Esempio n. 1
0
    def test05_open_with_subj_alt_names_verification(self):
        ctx = SSL.Context(SSL.TLSv1_2_METHOD)

        # Set wildcard hostname for subject alternative name matching -
        # setting a minimum of two name components for hostname
        split_hostname = Constants.HOSTNAME.split('.', 1)
        if len(split_hostname) > 1:
            _hostname = '*.' + split_hostname[-1]
        else:
            _hostname = Constants.HOSTNAME

        server_ssl_verify = ServerSSLCertVerification(hostname=_hostname)
        verify_callback_ = server_ssl_verify.get_verify_server_cert_func()
        ctx.set_verify(SSL.VERIFY_PEER, verify_callback_)

        # Set default verify paths if testing with peer that has corresponding
        # CA cert in bundle provided with the OS.  In this case, load verify
        # locations is not needed.
        #ctx.set_default_verify_paths()

        ctx.set_verify_depth(9)

        # Set correct location for CA certs to verify with
        ctx.load_verify_locations(None, Constants.CACERT_DIR)

        opener = build_opener(ssl_context=ctx)
        res = opener.open(Constants.TEST_URI)
        self.assertTrue(res)
        print("res = %s" % res.read())
Esempio n. 2
0
def set_peer_verification_for_url_hostname(ssl_context, url, 
                                           if_verify_enabled=False):
    '''Convenience routine to set peer verification callback based on
    ServerSSLCertVerification class'''
    if not if_verify_enabled or (ssl_context.get_verify_mode() & SSL.VERIFY_PEER):
        urlObj = urlparse.urlparse(url)
        hostname = urlObj.hostname
        server_ssl_cert_verif = ServerSSLCertVerification(hostname=hostname)
        verify_callback_ = server_ssl_cert_verif.get_verify_server_cert_func()
        ssl_context.set_verify(SSL.VERIFY_PEER, verify_callback_)
Esempio n. 3
0
def set_peer_verification_for_url_hostname(ssl_context, url, 
                                           if_verify_enabled=False):
    '''Convenience routine to set peer verification callback based on
    ServerSSLCertVerification class'''
    if not if_verify_enabled or (ssl_context.get_verify_mode() & SSL.VERIFY_PEER):
        urlObj = urlparse_.urlparse(url)
        hostname = urlObj.hostname
        server_ssl_cert_verif = ServerSSLCertVerification(hostname=hostname)
        verify_callback_ = server_ssl_cert_verif.get_verify_server_cert_func()
        ssl_context.set_verify(SSL.VERIFY_PEER, verify_callback_)
Esempio n. 4
0
 def test04_ssl_verification_with_subj_alt_name(self):
     ctx = SSL.Context(SSL.TLSv1_METHOD)
     
     verification = ServerSSLCertVerification(hostname='localhost')
     verify_callback = verification.get_verify_server_cert_func()
     
     ctx.set_verify(SSL.VERIFY_PEER, verify_callback)
     ctx.set_verify_depth(9)
     
     # Set correct location for CA certs to verify with
     ctx.load_verify_locations(None, Constants.CACERT_DIR)
     
     conn = HTTPSConnection(Constants.HOSTNAME, port=Constants.PORT,
                            ssl_context=ctx)
     conn.connect()
     conn.request('GET', '/')
     resp = conn.getresponse()
     print('Response = %s' % resp.read())
Esempio n. 5
0
    def test04_ssl_verification_with_subj_alt_name(self):
        ctx = SSL.Context(SSL.TLSv1_METHOD)

        verification = ServerSSLCertVerification(hostname='localhost')
        verify_callback = verification.get_verify_server_cert_func()

        ctx.set_verify(SSL.VERIFY_PEER, verify_callback)
        ctx.set_verify_depth(9)

        # Set correct location for CA certs to verify with
        ctx.load_verify_locations(None, Constants.CACERT_DIR)

        conn = HTTPSConnection(Constants.HOSTNAME,
                               port=Constants.PORT,
                               ssl_context=ctx)
        conn.connect()
        conn.request('GET', '/')
        resp = conn.getresponse()
        print('Response = %s' % resp.read())
Esempio n. 6
0
    def test04_ssl_verification_with_subj_common_name(self):
        ctx = SSL.Context(SSL.SSLv3_METHOD)

        # Explicitly set verification of peer hostname using peer certificate
        # subject common name
        verify_callback = ServerSSLCertVerification(hostname='localhost',
                                                    subj_alt_name_match=False)

        ctx.set_verify(SSL.VERIFY_PEER, verify_callback)
        ctx.set_verify_depth(9)

        # Set correct location for CA certs to verify with
        ctx.load_verify_locations(None, Constants.CACERT_DIR)

        conn = HTTPSConnection(Constants.HOSTNAME,
                               port=Constants.PORT,
                               ssl_context=ctx)
        conn.connect()
        conn.request('GET', '/')
        resp = conn.getresponse()
        print('Response = %s' % resp.read())
Esempio n. 7
0
    def __call__(self):
        """Create an M2Crypto SSL Context from this objects properties
        :type depth: int
        :param depth: max. depth of certificate to verify against
        :type kw: dict
        :param kw: OpenSSL.SSL.Context keyword arguments
        :rtype: OpenSSL.SSL.Context
        :return: M2Crypto SSL context object
        """
        ctx = SSL.Context(self.__class__.SSL_PROTOCOL_METHOD)
        
        # Configure context according to this proxy's attributes
        if self.sslCertFilePath and self.sslPriKeyFilePath:
            # Pass client certificate (optionally with chain)
            ctx.use_certificate_chain_file(self.sslCertFilePath)
            
            with open(self.sslPriKeyFilePath, 'r') as prikey_file:
                prikey_content = prikey_file.read()
            prikey_file.close()
            
            prikey = crypto.load_privatekey(crypto.FILETYPE_PEM, 
                                            prikey_content, 
                                            self.sslPriKeyPwd)
            
            ctx.use_privatekey(prikey) 

            log.debug("Set client certificate and key in SSL Context")
        else:
            log.debug("No client certificate or key set in SSL Context")
            
        if self.sslCACertFilePath or self.sslCACertDir:
            # Set CA certificates in order to verify peer
            ctx.load_verify_locations(self.sslCACertFilePath, 
                                      self.sslCACertDir)
            mode = SSL.VERIFY_PEER
            ctx.set_verify_depth(self.__class__.SSL_VERIFY_DEPTH)
            
            verify_cb = lambda connection, peerCert, errorStatus, errorDepth, \
                 preverifyOK: preverifyOK
        else:
            mode = SSL.VERIFY_NONE
            log.warning('No CA certificate files set: mode set to '
                        '"verify_none"!  No verification of the server '
                        'certificate will be enforced')
            
        n_ssl_valid_x509_subj_names = len(self.ssl_valid_x509_subj_names)
        if n_ssl_valid_x509_subj_names > 0 or self.ssl_valid_hostname:
            # Set custom callback in order to verify peer certificate DN 
            # against whitelist
            mode = SSL.VERIFY_PEER
            
            if n_ssl_valid_x509_subj_names == 0:
                cert_dn = None
            else:
                cert_dn = self.ssl_valid_x509_subj_names[0]
                
            # Nb. limit - this verification callback can only validate against
            # a single DN not multiples as allowed by the interface class
            ssl_cert_verification = ServerSSLCertVerification(
                                    hostname=self.ssl_valid_hostname,
                                    certDN=cert_dn)
            
            verify_cb = ssl_cert_verification.get_verify_server_cert_func()
            
            log.debug('Set peer certificate Distinguished Name check set in '
                      'SSL Context')
        else:
            log.warning('No peer certificate Distinguished Name check set in '
                        'SSL Context')
            
        ctx.set_verify(mode, verify_cb)
                   
        return ctx