def tryProtocolCombo(server_protocol, client_protocol, expectedToWork, certsreqs=None): if certsreqs is None: certsreqs = ssl.CERT_NONE if certsreqs == ssl.CERT_NONE: certtype = "CERT_NONE" elif certsreqs == ssl.CERT_OPTIONAL: certtype = "CERT_OPTIONAL" elif certsreqs == ssl.CERT_REQUIRED: certtype = "CERT_REQUIRED" if test_support.verbose: formatstr = (expectedToWork and " %s->%s %s\n") or " {%s->%s} %s\n" sys.stdout.write( formatstr % (ssl.get_protocol_name(client_protocol), ssl.get_protocol_name(server_protocol), certtype) ) try: serverParamsTest(CERTFILE, server_protocol, certsreqs, CERTFILE, CERTFILE, client_protocol, chatty=False) except test_support.TestFailed: if expectedToWork: raise else: if not expectedToWork: raise test_support.TestFailed( "Client protocol %s succeeded with server protocol %s!" % (ssl.get_protocol_name(client_protocol), ssl.get_protocol_name(server_protocol)) )
def try_protocol_combo(server_protocol, client_protocol, expect_success, certsreqs=None): if certsreqs is None: certsreqs = ssl.CERT_NONE certtype = {ssl.CERT_NONE: "CERT_NONE", ssl.CERT_OPTIONAL: "CERT_OPTIONAL", ssl.CERT_REQUIRED: "CERT_REQUIRED"}[ certsreqs ] if test_support.verbose: formatstr = (expect_success and " %s->%s %s\n") or " {%s->%s} %s\n" sys.stdout.write( formatstr % (ssl.get_protocol_name(client_protocol), ssl.get_protocol_name(server_protocol), certtype) ) try: server_params_test(CERTFILE, server_protocol, certsreqs, CERTFILE, CERTFILE, client_protocol, chatty=False) # Protocol mismatch can result in either an SSLError, or a # "Connection reset by peer" error. except ssl.SSLError: if expect_success: raise except socket.error as e: if expect_success or e.errno != errno.ECONNRESET: raise else: if not expect_success: raise AssertionError( "Client protocol %s succeeded with server protocol %s!" % (ssl.get_protocol_name(client_protocol), ssl.get_protocol_name(server_protocol)) )
def tryProtocolCombo (server_protocol, client_protocol, expectedToWork, certsreqs=None): if certsreqs is None: certsreqs = ssl.CERT_NONE if certsreqs == ssl.CERT_NONE: certtype = "CERT_NONE" elif certsreqs == ssl.CERT_OPTIONAL: certtype = "CERT_OPTIONAL" elif certsreqs == ssl.CERT_REQUIRED: certtype = "CERT_REQUIRED" if support.verbose: formatstr = (expectedToWork and " %s->%s %s\n") or " {%s->%s} %s\n" sys.stdout.write(formatstr % (ssl.get_protocol_name(client_protocol), ssl.get_protocol_name(server_protocol), certtype)) try: serverParamsTest(CERTFILE, server_protocol, certsreqs, CERTFILE, CERTFILE, client_protocol, chatty=False, connectionchatty=False) except support.TestFailed: if expectedToWork: raise else: if not expectedToWork: raise support.TestFailed( "Client protocol %s succeeded with server protocol %s!" % (ssl.get_protocol_name(client_protocol), ssl.get_protocol_name(server_protocol)))
def accept(self): ''' modified ssl.SSLSocket.accept() of ssl.py. ''' #import pdb; pdb.set_trace() newsock, addr = socket.accept(self) self.logger.debug("Connection from {}".format(addr)) self.logger.debug("begin SSL handshake") newsock = self.context.wrap_socket( newsock, do_handshake_on_connect=self.do_handshake_on_connect, suppress_ragged_eofs=self.suppress_ragged_eofs, server_side=True) self.logger.debug("end SSL handshake: ssl_ver={}({})".format( ssl.get_protocol_name(self.ssl_version), self.ssl_version)) ''' if not server_side: print(self.getpeercert()) print(self.context.get_ca_certs()) #print(self.context.check_hostname) #print(type(self.cipher())) #print(type(self.shared_ciphers())) #print(type(self.compression())) #print(self.context.session_stats()) ''' return newsock, addr
def handle_failed_ssl_handshake(self): # TLS/SSL handshake failure, probably client's fault which # used a SSL version different from server's. # We can't rely on the control connection anymore so we just # disconnect the client without sending any response. ssl_version = ssl.get_protocol_name(self.socket.ssl_version) self.log("%s handshake failed." % ssl_version) self.close()
def handle_failed_ssl_handshake(self): # TLS/SSL handshake failure, probably client's fault which # used a SSL version different from server's. # RFC-4217, chapter 10.2 expects us to return 522 over the # command channel. proto = ssl.get_protocol_name(self.socket.ssl_version) self.cmd_channel.respond("522 %s handshake failed." % proto) self.close()
def _conn_request(self, conn, request_uri, method, body, headers): try: if DEBUG: print("Connecting to https://%s:%s%s using protocol %s" % ( conn.host, conn.port, request_uri, ssl.get_protocol_name(self.ssl_version))) ##if False and DEBUG and self.ssl_version != ssl.PROTOCOL_TLSv1: ## raise ssl.SSLError return httplib2.Http._conn_request(self, conn, request_uri, method, body, headers) except Exception as e: # fallback to previous protocols if hasattr(ssl, "PROTOCOL_TLSv1_2") and self.ssl_version == ssl.PROTOCOL_TLSv1_2: new_ssl_version = ssl.PROTOCOL_TLSv1 ##elif self.ssl_version == ssl.PROTOCOL_TLSv1: ## new_ssl_version = ssl.PROTOCOL_SSLv3 ##elif self.ssl_version == ssl.PROTOCOL_SSLv3: ## new_ssl_version = ssl.PROTOCOL_SSLv23 else: raise if DEBUG: warnings.warn("Protocol %s failed: %s; downgrading to %s" % (ssl.get_protocol_name(self.ssl_version), e, ssl.get_protocol_name(new_ssl_version))) self.ssl_version = new_ssl_version return Httplib2Transport._conn_request(self, conn, request_uri, method, body, headers)
def get_ssl_version_name(ssl_version): if ssl_version is None: # create_default_context added after the OpenSSL bugfix in # Python 2.7.9 etc. It's the best way to get the default SSL # protocol from Python ... otherwise, we just assume it's the # old default of PROTOCOL_SSLv23. if hasattr(ssl, 'create_default_context'): context = ssl.create_default_context() ssl_version = context.protocol else: ssl_version = ssl.PROTOCOL_TLSv1 # get_protocol_name is an undocumented method if hasattr(ssl, 'get_protocol_name'): return ssl.get_protocol_name(ssl_version) else: # Not all versions of Python support all protocols, # so we have to only accept those that are present. for protocol in ['SSLv2', 'SSLv23', 'SSLv3', 'TLSv1', 'TLSv1_1', 'TLSv1_2']: value = getattr(ssl, 'PROTOCOL_' + protocol, None) if ssl_version == value: return protocol return '<unknown>'
def run_server(args): 'Load app in a standalone Gunicorn container' # XXX from flask.logging import default_handler app.logger.removeHandler(default_handler) # Flask has default stream logging configuration in debug mode, so set # log parameters here only for production mode app_formatter = app.config['LOG_FORMATTER'] if not app.debug: stream_handler = logging.StreamHandler() stream_handler.setLevel((args.loglevel or app.config.get('LOGLEVEL')).upper()) stream_handler.setFormatter(app_formatter) app.logger.addHandler(stream_handler) app.logger.setLevel((args.loglevel or app.config.get('LOGLEVEL')).upper()) # Logging to the application logfile occurs regardless of debug mode if app.config.get('LOGFILE'): file_handler = logging.FileHandler(app.config['LOGFILE']) file_handler.setLevel((args.loglevel or app.config.get('LOGLEVEL')).upper()) file_handler.setFormatter(app_formatter) app.logger.addHandler(file_handler) app.logger.setLevel((args.loglevel or app.config.get('LOGLEVEL')).upper()) # Gunicorn options # Logging options: these settings apply to Gunicorn and not the application. # The server's access logs are always written to the app instance's # access logs and not sent to stdout. Error/etc. logs are always sent # to stdout. # Workers option: allow the number of workers to scale based on available # CPU count, but no more than a conservative MAX_WORKERS options = { 'bind': '%s:%s' % (args.listen_address or app.config['LISTEN_ADDRESS'], args.listen_port or app.config['LISTEN_PORT']), 'workers': CPU_WORKERS if CPU_WORKERS < MAX_WORKERS else MAX_WORKERS, 'proc_name': 'ampt-manager', 'certfile': app.config['SERVER_CERTIFICATE'], 'keyfile': app.config['SERVER_PRIVATE_KEY'], 'ssl_version': ssl.PROTOCOL_TLSv1_2, 'accesslog': app.config.get('ACCESS_LOGFILE') or '-', 'errorlog': '-', 'loglevel': args.loglevel or app.config['LOGLEVEL'], } sa = StandaloneApplication(app, options) ver_dep_msg = ('running on Python %s using Flask %s') py_version = '.'.join([str(x) for x in sys.version_info[:3]]) crypto_msg = ('configuring server for TLS using %s and cipher set %s (%s)') ssl_version = ssl.get_protocol_name(sa.cfg.ssl_options.get('ssl_version')) ciphers = sa.cfg.ssl_options.get('ciphers') app.logger.info('starting %s', get_version()) app.logger.debug(ver_dep_msg, py_version, flask_version) app.logger.info(crypto_msg, ssl_version, ciphers, ssl.OPENSSL_VERSION) sa.run()
def update_event(self, inp=-1): self.set_output_val(0, ssl.get_protocol_name(self.input(0)))