def connect(self): # pylint: disable=too-many-branches """Connect to a host on a given (SSL) port.""" # Connect for M2Crypto ssl package if _HAVE_M2CRYPTO: # Calling httplib.HTTPSConnection.connect(self) does not work # because of its ssl.wrap_socket() call. So we copy the code of # that connect() method modulo the ssl.wrap_socket() call. # Another change is that we do not pass the timeout value # on to the socket call, because that does not work with # M2Crypto. if sys.version_info[0:2] >= (2, 7): # the source_address parameter was added in Python 2.7 self.sock = socket.create_connection( (self.host, self.port), None, self.source_address) else: self.sock = socket.create_connection( (self.host, self.port), None) # Removed code for tunneling support. # End of code from httplib.HTTPSConnection.connect(self). ctx = SSL.Context('sslv23') if self.cert_file: ctx.load_cert(self.cert_file, keyfile=self.key_file) if self.ca_certs: ctx.set_verify(SSL.verify_peer | SSL.verify_fail_if_no_peer_cert, depth=9, callback=verify_callback) if os.path.isdir(self.ca_certs): ctx.load_verify_locations(capath=self.ca_certs) else: ctx.load_verify_locations(cafile=self.ca_certs) try: self.sock = SSL.Connection(ctx, self.sock) # Below is a body of SSL.Connection.connect() method # except for the first line (socket connection). # Removed code for tunneling support. # Setting the timeout on the input socket does not work # with M2Crypto, with such a timeout set it calls a # different low level function (nbio instead of bio) # that does not work. The symptom is that reading the # response returns None. # Therefore, we set the timeout at the level of the outer # M2Crypto socket object. # pylint: disable=using-constant-test if self.timeout is not None: self.sock.set_socket_read_timeout( SSL.timeout(self.timeout)) self.sock.set_socket_write_timeout( SSL.timeout(self.timeout)) self.sock.addr = (self.host, self.port) self.sock.setup_ssl() self.sock.set_connect_state() ret = self.sock.connect_ssl() if self.ca_certs: check = getattr(self.sock, 'postConnectionCheck', self.sock.clientPostConnectionCheck) if check is not None: if not check(self.sock.get_peer_cert(), self.host): raise ConnectionError( 'SSL error: post connection check failed') return ret except (SSLError, SSL.SSLError, SSL.Checker.SSLVerificationError) as arg: raise ConnectionError("SSL error %s: %s" % (arg.__class__, arg)) # Connect using Python SSL module else: # Setup the socket context # Note: PROTOCOL_SSLv23 allows talking to servers with TLS but # not with SSL. For details, see the table in # https://docs.python.org/3/library/ssl.html#ssl.wrap_socket # Within the defined set of protocol versions, SSLv23 selects # the highest protocol version that both client and server # support. # TODO #893: Consider the use of default_context() ctx = SSL.SSLContext(SSL.PROTOCOL_SSLv23) if self.cert_file: ctx.load_cert(self.cert_file, keyfile=self.key_file) if self.ca_certs: # We need to use CERT_REQUIRED to require that the server # certificate is being validated by the client (against the # certificates in ca_certs). ctx.verify_mode = SSL.CERT_REQUIRED if os.path.isdir(self.ca_certs): ctx.load_verify_locations(capath=self.ca_certs) else: ctx.load_verify_locations(cafile=self.ca_certs) ctx.check_hostname = True else: ctx.check_hostname = False ctx.verify_mode = SSL.CERT_NONE # setup the socket sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.settimeout(self.timeout) try: self.sock = ctx.wrap_socket(sock, server_hostname=self.host) return self.sock.connect((self.host, self.port)) except SSLError as arg: raise ConnectionError("SSL error %s: %s" % (arg.__class__, arg)) except CertificateError as arg: raise ConnectionError("SSL certificate error %s: %s" % (arg.__class__, arg))
def connect(self): self.sock = SSL.Connection(self.ssl_ctx) self.sock.connect((self.host, self.port))
tlsa_rdata_set = get_tlsa(port, "tcp", hostname) for (iptype, ipaddr) in get_addresses(hostname): print "Connecting to %s at address %s ..." % (hostname, ipaddr) ctx = SSL.Context() if iptype == "IPv4": sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) elif iptype == "IPv6": sock = socket.socket(socket.AF_INET6, socket.SOCK_STREAM) else: raise ValueError, "Unknown address type: %s" % iptype sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) connection = SSL.Connection(ctx, sock=sock) # set TLS SNI extension if available in M2Crypto on this platform # Note: the official M2Crypto release does not yet (as of late 2014) # have support for SNI, sigh, but patches exist. try: connection.set_tlsext_host_name(hostname) except AttributeError: pass # Per https://tools.ietf.org/html/draft-ietf-dane-ops, for DANE-EE # usage, certificate identity checks are based solely on the TLSA # record, so we ignore name mismatch conditions in the certificate. try: connection.connect((ipaddr, port)) except SSL.Checker.WrongHost:
def test_set_ssl(self): # XXX leaks 64/1312 bytes ctx = SSL.Context() conn = SSL.Connection(ctx) self.sslbio.set_ssl(conn)
def connect(self, addr): self.sock = SSL.Connection(self.ctx) checker = PostConnectionChecker() self.sock.set_post_connection_check_callback(checker) self.sock.setblocking(1) self.sock.connect(addr)
def wrapSocket(self, sock): context = self.context return SSLSocket(SSL.Connection(context, sock=sock))
def _start_ssl(self): """ Make this connection's socket SSL-aware. """ self.sock = SSL.Connection(self.ssl_ctx, self.sock) self.sock.setup_ssl() self.sock.set_connect_state() self.sock.connect_ssl()
def test_no_connection(self): ctx = SSL.Context() s = SSL.Connection(ctx)
def _start_ssl(self): self.sock = SSL.Connection(self.ssl_ctx, self.sock) self.sock.settimeout(self.rhsm_timeout) self.sock.setup_ssl() self.sock.set_connect_state() self.sock.connect_ssl()