def connect_ssl(ip, port=443, timeout=5, check_cert=True): ip_port = (ip, port) if config.PROXY_ENABLE: sock = socks.socksocket(socket.AF_INET if ':' not in ip else socket.AF_INET6) else: sock = socket.socket(socket.AF_INET if ':' not in ip else socket.AF_INET6) sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) # set struct linger{l_onoff=1,l_linger=0} to avoid 10048 socket error sock.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack('ii', 1, 0)) # resize socket recv buffer 8K->32K to improve browser releated application performance sock.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, 32*1024) sock.setsockopt(socket.SOL_TCP, socket.TCP_NODELAY, True) sock.settimeout(timeout) ssl_sock = openssl_wrap.SSLConnection(openssl_context, sock, ip) ssl_sock.set_connect_state() time_begin = time.time() ssl_sock.connect(ip_port) time_connected = time.time() ssl_sock.do_handshake() try: h2 = ssl_sock.get_alpn_proto_negotiated() if h2 == "h2": ssl_sock.h2 = True else: ssl_sock.h2 = False xlog.debug("%s alpn h2:%s", ip, h2) except Exception as e: #xlog.exception("alpn:%r", e) if hasattr(ssl_sock._connection, "protos") and ssl_sock._connection.protos == "h2": ssl_sock.h2 = True # xlog.debug("ip:%s http/2", ip) else: ssl_sock.h2 = False # xlog.debug("ip:%s http/1.1", ip) time_handshaked = time.time() # report network ok check_local_network.network_stat = "OK" check_local_network.last_check_time = time_handshaked check_local_network.continue_fail_count = 0 cert = ssl_sock.get_peer_certificate() if not cert: raise socket.error(' certficate is none') if check_cert: issuer_commonname = next((v for k, v in cert.get_issuer().get_components() if k == 'CN'), '') if __name__ == "__main__": xlog.debug("issued by:%s", issuer_commonname) if not issuer_commonname.startswith('Google'): raise socket.error(' certficate is issued by %r, not Google' % ( issuer_commonname)) connct_time = int((time_connected - time_begin) * 1000) handshake_time = int((time_handshaked - time_connected) * 1000) #xlog.debug("conn: %d handshake:%d", connct_time, handshake_time) # sometimes, we want to use raw tcp socket directly(select/epoll), so setattr it to ssl socket. ssl_sock._sock = sock ssl_sock.connct_time = connct_time ssl_sock.handshake_time = handshake_time return ssl_sock
def connect_ssl(ip, port=443, timeout=5, check_cert=True, close_cb=None): if check_local_network.network_stat != "OK": with network_fail_lock: time.sleep(0.1) ip_port = (ip, port) sni = sni_generater.get() if config.PROXY_ENABLE: sock = socks.socksocket(socket.AF_INET if ':' not in ip else socket.AF_INET6) else: sock = socket.socket(socket.AF_INET if ':' not in ip else socket.AF_INET6) sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) # set struct linger{l_onoff=1,l_linger=0} to avoid 10048 socket error sock.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack('ii', 1, 0)) # resize socket recv buffer 8K->32K to improve browser releated application performance sock.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, 32*1024) sock.setsockopt(socket.SOL_TCP, socket.TCP_NODELAY, True) sock.settimeout(timeout) ssl_sock = openssl_wrap.SSLConnection(openssl_context, sock, ip, close_cb) ssl_sock.set_connect_state() ssl_sock.set_tlsext_host_name(sni) time_begin = time.time() ssl_sock.connect(ip_port) time_connected = time.time() ssl_sock.do_handshake() try: h2 = ssl_sock.get_alpn_proto_negotiated() if h2 == "h2": ssl_sock.h2 = True else: ssl_sock.h2 = False xlog.debug("%s alpn h2:%s", ip, h2) except Exception as e: #xlog.exception("alpn:%r", e) if hasattr(ssl_sock._connection, "protos") and ssl_sock._connection.protos == "h2": ssl_sock.h2 = True # xlog.debug("ip:%s http/2", ip) else: ssl_sock.h2 = False # xlog.debug("ip:%s http/1.1", ip) time_handshaked = time.time() # report network ok check_local_network.network_stat = "OK" check_local_network.last_check_time = time_handshaked check_local_network.continue_fail_count = 0 def verify_SSL_certificate_issuer(ssl_sock): # cert = ssl_sock.get_peer_certificate() # if not cert: # #google_ip.report_bad_ip(ssl_sock.ip) # #connect_control.fall_into_honeypot() # raise socket.error(' certficate is none') # issuer_commonname = next((v for k, v in cert.get_issuer().get_components() if k == 'CN'), '') # if not issuer_commonname.startswith('Google'): # google_ip.report_connect_fail(ip, force_remove=True) # raise socket.error(' certficate is issued by %r, not Google' % ( issuer_commonname)) certs = ssl_sock.get_peer_cert_chain() if not certs: # google_ip.report_bad_ip(ssl_sock.ip) # connect_control.fall_into_honeypot() raise socket.error(' certficate is none') if len(certs) < 3: # google_ip.report_connect_fail(ip, force_remove=True) raise Cert_Exception('No intermediate CA was found.') if hasattr(OpenSSL.crypto, "dump_publickey"): # old OpenSSL not support this function. if OpenSSL.crypto.dump_publickey(OpenSSL.crypto.FILETYPE_PEM, certs[1].get_pubkey()) not in GoogleG23PKP: # google_ip.report_connect_fail(ip, force_remove=True) raise Cert_Exception('The intermediate CA is mismatching.') issuer_commonname = next((v for k, v in certs[0].get_issuer().get_components() if k == 'CN'), '') if not issuer_commonname.startswith('Google'): # google_ip.report_connect_fail(ip, force_remove=True) raise Cert_Exception(' certficate is issued by %r, not Google' % (issuer_commonname)) if check_cert: verify_SSL_certificate_issuer(ssl_sock) connct_time = int((time_connected - time_begin) * 1000) handshake_time = int((time_handshaked - time_connected) * 1000) #xlog.debug("conn: %d handshake:%d", connct_time, handshake_time) # sometimes, we want to use raw tcp socket directly(select/epoll), so setattr it to ssl socket. ssl_sock._sock = sock ssl_sock.connct_time = connct_time ssl_sock.handshake_time = handshake_time ssl_sock.fd = sock.fileno() ssl_sock.create_time = time_begin ssl_sock.last_use_time = time_begin ssl_sock.received_size = 0 ssl_sock.load = 0 ssl_sock.sni = sni ssl_sock.host = "" return ssl_sock
def connect_ssl(ip, sni=None, port=443, timeout=5, top_domain=None): if sni is None: top_domain, subs = random.choice(ns) sni = random.choice(subs) xlog.debug("sni:%s", sni) if config.PROXY_ENABLE: sock = socks.socksocket(socket.AF_INET if ':' not in ip else socket.AF_INET6) else: sock = socket.socket(socket.AF_INET if ':' not in ip else socket.AF_INET6) sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) # set struct linger{l_onoff=1,l_linger=0} to avoid 10048 socket error sock.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack('ii', 1, 0)) # resize socket recv buffer 8K->32K to improve browser releated application performance sock.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, 32 * 1024) sock.setsockopt(socket.SOL_TCP, socket.TCP_NODELAY, True) sock.settimeout(timeout) ssl_sock = openssl_wrap.SSLConnection(openssl_context, sock, ip) ssl_sock.set_connect_state() ssl_sock.set_tlsext_host_name(sni) time_begin = time.time() ip_port = (ip, port) ssl_sock.connect(ip_port) time_connected = time.time() ssl_sock.do_handshake() try: h2 = ssl_sock.get_alpn_proto_negotiated() if h2 == "h2": ssl_sock.h2 = True else: ssl_sock.h2 = False except Exception as e: #xlog.exception("alpn:%r", e) if hasattr(ssl_sock._connection, "protos") and ssl_sock._connection.protos == "h2": ssl_sock.h2 = True else: ssl_sock.h2 = False time_handshaked = time.time() # report network ok check_local_network.network_stat = "OK" check_local_network.last_check_time = time_handshaked check_local_network.continue_fail_count = 0 cert = ssl_sock.get_peer_certificate() if not cert: raise socket.error(' certficate is none') issuer_commonname = next( (v for k, v in cert.get_issuer().get_components() if k == 'CN'), '') if not issuer_commonname.startswith('COMODO'): # and issuer_commonname not in ['DigiCert ECC Extended Validation Server CA'] raise socket.error(' certficate is issued by %r, not COMODO' % (issuer_commonname)) connect_time = int((time_connected - time_begin) * 1000) handshake_time = int((time_handshaked - time_connected) * 1000) if __name__ == "__main__": xlog.debug("h2:%s", ssl_sock.h2) xlog.debug("issued by:%s", issuer_commonname) xlog.debug("conn: %d handshake:%d", connect_time, handshake_time) alt_names = get_subj_alt_name(cert) xlog.debug("alt names:%s", alt_names) # sometimes, we want to use raw tcp socket directly(select/epoll), so setattr it to ssl socket. ssl_sock.ip = ip ssl_sock._sock = sock ssl_sock.fd = sock.fileno() ssl_sock.create_time = time_begin ssl_sock.connect_time = connect_time ssl_sock.handshake_time = handshake_time ssl_sock.sni = sni ssl_sock.top_domain = top_domain return ssl_sock
def connect_ssl(self, ip, port=443, sni="", close_cb=None): if sni: host = sni else: sni, host = self.host_manager.get_sni_host(ip) host = str(host) sni = str(sni) if int(self.config.PROXY_ENABLE): sock = socks.socksocket(socket.AF_INET if ':' not in ip else socket.AF_INET6) else: sock = socket.socket(socket.AF_INET if ':' not in ip else socket.AF_INET6) sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) # set struct linger{l_onoff=1,l_linger=0} to avoid 10048 socket error sock.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack('ii', 1, 0)) # resize socket recv buffer ->64 above to improve browser releated application performance sock.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, self.config.connect_receive_buffer) sock.setsockopt(socket.SOL_TCP, socket.TCP_NODELAY, True) sock.settimeout(self.timeout) ssl_sock = openssl_wrap.SSLConnection(self.openssl_context.context, sock, ip, on_close=close_cb) ssl_sock.set_connect_state() if sni: if self.debug: self.logger.debug("sni:%s", sni) try: ssl_sock.set_tlsext_host_name(sni) except: pass time_begin = time.time() ip_port = (ip, port) try: ssl_sock.connect(ip_port) time_connected = time.time() ssl_sock.do_handshake() except Exception as e: #raise socket.error('conn fail, sni:%s, top:%s e:%r' % (sni, host, e)) pass if self.connect_force_http1: ssl_sock.h2 = False elif self.connect_force_http2: ssl_sock.h2 = True else: try: h2 = ssl_sock.get_alpn_proto_negotiated() if h2 == "h2": ssl_sock.h2 = True else: ssl_sock.h2 = False except Exception as e: # xlog.exception("alpn:%r", e) if hasattr(ssl_sock._connection, "protos") and ssl_sock._connection.protos == "h2": ssl_sock.h2 = True else: ssl_sock.h2 = False time_handshaked = time.time() ssl_sock.sni = sni self.check_cert(ssl_sock) connect_time = int((time_connected - time_begin) * 1000) handshake_time = int((time_handshaked - time_begin) * 1000) # sometimes, we want to use raw tcp socket directly(select/epoll), so setattr it to ssl socket. ssl_sock.ip = ip ssl_sock._sock = sock ssl_sock.fd = sock.fileno() ssl_sock.create_time = time_begin ssl_sock.connect_time = connect_time ssl_sock.handshake_time = handshake_time ssl_sock.last_use_time = time_handshaked ssl_sock.host = host ssl_sock.received_size = 0 return ssl_sock
def connect_ssl(ip, port=443, timeout=5, check_cert=True, close_cb=None): if check_local_network.is_ok(ip): with network_fail_lock: time.sleep(0.1) ip_port = (ip, port) sni = sni_generater.get() if config.PROXY_ENABLE: sock = socks.socksocket(socket.AF_INET if ':' not in ip else socket.AF_INET6) else: sock = socket.socket(socket.AF_INET if ':' not in ip else socket.AF_INET6) sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) # set struct linger{l_onoff=1,l_linger=0} to avoid 10048 socket error sock.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack('ii', 1, 0)) # resize socket recv buffer 8K->32K to improve browser releated application performance sock.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, 32 * 1024) sock.setsockopt(socket.SOL_TCP, socket.TCP_NODELAY, True) sock.settimeout(timeout) ssl_sock = openssl_wrap.SSLConnection(openssl_context, sock, ip, close_cb) ssl_sock.set_connect_state() ssl_sock.set_tlsext_host_name(sni) time_begin = time.time() ssl_sock.connect(ip_port) time_connected = time.time() ssl_sock.do_handshake() try: h2 = ssl_sock.get_alpn_proto_negotiated() if h2 == "h2": ssl_sock.h2 = True else: ssl_sock.h2 = False except Exception as e: if hasattr(ssl_sock._connection, "protos") and ssl_sock._connection.protos == "h2": ssl_sock.h2 = True else: ssl_sock.h2 = False time_handshaked = time.time() # report network ok check_local_network.report_ok(ip) cert = ssl_sock.get_peer_certificate() if not cert: raise socket.error(' certficate is none') if check_cert: issuer_commonname = next( (v for k, v in cert.get_issuer().get_components() if k == 'CN'), '') if not issuer_commonname.startswith('Google'): raise socket.error(' certficate is issued by %r, not Google' % (issuer_commonname)) connct_time = int((time_connected - time_begin) * 1000) handshake_time = int((time_handshaked - time_connected) * 1000) # sometimes, we want to use raw tcp socket directly(select/epoll), so setattr it to ssl socket. ssl_sock._sock = sock ssl_sock.connct_time = connct_time ssl_sock.handshake_time = handshake_time ssl_sock.fd = sock.fileno() ssl_sock.create_time = time_begin ssl_sock.last_use_time = time_begin ssl_sock.received_size = 0 ssl_sock.load = 0 ssl_sock.sni = sni ssl_sock.host = "" return ssl_sock