROTOCOL_TLSv1)
            from ssl import wrap_socket
            srv._fd = context.wrap_socket(srv._fd, server_hostname=o.hostname)


    return srv
Example #4
0
    def __init__(self, server_address, HandlerClass, dir):
        super().__init__(server_address, HandlerClass, bind_and_activate=False)
        ctx = SSLContext(PROTOCOL_TLSv1)
        ctx.load_cert_chain(join(dir, 'server-cert.pem'), join(dir, 'server-key.pem'))
#        ctx.load_verify_locations(join(dir, 'ca-cert.pem'))
        self.socket = ctx.wrap_socket(self.socket, server_side=True)
        self.server_bind()
        self.server_activate()
Example #5
0
    def ssl_wrap_socket(sock, keyfile=None, certfile=None, cert_reqs=None,
                        ca_certs=None, server_hostname=None,
                        ssl_version=None):
        """
        All arguments except `server_hostname` have the same meaning as for
        :func:`ssl.wrap_socket`

        :param server_hostname:
            Hostname of the expected certificate
        """
        context = SSLContext(ssl_version)
        context.verify_mode = cert_reqs
        if ca_certs:
            try:
                context.load_verify_locations(ca_certs)
            # Py32 raises IOError
            # Py33 raises FileNotFoundError
            except Exception as e:  # Reraise as SSLError
                raise SSLError(e)
        if certfile:
            # FIXME: This block needs a test.
            context.load_cert_chain(certfile, keyfile)
        if HAS_SNI:  # Platform-specific: OpenSSL with enabled SNI
            return context.wrap_socket(sock, server_hostname=server_hostname)
        return context.wrap_socket(sock)
Example #6
0
def sslContext(trustStore: str, keyStore: str) -> SSLContext:
    sslContext = SSLContext(PROTOCOL_TLSv1_2)
    sslContext.verify_mode = CERT_REQUIRED
    storePath = "../../certificates/"
    sslContext.load_verify_locations(storePath + trustStore)
    sslContext.load_cert_chain(storePath + keyStore, password="******")
    sslContext.set_ciphers("AES128-SHA")
    return sslContext
Example #7
0
def create_thriftpy_context(server_side=False, ciphers=None):
    """Backport create_default_context for older python versions.

    The SSLContext has some default security options, you can disable them
    manually, for example::

        from thriftpy.transport import _ssl
        context = _ssl.create_thriftpy_context()
        context.options &= ~_ssl.OP_NO_SSLv3

    You can do the same to enable compression.
    """
    if MODERN_SSL:
        if server_side:
            context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
        else:
            context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)

        if ciphers:
            context.set_ciphers(ciphers)

    else:
        context = SSLContext(ssl.PROTOCOL_SSLv23)
        context.options |= OP_NO_SSLv2
        context.options |= OP_NO_SSLv3
        context.options |= OP_NO_COMPRESSION

        # server/client default options
        if server_side:
            context.options |= OP_CIPHER_SERVER_PREFERENCE
            context.options |= OP_SINGLE_DH_USE
            context.options |= OP_SINGLE_ECDH_USE
        else:
            context.verify_mode = ssl.CERT_REQUIRED
            # context.check_hostname = True
            warnings.warn(
                "ssl check hostname support disabled, upgrade your python",
                InsecurePlatformWarning)

        # Platform-specific: Python 2.6
        if getattr(context, 'supports_set_ciphers', True):
            if ciphers:
                context.set_ciphers(ciphers)
        else:
            warnings.warn("ssl ciphers support disabled, upgrade your python",
                          InsecurePlatformWarning)

    return context
Example #8
0
class secureStream(stream):
    def __init__(self):
        stream.createsocket(stream)
        self.contxt = SSLContext(PROTOCOL_TLSv1_2)
        self.contxt.verify_mode = CERT_REQUIRED
        self.contxt.load_default_certs()

    def connect(self,host,port):
        self.connection.settimeout(15)
        self.connection.connect((host,port))
        self.connection = self.contxt.wrap_socket(self.connection)#stream.connection
        self.connection.settimeout(0)

    def twitchconnect(self):
        self.connect('api.twitch.tv',443)

    def receive(self,buffer=4096):
        try:
            data = self.connection.recv(buffer).decode()
            #print(data)#temporary
        except:
            return(None)
        else:
            return(data)

    def transmit(self,data):
        junk = self.receive()
        data = data.encode()
        try:
            self.connection.sendall(data)
        except ConnectionAbortedError:
            print('Break detected!')
            self.connection = None
            self.connection = socket(AF_INET,SOCK_STREAM)
            self.twitchconnect()
            self.connection.settimeout(0)
        except ConnectionResetError:
            print('Break detected!')
            self.connection = None
            self.connection = socket(AF_INET,SOCK_STREAM)
            self.twitchconnect()
            self.connection.settimeout(0)


        junk = None

    def close(self):
        self.connection.close()
Example #9
0
    def __init__(self, host: str, port: int, nicks: list, pwd: str, chans: list, op_pass: str,
                 use_ssl: bool=False, ssl_options: ssl.SSLContext=None,
                 encoding: str='utf-8'):
        """
        Asynchronous IRC client
        :param host: Server address
        :param port: IRC Port
        :param nicks: List of nicknames to try
        :param pwd: NickServ password
        :param use_ssl: Enable/Disable SSL
        :param ssl_options: SSLContext object
        :param encoding: Character encoding to use
        """
        self.host = host
        self.port = port
        self.nicks = nicks
        self.pwd = pwd
        self.chans = chans
        self.oper_pass = op_pass
        self.ssl = use_ssl
        self.encoding = encoding
        self.__nickidx = 0
        self.__handlers = {
            b'PING': self.__ping,
            b'NOTICE': self.__notice,
            b'PRIVMSG': self.__privmsg,
            b'PART': self.__part,
            b'JOIN': self.__join,
            b'MODE': self.__mode,
            b'NICK': self.__nick,
            b'QUIT': self.__quit,
            b'KICK': self.__kick,
            b'001': self.__welcome,
            b'251': self.__user_count,
            b'252': self.__op_count,
            b'353': self.__namreply,
            b'372': self.__motd,
            b'376': self.__end_motd,
            b'433': self.__nick_in_use,
            b'900': self.__logged_in
        }

        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0)

        if use_ssl:
            if not ssl_options:
                ssl_options = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
                # IRC often has unsigned certs, by default do not verify
                ssl_options.verify_mode = ssl.CERT_NONE
            sock = ssl.wrap_socket(sock, do_handshake_on_connect=False)
            self.stream = tornado.iostream.SSLIOStream(sock, ssl_options=ssl_options)
        else:
            self.stream = tornado.iostream.IOStream(sock)

        self.stream.connect((self.host, self.port),
                            self.__initial_auth,
                            server_hostname=self.host)
Example #10
0
def create_server(
        callback=None,
        host='127.0.0.1',
        port=8000,
        ssl=None,
        loop=None,
        **kargs
        ):
    """
    This is a function to assist in the creation of a growler HTTP server.

    @param host str: hostname or ip address on which to bind
    @param port: the port on which the server will listen
    @param ssl ssl.SSLContext: The SSLContext for using TLS over the connection
    @param loop asyncio.BaseEventLoop: The event loop to
    @param kargs: Extra parameters passed to the HTTPServer instance created.
                  If there is an ssl parameter passed to this function, kargs
                  will require the value 'key' to be present, and an optional
                  'cert' parameter to pass to load_cert_chain.
    @return An HTTPServer instance
    """

    loop = asyncio.get_event_loop() if loop is None else loop

    if ssl:
        sslctx = SSLContext(ssl.PROTOCOL_SSLv23)
        key = kargs.pop('key')
        try:
            sslctx.load_cert_chain(certfile=kargs.pop('cert'), keyfile=key)
        except KeyError:
            sslctx.load_cert_chain(certfile=key)
    else:
        sslctx = None

    # What do I use as a 'callback' here?
    srv = HTTPServer(cb=callback,
                     loop=loop,
                     ssl=sslctx,
                     host=host,
                     port=port,
                     **kargs
                     )
    return srv
Example #11
0
    def ssl_wrap_socket(sock, keyfile = None, certfile = None, cert_reqs = None, ca_certs = None, server_hostname = None, ssl_version = None):
        context = SSLContext(ssl_version)
        context.verify_mode = cert_reqs
        OP_NO_COMPRESSION = 131072
        context.options |= OP_NO_COMPRESSION
        if ca_certs:
            try:
                context.load_verify_locations(ca_certs)
            except Exception as e:
                raise SSLError(e)

        if certfile:
            context.load_cert_chain(certfile, keyfile)
        if HAS_SNI:
            return context.wrap_socket(sock, server_hostname=server_hostname)
        return context.wrap_socket(sock)
Example #12
0
 def __init__(self, localaddr, remoteaddr, ssl=False, certfile=None, keyfile=None, ssl_version=ssl.PROTOCOL_SSLv23, require_authentication=False, credential_validator=None, maximum_execution_time=30, process_count=5):
     smtpd.SMTPServer.__init__(self, localaddr, remoteaddr)
     self.logger = logging.getLogger( secure_smtpd.LOG_NAME )
     self.certfile = certfile
     self.keyfile = keyfile
     self.ssl_version = ssl_version
     self.subprocesses = []
     self.require_authentication = require_authentication
     self.credential_validator = credential_validator
     self.ssl = ssl
     self.maximum_execution_time = maximum_execution_time
     self.process_count = process_count
     self.process_pool = None
     self.context = SSLContext(ssl_version)
     self.context.load_cert_chain(certfile=certfile, keyfile=keyfile)
Example #13
0
def onclickBtn1():
    # Loop
    while True:
        # Read the video frame from the url
        gcontext = SSLContext(PROTOCOL_TLSv1)  # Only for gangstars
        info = urlopen(url, context=gcontext).read()

        imgNp = np.array(bytearray(info), dtype=np.uint8)
        im = cv2.imdecode(imgNp, -1)

        # Convert the captured frame into grayscale
        gray = cv2.cvtColor(im, cv2.COLOR_BGR2GRAY)

        # Get all face from the video frame
        faces = faceCascade.detectMultiScale(gray, 1.3, 5)

        # For each face in faces
        for (x, y, w, h) in faces:

            # Create rectangle around the face
            cv2.rectangle(im, (x - 20, y - 20), (x + w + 20, y + h + 20),
                          (0, 255, 0), 4)

            # Recognize the face belongs to which ID
            Id, conf = recognizer.predict(gray[y:y + h, x:x + w])

            # Check the ID if exist
            if (Id == 1):
                Id = "M.Samanci"
            # # Uncomment this block if you want to recognize other faces, and replace with the id provided in face_datasets
            elif (Id == 2):
                Id = "Y.Emre.Kilic"  # # Name of the other person you want to recognize
            # #If not exist, then it is Unknown
            # else:
            #     Id = "Unknown"

            # Put text describe who is in the picture
            cv2.rectangle(im, (x - 22, y - 90), (x + w + 22, y - 22),
                          (0, 255, 0), -1)
            cv2.putText(im, str(Id), (x, y - 40), font, 1, (255, 255, 255), 3)

        # Display the video frame with the bounded rectangle
        cv2.imshow('im', im)

        # If 'q' is pressed, close program
        if cv2.waitKey(10) & 0xFF == ord('q'):
            break
Example #14
0
 def secure(self, verify=True, hostname=None):
     """ Apply a layer of security onto this connection.
     """
     from ssl import SSLContext, PROTOCOL_TLS, CERT_NONE, CERT_REQUIRED
     context = SSLContext(PROTOCOL_TLS)
     if verify:
         context.verify_mode = CERT_REQUIRED
         context.check_hostname = bool(hostname)
     else:
         context.verify_mode = CERT_NONE
     context.load_default_certs()
     try:
         self.__socket = context.wrap_socket(self.__socket,
                                             server_hostname=hostname)
     except (IOError, OSError):
         # TODO: add connection failure/diagnostic callback
         raise WireError(
             "Unable to establish secure connection with remote peer")
Example #15
0
 def get_ssl_context(*args):
     """Create and return an SSLContext object."""
     certfile, keyfile, ca_certs, cert_reqs = args
     ctx = SSLContext(ssl.PROTOCOL_SSLv23)
     if certfile is not None:
         ctx.load_cert_chain(certfile, keyfile)
     if ca_certs is not None:
         ctx.load_verify_locations(ca_certs)
     if cert_reqs is not None:
         ctx.verify_mode = cert_reqs
     return ctx
Example #16
0
def ssl_wrap_socket(sock,
                    keyfile=None,
                    certfile=None,
                    cert_reqs=None,
                    ca_certs=None,
                    server_hostname=None,
                    ssl_version=None):
    context = SSLContext(ssl_version)
    context.verify_mode = cert_reqs

    if ca_certs:
        try:
            context.load_verify_locations(ca_certs)
        except Exception as e:
            raise SSLError(e)
    if certfile:
        context.load_cert_chain(certfile, keyfile)

    if HAS_SNI:  #OpenSSL enabled SNI
        return context.wrap_socket(sock, server_hostname=server_hostname)

    return context.wrap_socket(sock)
Example #17
0
 async def on_ready(self):
     print('Logged in as {0.id}/{0}'.format(self.user))
     print('Dev mode state: ' + ('enabled' if dev else 'disabled'))
     print('------')
     self.dev = dev
     self.load_extension("cogs.music")
     self.load_extension("cogs.config")
     self.pool = await asyncpg.create_pool(db, min_size=4, max_size=9, ssl=SSLContext())
     query = """
         SELECT * FROM config
     """
     self.config = {r['guild_id']: dict(r) for r in await self.pool.fetch(query)}
     if os.name != 'nt':
         try:
             discord.opus.load_opus("libopus.so.0.5.3")
         except Exception as e:
             print(f"Couldnt load opus:\n    {e}\nThe bot might not work.")
Example #18
0
    def __init__(
        self,
        socket: SyncSocketStream,
        backend: SyncBackend,
        ssl_context: SSLContext = None,
    ):
        self.socket = socket
        self.ssl_context = SSLContext() if ssl_context is None else ssl_context

        self.backend = backend
        self.h2_state = h2.connection.H2Connection(config=self.CONFIG)

        self.sent_connection_init = False
        self.streams = {}  # type: Dict[int, SyncHTTP2Stream]
        self.events = {}  # type: Dict[int, List[h2.events.Event]]

        self.state = ConnectionState.ACTIVE
Example #19
0
 def __init__(
     self,
     ssl_context: SSLContext = None,
     max_connections: int = None,
     max_keepalive: int = None,
     keepalive_expiry: float = None,
     http2: bool = False,
 ):
     self.ssl_context = SSLContext() if ssl_context is None else ssl_context
     self.max_connections = max_connections
     self.max_keepalive = max_keepalive
     self.keepalive_expiry = keepalive_expiry
     self.http2 = http2
     self.connections: Dict[Origin, Set[SyncHTTPConnection]] = {}
     self.thread_lock = ThreadLock()
     self.backend = SyncBackend()
     self.next_keepalive_check = 0.0
Example #20
0
def check_authorization(request_handler):
    """
    Assert whether the authorization header is valid by checking it against
    the cache first and if unsuccessful, the oauth server. Sets the 'user'
    field of the request_handler object.

    :return: When successful returns user's name. Returns None on failure.
    """
    auth_header = request_handler.headers.getheader('Authorization')
    if auth_header is None:
        getLogger('auth').debug(
            "authentication failed: no Authorization header available",
            extra=request_handler.get_log_dict())
        return None
    auth_url = config.get('oauth', 'verify_url', default=defaults.VERIFY_URL)
    getLogger('auth').debug("verify_url: %s" % auth_url,
                            extra=request_handler.get_log_dict())
    cache = TimedCache(timeout=0)  # FIXME: Cache is broken
    name = cache.get(auth_header)
    if name is not None:
        return name
    auth_request = Request(auth_url, None, {'Authorization': auth_header})
    try:
        ctx = SSLContext(SSL_PROTOCOL)
        response = urlopen(auth_request, context=ctx)
        name = response.read()
    except HTTPError as error:
        if error.code == 403:
            getLogger('auth').debug(
                "authentication failed: Wrong/expired code",
                extra=request_handler.get_log_dict())
        else:
            getLogger('auth').debug("authentication failed: HttpError %s" %
                                    error,
                                    extra=request_handler.get_log_dict())
        name = ''
    if name == '':
        name = None
        getLogger('auth').debug('authentication failed: response %s' % name,
                                extra=request_handler.get_log_dict())
    else:
        getLogger('auth').debug('Authenticated user: ' + name,
                                extra=request_handler.get_log_dict())
        cache.add(auth_header, name)
    return name
Example #21
0
def get_remote_file(filename, verbose=True):
    """
    INPUT:

    - ``filename`` -- the URL of a file on the web, e.g.,
      ``"http://modular.math.washington.edu/myfile.txt"``

    - ``verbose`` -- whether to display download status

    OUTPUT:

    creates a file in the temp directory and returns the absolute path
    to that file.

    EXAMPLES::

        sage: url = 'https://www.sagemath.org/files/loadtest.py'
        sage: g = get_remote_file(url, verbose=False)      # optional - internet
        sage: with open(g) as f: print(f.read())           # optional - internet
        print("hi from the net")
        <BLANKLINE>
        print(2 + 3)

    """
    if verbose:
        print("Attempting to load remote file: " + filename)

    from sage.misc.temporary_file import tmp_filename
    temp_name = tmp_filename() + '.' + os.path.splitext(filename)[1][1:]
    # IMPORTANT -- urllib takes a long time to load,
    # so do not import it in the module scope.

    req = Request(filename, headers={"User-Agent": "sage-doctest"})

    if verbose:
        print("Loading started")

    content = urlopen(req, timeout=1, context=SSLContext())
    with open(temp_name, 'wb') as f:
        f.write(content.read())

    if verbose:
        print("Loading ended")

    return temp_name
Example #22
0
    def __init__(
        self,
        ssl_context: SSLContext = None,
        max_connections: int = None,
        max_keepalive_connections: int = None,
        keepalive_expiry: float = None,
        http2: bool = False,
        uds: str = None,
        local_address: str = None,
        retries: int = 0,
        max_keepalive: int = None,
        backend: Union[AsyncBackend, str] = "auto",
    ):
        if max_keepalive is not None:
            warnings.warn(
                "'max_keepalive' is deprecated. Use 'max_keepalive_connections'.",
                DeprecationWarning,
            )
            max_keepalive_connections = max_keepalive

        if isinstance(backend, str):
            backend = lookup_async_backend(backend)

        self._ssl_context = SSLContext(
        ) if ssl_context is None else ssl_context
        self._max_connections = max_connections
        self._max_keepalive_connections = max_keepalive_connections
        self._keepalive_expiry = keepalive_expiry
        self._http2 = http2
        self._uds = uds
        self._local_address = local_address
        self._retries = retries
        self._connections: Dict[Origin, Set[AsyncHTTPConnection]] = {}
        self._thread_lock = ThreadLock()
        self._backend = backend
        self._next_keepalive_check = 0.0

        if http2:
            try:
                import h2  # noqa: F401
            except ImportError:
                raise ImportError(
                    "Attempted to use http2=True, but the 'h2' "
                    "package is not installed. Use 'pip install httpcore[http2]'."
                )
    def store_vv_file(self, vmid, ticket):
        """
            Description: Connecting to the machine involves two steps, the second one is obtaining a 'vv' file with the
                         connection parameters, which we can later pipe to virt-viewer and the connection will be opened.
            Arguments: 1. vmid: The VM UUID in oVirt-format.
                       2. ticket: The ticket obtained in the first step (method get_viewer_ticket)
            Returns: The temporary filename with all the parameters to connect to the machine (piped to virt-viewer)
        """

        global conf

        if not ticket:
            return False

        req = urllib.request.Request(
            '%s/%s/%s/%s/%s' %
            (conf.CONFIG['ovirturl'], 'vms', vmid, 'graphicsconsoles', ticket))
        # Python 2 -> 3 conversion: encodestring expects a byte-like string, not str
        base64str = encodestring(
            ('%s:%s' % (conf.USERNAME + '@' + conf.CONFIG['ovirtdomain'],
                        conf.PASSWORD)).encode()).decode().replace('\n', '')
        req.add_header('Authorization', 'Basic ' + base64str)
        req.add_header('Content-Type', 'application/xml')
        req.add_header('Accept', 'application/x-virt-viewer')
        req.add_header('filter', 'true')

        unverified_ctxt = SSLContext(PROTOCOL_TLSv1)
        try:
            contents = urllib.request.urlopen(req,
                                              context=unverified_ctxt).read()
            if conf.CONFIG['fullscreen'] == '1':
                contents = contents.replace('fullscreen=0', 'fullscreen=1')
            filename = '/tmp/viewer-' + str(randint(10000, 99999))
            f = open(filename, 'wb')
            f.write(contents)
            f.close()

            return filename
        except urllib.request.HTTPError as em:
            QMessageBox.critical(
                None,
                _('apptitle') + ': ' + _('error'),
                _('unexpected_request_error') + '(' + str(em.code) + '): ' +
                em.reason + '. ' + _('check_vm_config_updated'))
            return None
Example #24
0
    def __init__(
        self,
        auto_reconnect: bool = True,
        ssl: Optional[Union[bool, ssl.SSLContext]] = None,
        loop: Optional[asyncio.AbstractEventLoop] = None,
    ) -> None:
        """Initialize a ThingsDB client.

        Args:
            auto_reconnect (bool, optional):
                When set to `True`, the client will automatically
                reconnect when a connection is lost. If set to `False` and the
                connection gets lost, one may call the `reconnect()` method to
                make a new connection. The auto-reconnect option can act on
                node changes and does so automatically if the connected user
                has the required `WATCH` privileges on the `@node` scope.
                Defaults to `True`.
            ssl (SSLContext or bool, optional):
                Accepts an ssl.SSLContext for creating a secure connection
                using SSL/TLS. This argument may simply be set to `True` in
                which case a context using `ssl.PROTOCOL_TLS` is created.
                Defaults to None.
            loop (AbstractEventLoop, optional):
                Can be used to run the client on a specific event loop.
                If this argument is not used, the default event loop will be
                used. Defaults to `None`.
        """

        self._loop = loop if loop else asyncio.get_event_loop()
        self._auth = None
        self._pool = None
        self._protocol = None
        self._pid = 0
        self._write_pkg = self._ensure_write if auto_reconnect else self._write
        self._reconnect = auto_reconnect
        self._scope = '@t'  # default to thingsdb scope
        self._pool_idx = 0
        self._reconnecting = False
        if ssl is True:
            self._ssl = SSLContext(PROTOCOL_TLS)
        elif ssl is False:
            self._ssl = None
        else:
            self._ssl = ssl
        self._event_handlers = []
Example #25
0
 async def start_tls(self, context: ssl.SSLContext,
                     server_hostname: Optional[str] = None,
                     suppress_ragged_eofs: bool = False) -> None:
     plain_socket = self._raw_socket
     self._raw_socket = context.wrap_socket(
         self._raw_socket, server_side=not server_hostname, do_handshake_on_connect=False,
         server_hostname=server_hostname, suppress_ragged_eofs=suppress_ragged_eofs)
     while True:
         try:
             self._raw_socket.do_handshake()
             return
         except ssl.SSLWantReadError:
             await self._wait_readable()
         except ssl.SSLWantWriteError:
             await self._wait_writable()
         except BaseException:
             self._raw_socket = plain_socket
             raise
Example #26
0
def scrape():
    sslcontext = SSLContext()
    curr_time = datetime.now().time()

    for page in range(ord('A'), ord('Z') + 1):
        for row in get_rows_from_page(page, sslcontext):
            if row.find('tr').text == "No classes to display":
                continue
            else:
                for idx, tr in enumerate(row.find_all('tr')):
                    cell = tr.find_all('td')
                    if idx == 0:
                        build_class_schedule(cell, curr_time)
                    else:
                        # for blocks but i'll ignore muna
                        pass

    print('database updated')
Example #27
0
    async def send_json():

        #log.debug('send_json')
        try:
            if secure:
                async with websockets.connect(url) as websocket:
                    await websocket.send(msg_json)
            else:
                context = SSLContext(protocol=PROTOCOL_TLS)
                async with websockets.connect(url, ssl=context) as websocket:
                    await websocket.send(msg_json)

        except NameError as n:
            log.debug(f'{str(n)} in send_json')
            raise

        except Exception as e:
            log.debug(e)
            raise
Example #28
0
    async def _startup():
        if psql_uri:
            import asyncpg

            kwargs = {"min_size": 3, "max_size": 8, "command_timeout": 5}
            if "localhost" not in psql_uri:
                kwargs["ssl"] = SSLContext()
            if psql_pool_args:
                kwargs.update(psql_pool_args)
            app.db = await asyncpg.create_pool(psql_uri, **kwargs)
        else:
            app.db = None

        if mongo_uri:
            from motor.motor_asyncio import AsyncIOMotorClient

            app.mdb = AsyncIOMotorClient(mongo_uri)
        else:
            app.mdb = None
Example #29
0
    async def test_send_eof_not_implemented(self,
                                            server_context: ssl.SSLContext,
                                            ca: CA,
                                            force_tlsv12: bool) -> None:
        def serve_sync() -> None:
            conn, addr = server_sock.accept()
            conn.sendall(b"hello")
            conn.unwrap()
            conn.close()

        client_context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
        ca.configure_trust(client_context)
        if force_tlsv12:
            expected_pattern = r"send_eof\(\) requires at least TLSv1.3"
            if hasattr(ssl, "TLSVersion"):
                client_context.maximum_version = ssl.TLSVersion.TLSv1_2
            else:  # Python 3.6
                client_context.options |= ssl.OP_NO_TLSv1_3
        else:
            expected_pattern = (
                r"send_eof\(\) has not yet been implemented for TLS streams")

        server_sock = server_context.wrap_socket(socket.socket(),
                                                 server_side=True,
                                                 suppress_ragged_eofs=False)
        server_sock.settimeout(1)
        server_sock.bind(("127.0.0.1", 0))
        server_sock.listen()
        server_thread = Thread(target=serve_sync, daemon=True)
        server_thread.start()

        stream = await connect_tcp(*server_sock.getsockname())
        async with await TLSStream.wrap(stream,
                                        hostname="localhost",
                                        ssl_context=client_context) as wrapper:
            assert await wrapper.receive() == b"hello"
            with pytest.raises(NotImplementedError) as exc:
                await wrapper.send_eof()

            exc.match(expected_pattern)

        server_thread.join()
        server_sock.close()
Example #30
0
    def __init__(self,
                 hote_imap,
                 nom_utilisateur,
                 mot_de_passe,
                 dossier_cible='INBOX',
                 verify_peer=True,
                 use_secure_socket=True,
                 legacy_secure_protocol=False):

        super().__init__('IMAPFactory via {}'.format(hote_imap))

        self._ssl_context = SSLContext(
            protocol=PROTOCOL_TLS) if use_secure_socket else None
        self._use_secure_socket = use_secure_socket

        if verify_peer is False and use_secure_socket is True:
            # don't check if certificate hostname doesn't match target hostname
            self._ssl_context.check_hostname = False
            # don't check if the certificate is trusted by a certificate authority
            self._ssl_context.verify_mode = CERT_NONE

        if legacy_secure_protocol and use_secure_socket:
            self._ssl_context.options = OP_ALL

        self._hote_imap = Session.UNIVERSELLE.retranscrire(hote_imap)
        self._client = IMAPClient(host=self._hote_imap,
                                  port=993 if self._use_secure_socket else 143,
                                  ssl=self._use_secure_socket,
                                  ssl_context=self._ssl_context)
        self._nom_utilisateur = Session.UNIVERSELLE.retranscrire(
            nom_utilisateur)
        self._verify_peer = verify_peer
        self._dossier_cible = dossier_cible
        self._mot_de_passe = mot_de_passe

        self._client.login(
            self._nom_utilisateur,
            Session.UNIVERSELLE.retranscrire(self._mot_de_passe))

        self._echec = False

        MailToolbox.INSTANCES.append(self)
Example #31
0
 def __init__(
     self,
     ssl_context: SSLContext = None,
     max_connections: int = None,
     max_keepalive: int = None,
     keepalive_expiry: float = None,
     http2: bool = False,
     local_addr: bytes = None,
 ):
     self._ssl_context = SSLContext(
     ) if ssl_context is None else ssl_context
     self._max_connections = max_connections
     self._max_keepalive = max_keepalive
     self._keepalive_expiry = keepalive_expiry
     self._http2 = http2
     self._local_addr = local_addr
     self._connections: Dict[Origin, Set[AsyncHTTPConnection]] = {}
     self._thread_lock = ThreadLock()
     self._backend = AutoBackend()
     self._next_keepalive_check = 0.0
Example #32
0
    def _is_present(self):
        r"""
        Test whether Internet is available.

        EXAMPLES::

            sage: from sage.features.internet import Internet
            sage: Internet()._is_present()  # random, optional - internet
            FeatureTestResult('internet', True)
        """
        import urllib.error
        from urllib.request import Request, urlopen
        from ssl import SSLContext

        req = Request("https://www.sagemath.org", headers={"User-Agent": "sage-doctest"})
        try:
            urlopen(req, timeout=1, context=SSLContext())
            return FeatureTestResult(self, True)
        except urllib.error.URLError:
            return FeatureTestResult(self, False)
Example #33
0
async def send_to_station(device: dict, message: dict = None):
    device_token = get_device_token(device['yandex_token'], device['id'],
                                    device['platform'])

    uri = f"wss://{device['host']}:{device['port']}"
    try:
        async with websockets.connect(uri, ssl=SSLContext()) as ws:
            await ws.send(
                json.dumps({
                    'conversationToken': device_token,
                    'payload': message
                }))
            res = json.loads(await ws.recv())
            _LOGGER.debug(res)
            return res

    except Exception as e:
        _LOGGER.error(f"Station connect error: {e}")

        return None
Example #34
0
def ssl_wrap_socket(sock, keyfile=None, certfile=None, cert_reqs=None,
                    ca_certs=None, server_hostname=None,
                    ssl_version=None):
    context = SSLContext(ssl_version)
    context.verify_mode = cert_reqs

    if ca_certs:
        try:
            context.load_verify_locations(ca_certs)
        # Py32 raises IOError   
        # Py33 raises FileNotFoundError
        except Exception as e:  # Reraise as SSLError
            raise SSLError(e)

    if certfile:
        # FIXME: This block needs a test.
        context.load_cert_chain(certfile, keyfile)

    if HAS_SNI:  # Platform-specific: OpenSSL with enabled SNI
        return (context, context.wrap_socket(sock, server_hostname=server_hostname))

    return (context, context.wrap_socket(sock))
Example #35
0
def create_urllib3_context(ssl_version = None, cert_reqs = None, options = None, ciphers = None):
    context = SSLContext(ssl_version or ssl.PROTOCOL_SSLv23)
    cert_reqs = ssl.CERT_REQUIRED if cert_reqs is None else cert_reqs
    if options is None:
        options = 0
        options |= OP_NO_SSLv2
        options |= OP_NO_SSLv3
        options |= OP_NO_COMPRESSION
    context.options |= options
    if getattr(context, 'supports_set_ciphers', True):
        context.set_ciphers(ciphers or DEFAULT_CIPHERS)
    context.verify_mode = cert_reqs
    if getattr(context, 'check_hostname', None) is not None:
        context.check_hostname = False
    return context
Example #36
0
def send_email_alert_notification(email_message_content):

	# Creating an email object
	msg = EmailMessage()

	# Set the sender address
	msg['From'] = FROM_EMAIL_ADDRESS_VALUE

	# Set the destination addresses
	recipients = RECIPIENTS_EMAIL_ADDRESS_VALUES
	# recipients = ['*****@*****.**'] # Example single recipient
	# Join the recipients addresses into one string and set the destination values
	msg['To'] = ", ".join(recipients)
	# msg['To'] = recipients # Use with only single recipient and no .join()
	# 
	# Set the message subject by slicing the message body content down
	# msg['Subject'] = email_message_content[0:33] 
	# SMS message typically have no subject
	msg['Subject'] = ""

	# Append the tag line to the message body
	email_message_content = email_message_content + EMAIL_MESSAGE_TAG_LINE
	print (email_message_content)

	# Populate the message content with message body
	msg.set_content(email_message_content) 

	# Send the email via smtp
	with SMTP(host=EMAIL_SMTP_SERVER_HOST_NAME, port=587) as smtp_server:

		try:
			# Define a secure SSL connection
			smtp_server.starttls(context=SSLContext(PROTOCOL_TLSv1_2))
			# Supply authentication credentials
			smtp_server.login(user=SMTP_SERVER_LOGIN_NAME, password=SMTP_SERVER_LOGIN_PASSWORD)
			# Send the email message
			smtp_server.send_message(msg)

		except Exception as e:

			print('Error sending email. Details: {} - {}'.format(e.__class__, e))
Example #37
0
 def _load_client_certs(self, ssl_context: ssl.SSLContext) -> None:
     """
     Loads client certificates into our SSLContext object
     """
     if self.cert is not None:
         if isinstance(self.cert, str):
             ssl_context.load_cert_chain(certfile=self.cert)
         elif isinstance(self.cert, tuple) and len(self.cert) == 2:
             ssl_context.load_cert_chain(certfile=self.cert[0], keyfile=self.cert[1])
         elif isinstance(self.cert, tuple) and len(self.cert) == 3:
             ssl_context.load_cert_chain(
                 certfile=self.cert[0],
                 keyfile=self.cert[1],
                 password=self.cert[2],  # type: ignore
             )
Example #38
0
def create_socket(ip: str, port: int, context: ssl.SSLContext = None,
                  verify_hostname: bool = True, timeout: int = 10) -> ssl.SSLSocket:
    """
    Creates a new SSL-wrapped socket.
    :param ip: The IP to connect to.
    :param port: The port to connect to.
    :param context: The SSL context to use, or None for a default one to be created.
    :param verify_hostname: Ignored
    :param timeout: The timeout for recv().
    :return: A new SSLSocket.
    """
    verify_hostname = current_app.conf["SERVER_LOGIN_ON_CLIENT_VERIFY"]

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    if context:
        sock = context.wrap_socket(s)
    else:
        sock = ssl.wrap_socket(s, cert_reqs=ssl.CERT_REQUIRED if verify_hostname else ssl.CERT_NONE)
    sock.connect((ip, port))
    return sock
Example #39
0
 def _config_ssl_context(config):
     if config.get_ssl_context() is not None:
         return
     if config.get_service_url().scheme == 'https':
         try:
             if config.get_ssl_protocol() is None:
                 ctx = create_default_context()
             else:
                 ctx = SSLContext(config.get_ssl_protocol())
             if config.get_ssl_cipher_suites() is not None:
                 ctx.set_ciphers(config.get_ssl_cipher_suites())
             if config.get_ssl_ca_certs() is not None:
                 ctx.load_verify_locations(config.get_ssl_ca_certs())
             config.set_ssl_context(ctx)
         except (SSLError, ValueError) as err:
             raise IllegalArgumentException(str(err))
Example #40
0
    async def test_ragged_eof_on_receive(
            self, server_context: ssl.SSLContext,
            client_context: ssl.SSLContext) -> None:
        server_exc = None

        def serve_sync() -> None:
            nonlocal server_exc
            conn, addr = server_sock.accept()
            try:
                conn.settimeout(1)
                conn.sendall(b"hello")
            except BaseException as exc:
                server_exc = exc
            finally:
                conn.close()

        server_sock = server_context.wrap_socket(socket.socket(),
                                                 server_side=True,
                                                 suppress_ragged_eofs=True)
        server_sock.settimeout(1)
        server_sock.bind(("127.0.0.1", 0))
        server_sock.listen()
        server_thread = Thread(target=serve_sync, daemon=True)
        server_thread.start()
        try:
            async with await connect_tcp(*server_sock.getsockname()) as stream:
                wrapper = await TLSStream.wrap(
                    stream,
                    hostname="localhost",
                    ssl_context=client_context,
                    standard_compatible=False,
                )
                assert await wrapper.receive() == b"hello"
                with pytest.raises(EndOfStream):
                    await wrapper.receive()
        finally:
            server_thread.join()
            server_sock.close()

        assert server_exc is None
Example #41
0
    def __init__(self, bot, name, nick, *, channels=None, config=None,
                 server, port=6667, use_ssl=False, ignore_cert_errors=True, timeout=300, local_bind=False):
        """
        :type bot: cloudbot.bot.CloudBot
        :type name: str
        :type nick: str
        :type channels: list[str]
        :type config: dict[str, unknown]
        :type server: str
        :type port: int
        :type use_ssl: bool
        :type ignore_cert_errors: bool
        :type timeout: int
        """
        super().__init__(bot, name, nick, channels=channels, config=config)

        self.use_ssl = use_ssl
        self._ignore_cert_errors = ignore_cert_errors
        self._timeout = timeout
        self.server = server
        self.port = port
        self.local_bind = local_bind
        # create SSL context
        if self.use_ssl:
            self.ssl_context = SSLContext(PROTOCOL_SSLv23)
            if self._ignore_cert_errors:
                self.ssl_context.verify_mode = ssl.CERT_NONE
            else:
                self.ssl_context.verify_mode = ssl.CERT_REQUIRED
        else:
            self.ssl_context = None

        # if we're connected
        self._connected = False
        # if we've quit
        self._quit = False

        # transport and protocol
        self._transport = None
        self._protocol = None
Example #42
0
    def _get_connector(verify_host_certificate: bool,
                       client_key: Optional[Path],
                       client_cert: Optional[Path]) -> TCPConnector:
        """Return an aiohttp ClientSession based on the options."""
        ssl_context = SSLContext()

        if not verify_host_certificate:
            ssl_context.check_hostname = False
            ssl_context.verify_mode = CERT_NONE

        cert = client_cert
        key = client_key
        if cert is not None:
            ssl_context.load_cert_chain(cert, key)

        return TCPConnector(ssl=ssl_context)
    def _connect_with_pymysql(self, ip_address: str, ctx: ssl.SSLContext,
                              **kwargs):
        """Helper function to create a pymysql DB-API connection object.

        :type ca_filepath: str
        :param ca_filepath: A string representing the path to the server's
            certificate authority.

        :type cert_filepath: str
        :param cert_filepath: A string representing the path to the ephemeral
            certificate.

        :type key_filepath: str
        :param key_filepath: A string representing the path to the private key file.

        :type ip_addresses: Dict[str, str]
        :param ip_addresses: A Dictionary containing the different IP addresses
            of the Cloud SQL instance.

        :rtype: pymysql.Connection
        :returns: A PyMySQL Connection object for the Cloud SQL instance.
        """
        try:
            import pymysql
        except ImportError:
            raise ImportError(
                'Unable to import module "pymysql." Please install and try again.'
            )

        # Create socket and wrap with context.
        sock = ctx.wrap_socket(socket.create_connection((ip_address, 3307)),
                               server_hostname=ip_address)

        # Create pymysql connection object and hand in pre-made connection
        conn = pymysql.Connection(host=ip_address,
                                  defer_connect=True,
                                  **kwargs)
        conn.connect(sock)
        return conn
Example #44
0
 def __init__(self, config):
     super().__init__()
     self.setName('Connection thread.')
     self.daemon = True
     self.__config = config
     self.__host = config["host"]
     self.__port = config.get("port", 1883)
     self.__default_quality_of_service = config.get("qos", 1)
     credentials = config["security"]
     self.__min_reconnect_delay = 1
     self.__tls = bool(
         credentials.get('tls', False) or credentials.get('caCert', False))
     self.__ca_cert = None
     self.__private_key = None
     self.__cert = None
     self.__token = None
     self.__is_connected = False
     self.__stopped = False
     self.__paused = False
     if credentials.get("accessToken") is not None:
         self.__token = str(credentials["accessToken"])
     if self.__tls:
         self.__ca_cert = credentials.get("caCert")
         self.__private_key = credentials.get("privateKey")
         self.__cert = credentials.get("cert")
     self.client = TBGatewayMqttClient(
         self.__host,
         self.__port,
         self.__token,
         self,
         quality_of_service=self.__default_quality_of_service)
     if self.__tls and self.__ca_cert is None and self.__private_key is None and self.__cert is None:
         # pylint: disable=protected-access
         self.client._client.tls_set_context(SSLContext(PROTOCOL_TLSv1_2))
     # Adding callbacks
     self.client._client._on_connect = self._on_connect
     self.client._client._on_disconnect = self._on_disconnect
     # self.client._client._on_log = self._on_log
     self.start()
Example #45
0
    def ssl_wrap_socket(sock, keyfile=None, certfile=None, cert_reqs=CERT_NONE,
                        ca_certs=None, server_hostname=None,
                        ssl_version=PROTOCOL_SSLv23):
        """
        All arguments except `server_hostname` have the same meaning as for
        :func:`ssl.wrap_socket`

        :param server_hostname:
            Hostname of the expected certificate
        """
        context = SSLContext(ssl_version)
        context.verify_mode = cert_reqs
        if ca_certs:
            try:
                context.load_verify_locations(ca_certs)
            except TypeError as e:  # Reraise as SSLError
                # fixme: This block needs a test.
                raise SSLError(e)
        if certfile:
            # fixme: This block needs a test.
            context.load_cert_chain(certfile, keyfile)
        if HAS_SNI:  # Platform-specific: OpenSSL with enabled SNI
            return context.wrap_socket(sock, server_hostname=server_hostname)
        return context.wrap_socket(sock)
Example #46
0
def lambda_handler(event, context):
    username = os.environ['CASSANDRA_USER']
    password = os.environ['CASSANDRA_PWD']
    ssl_context = SSLContext(PROTOCOL_TLSv1_2)
    auth_provider = PlainTextAuthProvider(username=username, password=password)
    cluster = Cluster(['cassandra.us-east-1.amazonaws.com'],
                      ssl_context=ssl_context,
                      auth_provider=auth_provider,
                      port=9142)
    session = cluster.connect()
    stmt = session.prepare(
        "INSERT INTO neighborhood_stops.stops (stop_id, stop_code, stop_name, lat, lon, neighborhood) VALUES (?, ?, ?, ?, ?, ?)"
    )
    execution_profile = session.execution_profile_clone_update(
        session.get_execution_profile(EXEC_PROFILE_DEFAULT))
    execution_profile.consistency_level = ConsistencyLevel.LOCAL_QUORUM

    bucket = 'bigdatafilippo'
    key = 'quartieri.csv'
    response = s3.get_object(Bucket=bucket, Key=key)
    content = response.get('Body').read().decode('utf-8')
    reader = csv.reader(content.splitlines(), delimiter=',')
    rows = list(reader)
    count = 0
    for row in rows:
        stop_id = row[1]
        stop_code = row[2]
        stop_name = row[3]
        lat = row[4]
        lon = row[5]
        neighborhood = row[6]
        notFound = 'Non trovato'
        if (neighborhood != notFound):
            session.execute(
                stmt, (stop_id, stop_code, stop_name, lat, lon, neighborhood),
                execution_profile=execution_profile)
        count += 1
    print('count ' + str(count))
 def secure_socket(s, host):
     ssl_context = SSLContext(PROTOCOL_SSLv23)
     ssl_context.options |= OP_NO_SSLv2
     return ssl_context.wrap_socket(s, server_hostname=host if HAS_SNI else None)
Example #48
0
 def get_ssl_context(*args):
     """Create and return an SSLContext object."""
     certfile, keyfile, ca_certs, cert_reqs = args
     # Note PROTOCOL_SSLv23 is about the most misleading name imaginable.
     # This configures the server and client to negotiate the
     # highest protocol version they both support. A very good thing.
     ctx = SSLContext(ssl.PROTOCOL_SSLv23)
     if hasattr(ctx, "options"):
         # Explicitly disable SSLv2 and SSLv3. Note that up to
         # date versions of MongoDB 2.4 and above already do this,
         # python disables SSLv2 by default in >= 2.7.7 and >= 3.3.4
         # and SSLv3 in >= 3.4.3. There is no way for us to do this
         # explicitly for python 2.6 or 2.7 before 2.7.9.
         ctx.options |= getattr(ssl, "OP_NO_SSLv2", 0)
         ctx.options |= getattr(ssl, "OP_NO_SSLv3", 0)
     if certfile is not None:
         ctx.load_cert_chain(certfile, keyfile)
     if ca_certs is not None:
         ctx.load_verify_locations(ca_certs)
     elif cert_reqs != ssl.CERT_NONE:
         # CPython >= 2.7.9 or >= 3.4.0, pypy >= 2.5.1
         if hasattr(ctx, "load_default_certs"):
             ctx.load_default_certs()
         # Python >= 3.2.0, useless on Windows.
         elif (sys.platform != "win32" and
               hasattr(ctx, "set_default_verify_paths")):
             ctx.set_default_verify_paths()
         elif sys.platform == "win32" and HAVE_WINCERTSTORE:
             with _WINCERTSLOCK:
                 if _WINCERTS is None:
                     _load_wincerts()
             ctx.load_verify_locations(_WINCERTS.name)
         elif HAVE_CERTIFI:
             ctx.load_verify_locations(certifi.where())
         else:
             raise ConfigurationError(
                 "`ssl_cert_reqs` is not ssl.CERT_NONE and no system "
                 "CA certificates could be loaded. `ssl_ca_certs` is "
                 "required.")
     ctx.verify_mode = ssl.CERT_REQUIRED if cert_reqs is None else cert_reqs
     return ctx
Example #49
0
    def __get_ssl_context(cls, sslca=None):
        """Make an SSLConext for this Python version using public or sslca
        """
        if ((version_info[0] == 2 and (version_info[1] >= 7 and version_info[2] >= 9)) or
                (version_info[0] == 3 and version_info[1] >= 4)):
            logger.debug('SSL method for 2.7.9+ / 3.4+')
            # pylint: disable=no-name-in-module
            from ssl import SSLContext, PROTOCOL_TLSv1_2, CERT_REQUIRED, OP_NO_COMPRESSION
            ctx = SSLContext(PROTOCOL_TLSv1_2)
            ctx.set_ciphers('HIGH:!SSLv3:!TLSv1:!aNULL:@STRENGTH')
            # see CRIME security exploit
            ctx.options |= OP_NO_COMPRESSION
            # the following options are used to verify the identity of the broker
            if sslca:
                ctx.load_verify_locations(sslca)
                ctx.verify_mode = CERT_REQUIRED
                ctx.check_hostname = False
            else:
                # Verify public certifcates if sslca is None (default)
                from ssl import Purpose  # pylint: disable=no-name-in-module
                ctx.load_default_certs(purpose=Purpose.SERVER_AUTH)
                ctx.verify_mode = CERT_REQUIRED
                ctx.check_hostname = True

        elif version_info[0] == 3 and version_info[1] < 4:
            logger.debug('Using SSL method for 3.2+, < 3.4')
            # pylint: disable=no-name-in-module
            from ssl import SSLContext, CERT_REQUIRED, PROTOCOL_SSLv23, OP_NO_SSLv2, OP_NO_SSLv3, OP_NO_TLSv1
            ctx = SSLContext(PROTOCOL_SSLv23)
            ctx.options |= (OP_NO_SSLv2 | OP_NO_SSLv3 | OP_NO_TLSv1)
            ctx.set_ciphers('HIGH:!SSLv3:!TLSv1:!aNULL:@STRENGTH')
            # the following options are used to verify the identity of the broker
            if sslca:
                ctx.load_verify_locations(sslca)
                ctx.verify_mode = CERT_REQUIRED
            else:
                # Verify public certifcates if sslca is None (default)
                ctx.set_default_verify_paths()
                ctx.verify_mode = CERT_REQUIRED

        else:
            raise Exception("Unsupported Python version %s" % '.'.join(str(item) for item in version_info[:3]))

        return ctx
 def get_ssl_context(*args):
     """Create and return an SSLContext object."""
     certfile, keyfile, passphrase, ca_certs, cert_reqs, crlfile = args
     # Note PROTOCOL_SSLv23 is about the most misleading name imaginable.
     # This configures the server and client to negotiate the
     # highest protocol version they both support. A very good thing.
     ctx = SSLContext(ssl.PROTOCOL_SSLv23)
     if hasattr(ctx, "options"):
         # Explicitly disable SSLv2 and SSLv3. Note that up to
         # date versions of MongoDB 2.4 and above already do this,
         # python disables SSLv2 by default in >= 2.7.7 and >= 3.3.4
         # and SSLv3 in >= 3.4.3. There is no way for us to do this
         # explicitly for python 2.6 or 2.7 before 2.7.9.
         ctx.options |= getattr(ssl, "OP_NO_SSLv2", 0)
         ctx.options |= getattr(ssl, "OP_NO_SSLv3", 0)
     if certfile is not None:
         if passphrase is not None:
             vi = sys.version_info
             # Since python just added a new parameter to an existing method
             # this seems to be about the best we can do.
             if (vi[0] == 2 and vi < (2, 7, 9) or
                     vi[0] == 3 and vi < (3, 3)):
                 raise ConfigurationError(
                     "Support for ssl_pem_passphrase requires "
                     "python 2.7.9+ (pypy 2.5.1+) or 3.3+")
             ctx.load_cert_chain(certfile, keyfile, passphrase)
         else:
             ctx.load_cert_chain(certfile, keyfile)
     if crlfile is not None:
         if not hasattr(ctx, "verify_flags"):
             raise ConfigurationError(
                 "Support for ssl_crlfile requires "
                 "python 2.7.9+ (pypy 2.5.1+) or  3.4+")
         # Match the server's behavior.
         ctx.verify_flags = ssl.VERIFY_CRL_CHECK_LEAF
         ctx.load_verify_locations(crlfile)
     if ca_certs is not None:
         ctx.load_verify_locations(ca_certs)
     elif cert_reqs != ssl.CERT_NONE:
         # CPython >= 2.7.9 or >= 3.4.0, pypy >= 2.5.1
         if hasattr(ctx, "load_default_certs"):
             ctx.load_default_certs()
         # Python >= 3.2.0, useless on Windows.
         elif (sys.platform != "win32" and
               hasattr(ctx, "set_default_verify_paths")):
             ctx.set_default_verify_paths()
         elif sys.platform == "win32" and HAVE_WINCERTSTORE:
             with _WINCERTSLOCK:
                 if _WINCERTS is None:
                     _load_wincerts()
             ctx.load_verify_locations(_WINCERTS.name)
         elif HAVE_CERTIFI:
             ctx.load_verify_locations(certifi.where())
         else:
             raise ConfigurationError(
                 "`ssl_cert_reqs` is not ssl.CERT_NONE and no system "
                 "CA certificates could be loaded. `ssl_ca_certs` is "
                 "required.")
     ctx.verify_mode = ssl.CERT_REQUIRED if cert_reqs is None else cert_reqs
     return ctx
Example #51
0
 def __init__(self):
     stream.createsocket(stream)
     self.contxt = SSLContext(PROTOCOL_TLSv1_2)
     self.contxt.verify_mode = CERT_REQUIRED
     self.contxt.load_default_certs()
 def get_ssl_context(*args):
     """Create and return an SSLContext object."""
     (certfile,
      keyfile,
      passphrase,
      ca_certs,
      cert_reqs,
      crlfile,
      match_hostname) = args
     verify_mode = ssl.CERT_REQUIRED if cert_reqs is None else cert_reqs
     # Note PROTOCOL_SSLv23 is about the most misleading name imaginable.
     # This configures the server and client to negotiate the
     # highest protocol version they both support. A very good thing.
     # PROTOCOL_TLS_CLIENT was added in CPython 3.6, deprecating
     # PROTOCOL_SSLv23.
     ctx = SSLContext(
         getattr(ssl, "PROTOCOL_TLS_CLIENT", ssl.PROTOCOL_SSLv23))
     # SSLContext.check_hostname was added in CPython 2.7.9 and 3.4.
     # PROTOCOL_TLS_CLIENT (added in Python 3.6) enables it by default.
     if hasattr(ctx, "check_hostname"):
         if _PY37PLUS and verify_mode != ssl.CERT_NONE:
             # Python 3.7 uses OpenSSL's hostname matching implementation
             # making it the obvious version to start using this with.
             # Python 3.6 might have been a good version, but it suffers
             # from https://bugs.python.org/issue32185.
             # We'll use our bundled match_hostname for older Python
             # versions, which also supports IP address matching
             # with Python < 3.5.
             ctx.check_hostname = match_hostname
         else:
             ctx.check_hostname = False
     if hasattr(ctx, "options"):
         # Explicitly disable SSLv2, SSLv3 and TLS compression. Note that
         # up to date versions of MongoDB 2.4 and above already disable
         # SSLv2 and SSLv3, python disables SSLv2 by default in >= 2.7.7
         # and >= 3.3.4 and SSLv3 in >= 3.4.3. There is no way for us to do
         # any of this explicitly for python 2.7 before 2.7.9.
         ctx.options |= getattr(ssl, "OP_NO_SSLv2", 0)
         ctx.options |= getattr(ssl, "OP_NO_SSLv3", 0)
         # OpenSSL >= 1.0.0
         ctx.options |= getattr(ssl, "OP_NO_COMPRESSION", 0)
         # Python 3.7+ with OpenSSL >= 1.1.0h
         ctx.options |= getattr(ssl, "OP_NO_RENEGOTIATION", 0)
     if certfile is not None:
         try:
             if passphrase is not None:
                 vi = sys.version_info
                 # Since python just added a new parameter to an existing method
                 # this seems to be about the best we can do.
                 if (vi[0] == 2 and vi < (2, 7, 9) or
                         vi[0] == 3 and vi < (3, 3)):
                     raise ConfigurationError(
                         "Support for ssl_pem_passphrase requires "
                         "python 2.7.9+ (pypy 2.5.1+) or 3.3+")
                 ctx.load_cert_chain(certfile, keyfile, passphrase)
             else:
                 ctx.load_cert_chain(certfile, keyfile)
         except ssl.SSLError as exc:
             raise ConfigurationError(
                 "Private key doesn't match certificate: %s" % (exc,))
     if crlfile is not None:
         if not hasattr(ctx, "verify_flags"):
             raise ConfigurationError(
                 "Support for ssl_crlfile requires "
                 "python 2.7.9+ (pypy 2.5.1+) or  3.4+")
         # Match the server's behavior.
         ctx.verify_flags = ssl.VERIFY_CRL_CHECK_LEAF
         ctx.load_verify_locations(crlfile)
     if ca_certs is not None:
         ctx.load_verify_locations(ca_certs)
     elif cert_reqs != ssl.CERT_NONE:
         # CPython >= 2.7.9 or >= 3.4.0, pypy >= 2.5.1
         if hasattr(ctx, "load_default_certs"):
             ctx.load_default_certs()
         # Python >= 3.2.0, useless on Windows.
         elif (sys.platform != "win32" and
               hasattr(ctx, "set_default_verify_paths")):
             ctx.set_default_verify_paths()
         elif sys.platform == "win32" and HAVE_WINCERTSTORE:
             with _WINCERTSLOCK:
                 if _WINCERTS is None:
                     _load_wincerts()
             ctx.load_verify_locations(_WINCERTS.name)
         elif HAVE_CERTIFI:
             ctx.load_verify_locations(certifi.where())
         else:
             raise ConfigurationError(
                 "`ssl_cert_reqs` is not ssl.CERT_NONE and no system "
                 "CA certificates could be loaded. `ssl_ca_certs` is "
                 "required.")
     ctx.verify_mode = verify_mode
     return ctx
Example #53
0
def open_url(url, data=None, headers=None, method=None, use_proxy=True,
             force=False, last_mod_time=None, timeout=10, validate_certs=True,
             url_username=None, url_password=None, http_agent=None,
             force_basic_auth=False, follow_redirects='urllib2'):
    '''
    Sends a request via HTTP(S) or FTP using urllib2 (Python2) or urllib (Python3)

    Does not require the module environment
    '''
    handlers = []
    ssl_handler = maybe_add_ssl_handler(url, validate_certs)
    if ssl_handler:
        handlers.append(ssl_handler)

    # FIXME: change the following to use the generic_urlparse function
    #        to remove the indexed references for 'parsed'
    parsed = urlparse(url)
    if parsed[0] != 'ftp':
        username = url_username

        if headers is None:
            headers = {}

        if username:
            password = url_password
            netloc = parsed[1]
        elif '@' in parsed[1]:
            credentials, netloc = parsed[1].split('@', 1)
            if ':' in credentials:
                username, password = credentials.split(':', 1)
            else:
                username = credentials
                password = ''

            parsed = list(parsed)
            parsed[1] = netloc

            # reconstruct url without credentials
            url = urlunparse(parsed)

        if username and not force_basic_auth:
            passman = urllib_request.HTTPPasswordMgrWithDefaultRealm()

            # this creates a password manager
            passman.add_password(None, netloc, username, password)

            # because we have put None at the start it will always
            # use this username/password combination for  urls
            # for which `theurl` is a super-url
            authhandler = urllib_request.HTTPBasicAuthHandler(passman)

            # create the AuthHandler
            handlers.append(authhandler)

        elif username and force_basic_auth:
            headers["Authorization"] = basic_auth_header(username, password)

        else:
            try:
                rc = netrc.netrc(os.environ.get('NETRC'))
                login = rc.authenticators(parsed[1])
            except IOError:
                login = None

            if login:
                username, _, password = login
                if username and password:
                    headers["Authorization"] = basic_auth_header(username, password)

    if not use_proxy:
        proxyhandler = urllib_request.ProxyHandler({})
        handlers.append(proxyhandler)

    if HAS_SSLCONTEXT and not validate_certs:
        # In 2.7.9, the default context validates certificates
        context = SSLContext(ssl.PROTOCOL_SSLv23)
        context.options |= ssl.OP_NO_SSLv2
        context.options |= ssl.OP_NO_SSLv3
        context.verify_mode = ssl.CERT_NONE
        context.check_hostname = False
        handlers.append(urllib_request.HTTPSHandler(context=context))

    # pre-2.6 versions of python cannot use the custom https
    # handler, since the socket class is lacking create_connection.
    # Some python builds lack HTTPS support.
    if hasattr(socket, 'create_connection') and CustomHTTPSHandler:
        handlers.append(CustomHTTPSHandler)

    handlers.append(RedirectHandlerFactory(follow_redirects, validate_certs))

    opener = urllib_request.build_opener(*handlers)
    urllib_request.install_opener(opener)

    if method:
        if method.upper() not in ('OPTIONS','GET','HEAD','POST','PUT','DELETE','TRACE','CONNECT','PATCH'):
            raise ConnectionError('invalid HTTP request method; %s' % method.upper())
        request = RequestWithMethod(url, method.upper(), data)
    else:
        request = urllib_request.Request(url, data)

    # add the custom agent header, to help prevent issues
    # with sites that block the default urllib agent string
    request.add_header('User-agent', http_agent)

    # if we're ok with getting a 304, set the timestamp in the
    # header, otherwise make sure we don't get a cached copy
    if last_mod_time and not force:
        tstamp = last_mod_time.strftime('%a, %d %b %Y %H:%M:%S +0000')
        request.add_header('If-Modified-Since', tstamp)
    else:
        request.add_header('cache-control', 'no-cache')

    # user defined headers now, which may override things we've set above
    if headers:
        if not isinstance(headers, dict):
            raise ValueError("headers provided to fetch_url() must be a dict")
        for header in headers:
            request.add_header(header, headers[header])

    urlopen_args = [request, None]
    if sys.version_info >= (2,6,0):
        # urlopen in python prior to 2.6.0 did not
        # have a timeout parameter
        urlopen_args.append(timeout)

    r = urllib_request.urlopen(*urlopen_args)
    return r
Example #54
0
class SMTPServer(smtpd.SMTPServer):

    def __init__(self, localaddr, remoteaddr, ssl=False, certfile=None, keyfile=None, ssl_version=ssl.PROTOCOL_SSLv23, require_authentication=False, credential_validator=None, maximum_execution_time=30, process_count=5):
        smtpd.SMTPServer.__init__(self, localaddr, remoteaddr)
        self.logger = logging.getLogger( secure_smtpd.LOG_NAME )
        self.certfile = certfile
        self.keyfile = keyfile
        self.ssl_version = ssl_version
        self.subprocesses = []
        self.require_authentication = require_authentication
        self.credential_validator = credential_validator
        self.ssl = ssl
        self.maximum_execution_time = maximum_execution_time
        self.process_count = process_count
        self.process_pool = None
        self.context = SSLContext(ssl_version)
        self.context.load_cert_chain(certfile=certfile, keyfile=keyfile)

    def handle_accept(self):
        self.process_pool = ProcessPool(self._accept_subprocess, process_count=self.process_count)
        self.close()

    def _accept_subprocess(self, queue):
        while True:
            try:
                self.socket.setblocking(1)
                pair = self.accept()
                map = {}

                if pair is not None:

                    self.logger.info('_accept_subprocess(): smtp connection accepted within subprocess.')

                    newsocket, fromaddr = pair
                    newsocket.settimeout(self.maximum_execution_time)

                    if self.ssl:
                        newsocket = self.context.wrap_socket(
                            newsocket,
                            server_side=True,
                        )
                    channel = SMTPChannel(
                        self,
                        newsocket,
                        fromaddr,
                        require_authentication=self.require_authentication,
                        credential_validator=self.credential_validator,
                        map=map
                    )

                    self.logger.info('_accept_subprocess(): starting asyncore within subprocess.')

                    asyncore.loop(map=map)

                    self.logger.error('_accept_subprocess(): asyncore loop exited.')
            except (ExitNow, SSLError):
                self._shutdown_socket(newsocket)
                self.logger.info('_accept_subprocess(): smtp channel terminated asyncore.')
            except Exception as e:
                self._shutdown_socket(newsocket)
                self.logger.error('_accept_subprocess(): uncaught exception: %s' % str(e))

    def _shutdown_socket(self, s):
        try:
            s.shutdown(socket.SHUT_RDWR)
            s.close()
        except Exception as e:
            self.logger.error('_shutdown_socket(): failed to cleanly shutdown socket: %s' % str(e))


    def run(self):
        asyncore.loop()
        if hasattr(signal, 'SIGTERM'):
            def sig_handler(signal,frame):
                self.logger.info("Got signal %s, shutting down." % signal)
                sys.exit(0)
            signal.signal(signal.SIGTERM, sig_handler)
        while 1:
            time.sleep(1)
Example #55
0
import threading
import time
from threading import Thread


# Pypy compatability
try:
    from ssl import PROTOCOL_TLSv1_2 as PROTOCOL_TLSv1
except ImportError:
    from ssl import PROTOCOL_TLSv1 as PROTOCOL_TLSv1

run_http = config["insecure"]["enabled"]
run_https = config["secure"]["enabled"]

if run_https:
    context = SSLContext(PROTOCOL_TLSv1)
    context.load_cert_chain(
        config["secure"]["cert"],
        config["secure"]["key"]
    )

if run_http and run_https:
    if config["debug"]:
        raise Warning("Cannot run in debug mode with both https and http enabled due to flask limitations.")
    Thread(
        target=app.run,
        kwargs={
            "host": config["server"]["address"],
            "port": config["secure"]["port"],
            "debug": config["debug"],
            "ssl_context": context
Example #56
0
def open_url(url, data=None, headers=None, method=None, use_proxy=True,
        force=False, last_mod_time=None, timeout=10, validate_certs=True,
        url_username=None, url_password=None, http_agent=None, force_basic_auth=False):
    '''
    Fetches a file from an HTTP/FTP server using urllib2
    '''
    handlers = []
    # FIXME: change the following to use the generic_urlparse function
    #        to remove the indexed references for 'parsed'
    parsed = urlparse.urlparse(url)
    if parsed[0] == 'https' and validate_certs:
        if not HAS_SSL:
            raise NoSSLError('SSL validation is not available in your version of python. You can use validate_certs=False, however this is unsafe and not recommended')

        # do the cert validation
        netloc = parsed[1]
        if '@' in netloc:
            netloc = netloc.split('@', 1)[1]
        if ':' in netloc:
            hostname, port = netloc.split(':', 1)
            port = int(port)
        else:
            hostname = netloc
            port = 443
        # create the SSL validation handler and
        # add it to the list of handlers
        ssl_handler = SSLValidationHandler(hostname, port)
        handlers.append(ssl_handler)

    if parsed[0] != 'ftp':
        username = url_username

        if username:
            password = url_password
            netloc = parsed[1]
        elif '@' in parsed[1]:
            credentials, netloc = parsed[1].split('@', 1)
            if ':' in credentials:
                username, password = credentials.split(':', 1)
            else:
                username = credentials
                password = ''

            parsed = list(parsed)
            parsed[1] = netloc

            # reconstruct url without credentials
            url = urlparse.urlunparse(parsed)

        if username and not force_basic_auth:
            passman = urllib2.HTTPPasswordMgrWithDefaultRealm()

            # this creates a password manager
            passman.add_password(None, netloc, username, password)

            # because we have put None at the start it will always
            # use this username/password combination for  urls
            # for which `theurl` is a super-url
            authhandler = urllib2.HTTPBasicAuthHandler(passman)

            # create the AuthHandler
            handlers.append(authhandler)

        elif username and force_basic_auth:
            if headers is None:
                headers = {}

            headers["Authorization"] = "Basic %s" % base64.b64encode("%s:%s" % (username, password))

    if not use_proxy:
        proxyhandler = urllib2.ProxyHandler({})
        handlers.append(proxyhandler)

    # pre-2.6 versions of python cannot use the custom https
    # handler, since the socket class is lacking create_connection.
    # Some python builds lack HTTPS support.
    if hasattr(socket, 'create_connection') and CustomHTTPSHandler:
        handlers.append(CustomHTTPSHandler)

    opener = urllib2.build_opener(*handlers)
    urllib2.install_opener(opener)

    if method:
        if method.upper() not in ('OPTIONS','GET','HEAD','POST','PUT','DELETE','TRACE','CONNECT','PATCH'):
            raise ConnectionError('invalid HTTP request method; %s' % method.upper())
        request = RequestWithMethod(url, method.upper(), data)
    else:
        request = urllib2.Request(url, data)

    # add the custom agent header, to help prevent issues
    # with sites that block the default urllib agent string
    request.add_header('User-agent', http_agent)

    # if we're ok with getting a 304, set the timestamp in the
    # header, otherwise make sure we don't get a cached copy
    if last_mod_time and not force:
        tstamp = last_mod_time.strftime('%a, %d %b %Y %H:%M:%S +0000')
        request.add_header('If-Modified-Since', tstamp)
    else:
        request.add_header('cache-control', 'no-cache')

    # user defined headers now, which may override things we've set above
    if headers:
        if not isinstance(headers, dict):
            raise ValueError("headers provided to fetch_url() must be a dict")
        for header in headers:
            request.add_header(header, headers[header])

    urlopen_args = [request, None]
    if sys.version_info >= (2,6,0):
        # urlopen in python prior to 2.6.0 did not
        # have a timeout parameter
        urlopen_args.append(timeout)

    if HAS_SSLCONTEXT and not validate_certs:
        # In 2.7.9, the default context validates certificates
        context = SSLContext(ssl.PROTOCOL_SSLv23)
        context.options |= ssl.OP_NO_SSLv2
        context.options |= ssl.OP_NO_SSLv3
        context.verify_mode = ssl.CERT_NONE
        context.check_hostname = False
        urlopen_args += (None, None, None, context)

    r = urllib2.urlopen(*urlopen_args)
    return r
Example #57
0
 def get_ssl_context(*args):
     """Create and return an SSLContext object."""
     certfile, keyfile, passphrase, ca_certs, cert_reqs, crlfile = args
     # Note PROTOCOL_SSLv23 is about the most misleading name imaginable.
     # This configures the server and client to negotiate the
     # highest protocol version they both support. A very good thing.
     # PROTOCOL_TLS_CLIENT was added in CPython 3.6, deprecating
     # PROTOCOL_SSLv23.
     ctx = SSLContext(
         getattr(ssl, "PROTOCOL_TLS_CLIENT", ssl.PROTOCOL_SSLv23))
     # SSLContext.check_hostname was added in CPython 2.7.9 and 3.4.
     # PROTOCOL_TLS_CLIENT enables it by default. Using it
     # requires passing server_hostname to wrap_socket, which we already
     # do for SNI support. To support older versions of Python we have to
     # call match_hostname directly, so we disable check_hostname explicitly
     # to avoid calling match_hostname twice.
     if hasattr(ctx, "check_hostname"):
         ctx.check_hostname = False
     if hasattr(ctx, "options"):
         # Explicitly disable SSLv2, SSLv3 and TLS compression. Note that
         # up to date versions of MongoDB 2.4 and above already disable
         # SSLv2 and SSLv3, python disables SSLv2 by default in >= 2.7.7
         # and >= 3.3.4 and SSLv3 in >= 3.4.3. There is no way for us to do
         # any of this explicitly for python 2.6 or 2.7 before 2.7.9.
         ctx.options |= getattr(ssl, "OP_NO_SSLv2", 0)
         ctx.options |= getattr(ssl, "OP_NO_SSLv3", 0)
         # OpenSSL >= 1.0.0
         ctx.options |= getattr(ssl, "OP_NO_COMPRESSION", 0)
     if certfile is not None:
         try:
             if passphrase is not None:
                 vi = sys.version_info
                 # Since python just added a new parameter to an existing method
                 # this seems to be about the best we can do.
                 if (vi[0] == 2 and vi < (2, 7, 9) or
                         vi[0] == 3 and vi < (3, 3)):
                     raise ConfigurationError(
                         "Support for ssl_pem_passphrase requires "
                         "python 2.7.9+ (pypy 2.5.1+) or 3.3+")
                 ctx.load_cert_chain(certfile, keyfile, passphrase)
             else:
                 ctx.load_cert_chain(certfile, keyfile)
         except ssl.SSLError as exc:
             raise ConfigurationError(
                 "Private key doesn't match certificate: %s" % (exc,))
     if crlfile is not None:
         if not hasattr(ctx, "verify_flags"):
             raise ConfigurationError(
                 "Support for ssl_crlfile requires "
                 "python 2.7.9+ (pypy 2.5.1+) or  3.4+")
         # Match the server's behavior.
         ctx.verify_flags = ssl.VERIFY_CRL_CHECK_LEAF
         ctx.load_verify_locations(crlfile)
     if ca_certs is not None:
         ctx.load_verify_locations(ca_certs)
     elif cert_reqs != ssl.CERT_NONE:
         # CPython >= 2.7.9 or >= 3.4.0, pypy >= 2.5.1
         if hasattr(ctx, "load_default_certs"):
             ctx.load_default_certs()
         # Python >= 3.2.0, useless on Windows.
         elif (sys.platform != "win32" and
               hasattr(ctx, "set_default_verify_paths")):
             ctx.set_default_verify_paths()
         elif sys.platform == "win32" and HAVE_WINCERTSTORE:
             with _WINCERTSLOCK:
                 if _WINCERTS is None:
                     _load_wincerts()
             ctx.load_verify_locations(_WINCERTS.name)
         elif HAVE_CERTIFI:
             ctx.load_verify_locations(certifi.where())
         else:
             raise ConfigurationError(
                 "`ssl_cert_reqs` is not ssl.CERT_NONE and no system "
                 "CA certificates could be loaded. `ssl_ca_certs` is "
                 "required.")
     ctx.verify_mode = ssl.CERT_REQUIRED if cert_reqs is None else cert_reqs
     return ctx
Example #58
0
from __future__ import absolute_import, division, print_function

from ssl import CERT_NONE, PROTOCOL_SSLv23, SSLContext

from psphere.client import Client

if __name__ == '__main__':
    context = SSLContext(PROTOCOL_SSLv23)
    context.verify_mode = CERT_NONE
    test_client = Client('localhost:8989', 'user', 'pass', sslcontext=context)
    print(test_client.si.CurrentTime())
    test_client.logout()
Example #59
0
    """
    CASSH add
    """
    pubkey = request.files['file']
    username = request.form['username']
    payload = {}
    payload.update({'realname': current_user['name'], 'password': current_user['password']})
    payload.update({'username': username})
    payload.update({'pubkey': pubkey.read().decode('UTF-8')})
    try:
        req = put(APP.config['CASSH_URL'] + '/client', \
                data=payload, \
                headers=APP.config['HEADERS'], \
                verify=False)
    except ConnectionError:
        return Response('Connection error : %s' % APP.config['CASSH_URL'])
    if 'Error' in req.text:
        return Response(req.text)
    return redirect('/status')

@APP.errorhandler(404)
def page_not_found(_):
    """ Display error page """
    return render_template('404.html'), 404

if __name__ == '__main__':
    CONTEXT = SSLContext(PROTOCOL_TLSv1_2)
    CONTEXT.load_cert_chain(APP.config['SSL_PUB_KEY'], APP.config['SSL_PRIV_KEY'])
    PORT = int(getenv('PORT', APP.config['PORT']))
    APP.run(debug=APP.config['DEBUG'], host='0.0.0.0', port=PORT, ssl_context=CONTEXT)