def verify_cert(host, capath, timeout, cncheck=True):
server_ctx = Context(TLSv1_METHOD)
server_cert_chain = []
server_ctx.load_verify_locations(None, capath)
host = re.split("/*", host)[1]
if ':' in host:
host = host.split(':')
server = host[0]
port = int(host[1] if not '?' in host[1] else host[1].split('?')[0])
else:
server = host
port = 443
def verify_cb(conn, cert, errnum, depth, ok):
server_cert_chain.append(cert)
return ok
server_ctx.set_verify(VERIFY_PEER, verify_cb)
try:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.setblocking(1)
sock.settimeout(timeout)
sock.connect((server, port))
except (socket.error, socket.timeout) as e:
nagios_out(
'Critical', 'Connection error %s - %s' %
(server + ':' + str(port), errmsg_from_excp(e)), 2)
server_conn = Connection(server_ctx, sock)
server_conn.set_connect_state()
def iosock_try():
ok = True
try:
server_conn.do_handshake()
sleep(0.5)
except SSLWantReadError as e:
ok = False
pass
except Exception as e:
raise e
return ok
try:
while True:
if iosock_try():
break
if cncheck:
server_subject = server_cert_chain[-1].get_subject()
if server != server_subject.CN:
nagios_out(
'Critical', 'Server certificate CN %s does not match %s' %
(server_subject.CN, server), 2)
except SSLError as e:
if 'sslv3 alert handshake failure' in errmsg_from_excp(e):
pass
else:
nagios_out(
'Critical', 'Connection error %s - %s' %
(server + ':' + str(port), errmsg_from_excp(e, level=1)), 2)
finally:
server_conn.shutdown()
server_conn.close()
return True
This API offers somewhat more flexibility than
L{twisted.internet.interfaces.IReactorSSL}; for example, a
L{TLSMemoryBIOProtocol} instance can use another instance of
L{TLSMemoryBIOProtocol} as its transport, yielding TLS over TLS - useful to
implement onion routing. It can also be used to run TLS over unusual
transports, such as UNIX sockets and stdio.
"""
from __future__ import division, absolute_import
from OpenSSL.SSL import Error, ZeroReturnError, WantReadError
from OpenSSL.SSL import TLSv1_METHOD, Context, Connection
try:
Connection(Context(TLSv1_METHOD), None)
except TypeError as e:
if str(e) != "argument must be an int, or have a fileno() method.":
raise
raise ImportError(
"twisted.protocols.tls requires pyOpenSSL 0.10 or newer.")
from zope.interface import implementer, providedBy, directlyProvides
from twisted.python.compat import unicode
from twisted.python.failure import Failure
from twisted.python import log
from twisted.python.reflect import safe_str
from twisted.internet.interfaces import (
ISystemHandle,
INegotiated,
def getContext(self):
ctx = Context(TLSv1_METHOD)
ctx.use_certificate(self.flocker_credential.certificate.original)
ctx.use_privatekey(self.flocker_credential.keypair.keypair.original)
return ctx
msg[0]) + ' , Error message : ' + msg[1]
sys.exit()
print 'Socket Created'
host = 'www.google.com'
port = 80
try:
remote_ip = socket.gethostbyname(host)
except socket.gaierror:
#could not resolve
print 'Hostname could not be resolved. Exiting'
sys.exit()
client.connect((remote_ip, port))
print 'connected', client.getpeername()
client_ssl = Connection(Context(SSLv3_METHOD), client)
client_ssl.set_connect_state()
#client_ssl.set_tlsext_host_name(argv[1])
client_ssl.do_handshake()
print 'Server subject is', client_ssl.get_peer_certificate().get_subject()
client_ssl.close()
if __name__ == '__main__':
import client
raise SystemExit(client.main())
