def ssl_wrap_socket( sock, keyfile=None, certfile=None, cert_reqs=None, ca_certs=None, server_hostname=None, ssl_version=None ): """ All arguments except `server_hostname` have the same meaning as for :func:`ssl.wrap_socket` :param server_hostname: Hostname of the expected certificate """ context = SSLContext(ssl_version) context.verify_mode = cert_reqs if ca_certs: try: context.load_verify_locations(ca_certs) # Py32 raises IOError # Py33 raises FileNotFoundError except Exception: # Reraise as SSLError e = sys.exc_info()[1] raise SSLError(e) if certfile: # FIXME: This block needs a test. context.load_cert_chain(certfile, keyfile) if HAS_SNI: # Platform-specific: OpenSSL with enabled SNI return context.wrap_socket(sock, server_hostname=server_hostname) return context.wrap_socket(sock)
def ssl_wrap_socket(sock, keyfile=None, certfile=None, cert_reqs=None, ca_certs=None, server_hostname=None, ssl_version=None): """ All arguments except `server_hostname` have the same meaning as for :func:`ssl.wrap_socket` :param server_hostname: Hostname of the expected certificate """ context = SSLContext(ssl_version) context.verify_mode = cert_reqs # Disable TLS compression to migitate CRIME attack (issue #309) OP_NO_COMPRESSION = 0x20000 context.options |= OP_NO_COMPRESSION if ca_certs: try: context.load_verify_locations(ca_certs) # Py32 raises IOError # Py33 raises FileNotFoundError except Exception as e: # Reraise as SSLError raise SSLError(e) if certfile: # FIXME: This block needs a test. context.load_cert_chain(certfile, keyfile) if HAS_SNI: # Platform-specific: OpenSSL with enabled SNI return context.wrap_socket(sock, server_hostname=server_hostname) return context.wrap_socket(sock)
def get_ssl_context(*args): """Create and return an SSLContext object.""" certfile, keyfile, passphrase, ca_certs, cert_reqs, crlfile = args # Note PROTOCOL_SSLv23 is about the most misleading name imaginable. # This configures the server and client to negotiate the # highest protocol version they both support. A very good thing. ctx = SSLContext(ssl.PROTOCOL_SSLv23) if hasattr(ctx, "options"): # Explicitly disable SSLv2 and SSLv3. Note that up to # date versions of MongoDB 2.4 and above already do this, # python disables SSLv2 by default in >= 2.7.7 and >= 3.3.4 # and SSLv3 in >= 3.4.3. There is no way for us to do this # explicitly for python 2.6 or 2.7 before 2.7.9. ctx.options |= getattr(ssl, "OP_NO_SSLv2", 0) ctx.options |= getattr(ssl, "OP_NO_SSLv3", 0) if certfile is not None: if passphrase is not None: vi = sys.version_info # Since python just added a new parameter to an existing method # this seems to be about the best we can do. if (vi[0] == 2 and vi < (2, 7, 9) or vi[0] == 3 and vi < (3, 3)): raise ConfigurationError( "Support for ssl_pem_passphrase requires " "python 2.7.9+ (pypy 2.5.1+) or 3.3+") ctx.load_cert_chain(certfile, keyfile, passphrase) else: ctx.load_cert_chain(certfile, keyfile) if crlfile is not None: if not hasattr(ctx, "verify_flags"): raise ConfigurationError( "Support for ssl_crlfile requires " "python 2.7.9+ (pypy 2.5.1+) or 3.4+") # Match the server's behavior. ctx.verify_flags = ssl.VERIFY_CRL_CHECK_LEAF ctx.load_verify_locations(crlfile) if ca_certs is not None: ctx.load_verify_locations(ca_certs) elif cert_reqs != ssl.CERT_NONE: # CPython >= 2.7.9 or >= 3.4.0, pypy >= 2.5.1 if hasattr(ctx, "load_default_certs"): ctx.load_default_certs() # Python >= 3.2.0, useless on Windows. elif (sys.platform != "win32" and hasattr(ctx, "set_default_verify_paths")): ctx.set_default_verify_paths() elif sys.platform == "win32" and HAVE_WINCERTSTORE: with _WINCERTSLOCK: if _WINCERTS is None: _load_wincerts() ctx.load_verify_locations(_WINCERTS.name) elif HAVE_CERTIFI: ctx.load_verify_locations(certifi.where()) else: raise ConfigurationError( "`ssl_cert_reqs` is not ssl.CERT_NONE and no system " "CA certificates could be loaded. `ssl_ca_certs` is " "required.") ctx.verify_mode = ssl.CERT_REQUIRED if cert_reqs is None else cert_reqs return ctx
def connect_cassandra(is_client_encryption_enable): connected = False attempt = 0 session = None _ssl_context = None if is_client_encryption_enable: ssl_context = SSLContext(PROTOCOL_TLSv1) ssl_context.load_verify_locations(certfile) ssl_context.verify_mode = CERT_REQUIRED ssl_context.load_cert_chain(certfile=usercert, keyfile=userkey) _ssl_context = ssl_context while not connected and attempt < 10: try: cluster = Cluster(contact_points=["127.0.0.1"], ssl_context=_ssl_context) session = cluster.connect() connected = True except cassandra.cluster.NoHostAvailable: attempt += 1 time.sleep(10) return session
def create_urllib3_context(ssl_version=None, cert_reqs=None, options=None, ciphers=None): """All arguments have the same meaning as ``ssl_wrap_socket``. By default, this function does a lot of the same work that ``ssl.create_default_context`` does on Python 3.4+. It: - Disables SSLv2, SSLv3, and compression - Sets a restricted set of server ciphers If you wish to enable SSLv3, you can do:: from urllib3.util import ssl_ context = ssl_.create_urllib3_context() context.options &= ~ssl_.OP_NO_SSLv3 You can do the same to enable compression (substituting ``COMPRESSION`` for ``SSLv3`` in the last line above). :param ssl_version: The desired protocol version to use. This will default to PROTOCOL_SSLv23 which will negotiate the highest protocol that both the server and your installation of OpenSSL support. :param cert_reqs: Whether to require the certificate verification. This defaults to ``ssl.CERT_REQUIRED``. :param options: Specific OpenSSL options. These default to ``ssl.OP_NO_SSLv2``, ``ssl.OP_NO_SSLv3``, ``ssl.OP_NO_COMPRESSION``. :param ciphers: Which cipher suites to allow the server to select. :returns: Constructed SSLContext object with specified options :rtype: SSLContext """ context = SSLContext(ssl_version or ssl.PROTOCOL_SSLv23) context.set_ciphers(ciphers or DEFAULT_CIPHERS) # Setting the default here, as we may have no ssl module on import cert_reqs = ssl.CERT_REQUIRED if cert_reqs is None else cert_reqs if options is None: options = 0 # SSLv2 is easily broken and is considered harmful and dangerous options |= OP_NO_SSLv2 # SSLv3 has several problems and is now dangerous options |= OP_NO_SSLv3 # Disable compression to prevent CRIME attacks for OpenSSL 1.0+ # (issue #309) options |= OP_NO_COMPRESSION context.options |= options context.verify_mode = cert_reqs if getattr(context, 'check_hostname', None) is not None: # Platform-specific: Python 3.2 # We do our own verification, including fingerprints and alternative # hostnames. So disable it here context.check_hostname = False return context
def adminLogin(): if flask.request.method == 'GET': # Just render the initial form, to get input return (flask.render_template('adminLogin.html')) if flask.request.method == 'POST': u_id = flask.request.form['uid'] pwd = flask.request.form['pwd'] ssl_context = SSLContext(PROTOCOL_TLSv1_2) ssl_context.verify_mode = CERT_NONE auth_provider = PlainTextAuthProvider(username=cfg.config['username'], password=cfg.config['password']) cluster = Cluster([cfg.config['contactPoint']], port=cfg.config['port'], auth_provider=auth_provider, ssl_context=ssl_context) session = cluster.connect() #</authenticateAndConnect> rows = session.execute( "SELECT * FROM miniproj.admins WHERE admin_id=" + u_id + " AND password='******' ALLOW FILTERING") cluster.shutdown() if len(rows.current_rows) == 0: result = 'Wrong Username or Password' else: result = 'Login Successful' return flask.render_template('adminLogin.html', result=result)
def resetAdminPassword(): if flask.request.method == 'GET': # Just render the initial form, to get input return (flask.render_template('resetAdminPassword.html')) if flask.request.method == 'POST': subid = flask.request.form['subid'] pwd = flask.request.form['pwd'] ssl_context = SSLContext(PROTOCOL_TLSv1_2) ssl_context.verify_mode = CERT_NONE auth_provider = PlainTextAuthProvider(username=cfg.config['username'], password=cfg.config['password']) cluster = Cluster([cfg.config['contactPoint']], port=cfg.config['port'], auth_provider=auth_provider, ssl_context=ssl_context) session = cluster.connect() rows = session.execute( "SELECT * FROM miniproj.admins WHERE admin_id=" + subid) if len(rows.current_rows) == 0: cluster.shutdown() return flask.render_template('resetAdminPassword.html', result='Invalid Admin ID') #</authenticateAndConnect> try: rows = session.execute("UPDATE miniproj.admins SET password='******' WHERE admin_id = " + subid) result = 'Updated Successfully' except Exception as e: result = 'Error updating record' cluster.shutdown() return flask.render_template('resetAdminPassword.html', result=result)
def insertAdmin(): if flask.request.method == 'GET': # Just render the initial form, to get input return (flask.render_template('insertAdmin.html')) if flask.request.method == 'POST': name = flask.request.form['name'] pwd = flask.request.form['pwd'] ssl_context = SSLContext(PROTOCOL_TLSv1_2) ssl_context.verify_mode = CERT_NONE auth_provider = PlainTextAuthProvider(username=cfg.config['username'], password=cfg.config['password']) cluster = Cluster([cfg.config['contactPoint']], port=cfg.config['port'], auth_provider=auth_provider, ssl_context=ssl_context) session = cluster.connect() rows = session.execute("SELECT * FROM miniproj.admins") next_id = 0 for t in rows: if next_id < t.admin_id: next_id = t.admin_id next_id = int(next_id) + 1 #</authenticateAndConnect> try: rows = session.execute( "INSERT INTO miniproj.admins (admin_id, admin_name , password) VALUES (%s,%s,%s)", [next_id, name, pwd]) result = 'Inserted successfully. User ID of new record is ' + str( next_id) except: result = 'Failed to insert' cluster.shutdown() return flask.render_template('insertAdmin.html', result=result)
def get_connection(self): """ Returns Cassandra session """ auth_provider = None if self.ssl: ssl_context = SSLContext(PROTOCOL_TLSv1) ssl_context.load_verify_locations(path_cert) ssl_context.verify_mode = CERT_REQUIRED #ssl_options = { # 'ca_certs' : self.ssl, # 'ssl_version' : PROTOCOL_TLSv1_2 #} else: ssl_context = None if (self.username and self.password): auth_provider = PlainTextAuthProvider(self.username, self.password) node1_profile = ExecutionProfile( load_balancing_policy=WhiteListRoundRobinPolicy( [self.endpoint_name])) profiles = {'node1': node1_profile} cluster = Cluster([self.endpoint_name], port=self.port, auth_provider=auth_provider, ssl_context=ssl_context, control_connection_timeout=360, execution_profiles=profiles) session = cluster.connect() return session
def create_context(keyfile=None, certfile=None, cert_reqs=None, ca_certs=None, server_hostname=None, ssl_version=None): """ All arguments except `server_hostname` have the same meaning as for :func:`ssl.wrap_socket` :param server_hostname: Hostname of the expected certificate """ context = SSLContext(ssl_version) context.verify_mode = cert_reqs # Disable TLS compression to migitate CRIME attack (issue #309) OP_NO_COMPRESSION = 0x20000 context.options |= OP_NO_COMPRESSION if ca_certs: try: context.load_verify_locations(ca_certs) # Py32 raises IOError # Py33 raises FileNotFoundError except Exception as e: # Reraise as SSLError raise SSLError(e) if certfile: # FIXME: This block needs a test. context.load_cert_chain(certfile, keyfile) return context
def wrap(client, _socket): """ Wrap socket in SSL wrapper. """ if client.init_kwargs.get('use_ssl', None): keyfile = client.init_kwargs.get('ssl_keyfile', None) certfile = client.init_kwargs.get('ssl_certfile', None) if keyfile and not certfile: raise ValueError("certfile must be specified") password = client.init_kwargs.get('ssl_keyfile_password', None) ssl_version = client.init_kwargs.get('ssl_version', SSL_DEFAULT_VERSION) ciphers = client.init_kwargs.get('ssl_ciphers', SSL_DEFAULT_CIPHERS) cert_reqs = client.init_kwargs.get('ssl_cert_reqs', ssl.CERT_NONE) ca_certs = client.init_kwargs.get('ssl_ca_certfile', None) context = SSLContext(ssl_version) context.verify_mode = cert_reqs if ca_certs: context.load_verify_locations(ca_certs) if certfile: context.load_cert_chain(certfile, keyfile, password) if ciphers: context.set_ciphers(ciphers) _socket = context.wrap_socket(sock=_socket) return _socket
def __init__(self, ip_addresses, cassandra_config): self._ip_addresses = ip_addresses self._auth_provider = None self._ssl_context = None self._cassandra_config = cassandra_config if cassandra_config.cql_username is not None and cassandra_config.cql_password is not None: auth_provider = PlainTextAuthProvider( username=cassandra_config.cql_username, password=cassandra_config.cql_password) self._auth_provider = auth_provider if cassandra_config.certfile is not None and cassandra_config.usercert is not None and \ cassandra_config.userkey is not None: ssl_context = SSLContext(PROTOCOL_TLSv1) ssl_context.load_verify_locations(cassandra_config.certfile) ssl_context.verify_mode = CERT_REQUIRED ssl_context.load_cert_chain(certfile=cassandra_config.usercert, keyfile=cassandra_config.userkey) self._ssl_context = ssl_context load_balancing_policy = WhiteListRoundRobinPolicy(ip_addresses) self._execution_profiles = { 'local': ExecutionProfile(load_balancing_policy=load_balancing_policy) }
def create_ssl_context(ssl_params): if not ssl_params.get('use_ssl'): return None keyfile = ssl_params.get('ssl_keyfile', None) certfile = ssl_params.get('ssl_certfile', None) if keyfile and not certfile: raise ValueError("certfile must be specified") password = ssl_params.get('ssl_keyfile_password', None) ssl_version = ssl_params.get('ssl_version', SSL_DEFAULT_VERSION) ciphers = ssl_params.get('ssl_ciphers', SSL_DEFAULT_CIPHERS) cert_reqs = ssl_params.get('ssl_cert_reqs', ssl.CERT_NONE) ca_certs = ssl_params.get('ssl_ca_certfile', None) context = SSLContext(ssl_version) context.verify_mode = cert_reqs if ca_certs: context.load_verify_locations(ca_certs) if certfile: context.load_cert_chain(certfile, keyfile, password) if ciphers: context.set_ciphers(ciphers) return context
def _ssl_context_from_cert(ca_cert_location, cert_location, key_location): ssl_context = SSLContext(PROTOCOL_TLS) ssl_context.load_verify_locations(ca_cert_location) ssl_context.verify_mode = CERT_REQUIRED ssl_context.load_cert_chain(certfile=cert_location, keyfile=key_location) return ssl_context
def ssl_wrap_socket(sock, keyfile=None, certfile=None, cert_reqs=None, ca_certs=None, server_hostname=None, ssl_version=None): """ All arguments except `server_hostname` have the same meaning as for :func:`ssl.wrap_socket` :param server_hostname: Hostname of the expected certificate """ context = SSLContext(ssl_version) context.verify_mode = cert_reqs if ca_certs: try: context.load_verify_locations(ca_certs) # Py32 raises IOError # Py33 raises FileNotFoundError except Exception as e: # Reraise as SSLError raise SSLError(e) if certfile: # FIXME: This block needs a test. context.load_cert_chain(certfile, keyfile) if HAS_SNI: # Platform-specific: OpenSSL with enabled SNI return context.wrap_socket(sock, server_hostname=server_hostname) return context.wrap_socket(sock)
def create_urllib3_context(ssl_version=None, cert_reqs=ssl.CERT_REQUIRED, options=None, ciphers=None): """All arguments have the same meaning as ``ssl_wrap_socket``. By default, this function does a lot of the same work that ``ssl.create_default_context`` does on Python 3.4+. It: - Disables SSLv2, SSLv3, and compression - Sets a restricted set of server ciphers If you wish to enable SSLv3, you can do:: from urllib3.util import ssl_ context = ssl_.create_urllib3_context() context.options &= ~ssl_.OP_NO_SSLv3 You can do the same to enable compression (substituting ``COMPRESSION`` for ``SSLv3`` in the last line above). :param ssl_version: The desired protocol version to use. This will default to PROTOCOL_SSLv23 which will negotiate the highest protocol that both the server and your installation of OpenSSL support. :param cert_reqs: Whether to require the certificate verification. This defaults to ``ssl.CERT_REQUIRED``. :param options: Specific OpenSSL options. These default to ``ssl.OP_NO_SSLv2``, ``ssl.OP_NO_SSLv3``, ``ssl.OP_NO_COMPRESSION``. :param ciphers: Which cipher suites to allow the server to select. :returns: Constructed SSLContext jeeObject with specified options :rtype: SSLContext """ context = SSLContext(ssl_version or ssl.PROTOCOL_SSLv23) if options is None: options = 0 # SSLv2 is easily broken and is considered harmful and dangerous options |= OP_NO_SSLv2 # SSLv3 has several problems and is now dangerous options |= OP_NO_SSLv3 # Disable compression to prevent CRIME attacks for OpenSSL 1.0+ # (issue #309) options |= OP_NO_COMPRESSION context.options |= options if getattr(context, 'supports_set_ciphers', True): # Platform-specific: Python 2.6 context.set_ciphers(ciphers or _DEFAULT_CIPHERS) context.verify_mode = cert_reqs if getattr(context, 'check_hostname', None) is not None: # Platform-specific: Python 3.2 context.check_hostname = (context.verify_mode == ssl.CERT_REQUIRED) return context
def sslContext(trustStore: str, keyStore: str) -> SSLContext: sslContext = SSLContext(PROTOCOL_TLSv1_2) sslContext.verify_mode = CERT_REQUIRED storePath = "../../certificates/" sslContext.load_verify_locations(storePath + trustStore) sslContext.load_cert_chain(storePath + keyStore, password="******") sslContext.set_ciphers("AES128-SHA") return sslContext
def __init__(self, ssl_context: ssl.SSLContext, port: int): ssl_context.verify_mode = ssl.CERT_REQUIRED self.ssl_context = ssl_context self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0) self.port = port self.sock.bind(("", port)) self.sock.listen(10) self.worker_thread = threading.Thread(target=self.worker_func)
def secure(self, verify=True, hostname=None): """ Apply a layer of security onto this connection. """ from ssl import SSLContext, PROTOCOL_TLS, CERT_NONE, CERT_REQUIRED context = SSLContext(PROTOCOL_TLS) if verify: context.verify_mode = CERT_REQUIRED context.check_hostname = bool(hostname) else: context.verify_mode = CERT_NONE context.load_default_certs() try: self.__socket = context.wrap_socket(self.__socket, server_hostname=hostname) except (IOError, OSError): # TODO: add connection failure/diagnostic callback raise WireError( "Unable to establish secure connection with remote peer")
def getSSLContext(capath, crtpath, keypath, keypass=None): ctx = SSLContext(PROTOCOL_TLSv1_2) ctx.set_ciphers('HIGH:!SSLv3:!TLSv1:!aNULL:@STRENGTH') # client certificate is required ctx.verify_mode = CERT_REQUIRED ctx.options |= OP_NO_COMPRESSION ctx.load_verify_locations(capath) ctx.load_cert_chain(crtpath, keypath, password=keypass) return ctx
def __init__(self, host: str, port: int, nicks: list, pwd: str, chans: list, op_pass: str, use_ssl: bool=False, ssl_options: ssl.SSLContext=None, encoding: str='utf-8'): """ Asynchronous IRC client :param host: Server address :param port: IRC Port :param nicks: List of nicknames to try :param pwd: NickServ password :param use_ssl: Enable/Disable SSL :param ssl_options: SSLContext object :param encoding: Character encoding to use """ self.host = host self.port = port self.nicks = nicks self.pwd = pwd self.chans = chans self.oper_pass = op_pass self.ssl = use_ssl self.encoding = encoding self.__nickidx = 0 self.__handlers = { b'PING': self.__ping, b'NOTICE': self.__notice, b'PRIVMSG': self.__privmsg, b'PART': self.__part, b'JOIN': self.__join, b'MODE': self.__mode, b'NICK': self.__nick, b'QUIT': self.__quit, b'KICK': self.__kick, b'001': self.__welcome, b'251': self.__user_count, b'252': self.__op_count, b'353': self.__namreply, b'372': self.__motd, b'376': self.__end_motd, b'433': self.__nick_in_use, b'900': self.__logged_in } sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0) if use_ssl: if not ssl_options: ssl_options = ssl.SSLContext(ssl.PROTOCOL_SSLv23) # IRC often has unsigned certs, by default do not verify ssl_options.verify_mode = ssl.CERT_NONE sock = ssl.wrap_socket(sock, do_handshake_on_connect=False) self.stream = tornado.iostream.SSLIOStream(sock, ssl_options=ssl_options) else: self.stream = tornado.iostream.IOStream(sock) self.stream.connect((self.host, self.port), self.__initial_auth, server_hostname=self.host)
def __get_ssl_context(cls, sslca=None): """Make an SSLConext for this Python version using public or sslca """ if ((version_info[0] == 2 and (version_info[1] >= 7 and version_info[2] >= 9)) or (version_info[0] == 3 and version_info[1] >= 4)): logger.debug('SSL method for 2.7.9+ / 3.4+') # pylint: disable=no-name-in-module from ssl import SSLContext, PROTOCOL_TLSv1_2, CERT_REQUIRED, OP_NO_COMPRESSION ctx = SSLContext(PROTOCOL_TLSv1_2) ctx.set_ciphers('HIGH:!SSLv3:!TLSv1:!aNULL:@STRENGTH') # see CRIME security exploit ctx.options |= OP_NO_COMPRESSION # the following options are used to verify the identity of the broker if sslca: ctx.load_verify_locations(sslca) ctx.verify_mode = CERT_REQUIRED ctx.check_hostname = False else: # Verify public certifcates if sslca is None (default) from ssl import Purpose # pylint: disable=no-name-in-module ctx.load_default_certs(purpose=Purpose.SERVER_AUTH) ctx.verify_mode = CERT_REQUIRED ctx.check_hostname = True elif version_info[0] == 3 and version_info[1] < 4: logger.debug('Using SSL method for 3.2+, < 3.4') # pylint: disable=no-name-in-module from ssl import SSLContext, CERT_REQUIRED, PROTOCOL_SSLv23, OP_NO_SSLv2, OP_NO_SSLv3, OP_NO_TLSv1 ctx = SSLContext(PROTOCOL_SSLv23) ctx.options |= (OP_NO_SSLv2 | OP_NO_SSLv3 | OP_NO_TLSv1) ctx.set_ciphers('HIGH:!SSLv3:!TLSv1:!aNULL:@STRENGTH') # the following options are used to verify the identity of the broker if sslca: ctx.load_verify_locations(sslca) ctx.verify_mode = CERT_REQUIRED else: # Verify public certifcates if sslca is None (default) ctx.set_default_verify_paths() ctx.verify_mode = CERT_REQUIRED else: raise Exception("Unsupported Python version %s" % '.'.join(str(item) for item in version_info[:3])) return ctx
def __get_ssl_context(cls, sslca=None): """Make an SSLConext for this Python version using public or sslca """ if ((version_info[0] == 2 and (version_info[1] >= 7 and version_info[2] >= 5)) or (version_info[0] == 3 and version_info[1] >= 4)): logger.debug('SSL method for 2.7.5+ / 3.4+') # pylint: disable=no-name-in-module,import-outside-toplevel from ssl import SSLContext, PROTOCOL_TLSv1_2, CERT_REQUIRED, OP_NO_COMPRESSION ctx = SSLContext(PROTOCOL_TLSv1_2) ctx.set_ciphers('HIGH:!SSLv3:!TLSv1:!aNULL:@STRENGTH') # see CRIME security exploit ctx.options |= OP_NO_COMPRESSION # the following options are used to verify the identity of the broker if sslca: ctx.load_verify_locations(sslca) ctx.verify_mode = CERT_REQUIRED ctx.check_hostname = False else: # Verify public certifcates if sslca is None (default) from ssl import Purpose # pylint: disable=no-name-in-module,import-outside-toplevel ctx.load_default_certs(purpose=Purpose.SERVER_AUTH) ctx.verify_mode = CERT_REQUIRED ctx.check_hostname = True elif version_info[0] == 3 and version_info[1] < 4: logger.debug('Using SSL method for 3.2+, < 3.4') # pylint: disable=no-name-in-module,import-outside-toplevel from ssl import SSLContext, CERT_REQUIRED, PROTOCOL_SSLv23, OP_NO_SSLv2, OP_NO_SSLv3, OP_NO_TLSv1 ctx = SSLContext(PROTOCOL_SSLv23) ctx.options |= (OP_NO_SSLv2 | OP_NO_SSLv3 | OP_NO_TLSv1) ctx.set_ciphers('HIGH:!SSLv3:!TLSv1:!aNULL:@STRENGTH') # the following options are used to verify the identity of the broker if sslca: ctx.load_verify_locations(sslca) ctx.verify_mode = CERT_REQUIRED else: # Verify public certifcates if sslca is None (default) ctx.set_default_verify_paths() ctx.verify_mode = CERT_REQUIRED else: raise Exception("Unsupported Python version %s" % '.'.join(str(item) for item in version_info[:3])) return ctx
def to_ssl_context(self): # See https://docs.python.org/3.7/library/ssl.html#protocol-versions from ssl import SSLContext, PROTOCOL_TLS_CLIENT, OP_NO_TLSv1, OP_NO_TLSv1_1, CERT_REQUIRED ssl_context = SSLContext(PROTOCOL_TLS_CLIENT) ssl_context.options |= OP_NO_TLSv1 ssl_context.options |= OP_NO_TLSv1_1 if self.verify_cert: ssl_context.verify_mode = CERT_REQUIRED ssl_context.set_default_verify_paths() return ssl_context
def context(self) -> Optional[SSLContext]: if self.ssl: self.logger.info("Setting up SSL") context = SSLContext(PROTOCOL_TLS) if self.cert and self.key: self.logger.info("Using SSL Cert: %s", self.cert) try: context.load_cert_chain(str(self.cert), str(self.key), password=self.key_password) except FileNotFoundError as e: raise FileNotFoundError( better_file_not_found_error( self.cert, self.key, purpose='ssl cert loading')) if self.warn_if_expires_before_days: self._warn_expiry_task = create_task( self.check_cert_expiry()) set_task_name(self._warn_expiry_task, 'CheckSSLCertValidity') context.verify_mode = CERT_REQUIRED if self.cert_required else CERT_NONE context.check_hostname = self.check_hostname self.logger.info('%s, Check Hostname: %s' % (context.verify_mode, context.check_hostname)) if context.verify_mode != CERT_NONE: if self.cafile or self.capath or self.cadata: locations = { 'cafile': str(self.cafile) if self.cafile else None, 'capath': str(self.capath) if self.capath else None, 'cadata': self.cadata } try: context.load_verify_locations(**locations) self.logger.info("Verifying SSL certs with: %s", locations) except FileNotFoundError: raise FileNotFoundError( better_file_not_found_error( *locations.values(), purpose='CA ssl cert validation')) else: context.load_default_certs(self.purpose) self.logger.info("Verifying SSL certs with: %s", get_default_verify_paths()) self.logger.info("SSL Context loaded") # OpenSSL 1.1.1 keylog file if hasattr(context, 'keylog_filename'): keylogfile = os.environ.get('SSLKEYLOGFILE') if keylogfile and not sys.flags.ignore_environment: self.logger.warning( "TLS encryption secrets are being stored in %s", keylogfile) context.keylog_filename = keylogfile return context return None
def get_ssl_context(*args): """Create and return an SSLContext object.""" certfile, keyfile, ca_certs, cert_reqs = args ctx = SSLContext(ssl.PROTOCOL_SSLv23) if certfile is not None: ctx.load_cert_chain(certfile, keyfile) if ca_certs is not None: ctx.load_verify_locations(ca_certs) if cert_reqs is not None: ctx.verify_mode = cert_reqs return ctx
def load_TLS(self): context = SSLContext(PROTOCOL_TLS) context.minimum_version = TLSVersion.TLSv1_3 context.verify_mode = CERT_REQUIRED context.check_hostname = True if self.CA != 'default' and self.CA != '': context.load_verify_locations(self.CA) else: context.load_default_certs() self.server = create_connection((self.SERVER_HOST, self.SERVER_PORT)) self.server = context.wrap_socket(self.server, server_hostname=self.SERVER_HOST)
def __init__(self): ssl_context = SSLContext(PROTOCOL_TLSv1_2) ssl_context.load_verify_locations('.cassandra/AmazonRootCA1.pem') ssl_context.verify_mode = CERT_REQUIRED auth_provider = PlainTextAuthProvider(username='******', password='******') self.cluster = Cluster(['cassandra.us-east-1.amazonaws.com'], ssl_context=ssl_context, auth_provider=auth_provider, port=9142) self.session = self.cluster.connect("test_keyspace")
def __init__(self): user = os.getenv("PG_USER", 'postgres') password = os.getenv("PG_PASSWORD", None) self._database = os.getenv("PG_DATABASE", 'postgres') host = os.getenv("PG_HOST", 'localhost') port = int(os.getenv("PG_PORT", '5432')) ssl_context = SSLContext() ssl_context.check_hostname = False ssl_context.verify_mode = ssl.CERT_NONE self._con = pg8000.connect(user, host, self._database, port, password) self._con.autocommit = True self._create_schema()
async def create_redis_pool(address: str, ssl_validation: SSLValidation) -> Redis: ssl_context: Union[SSLContext, bool] if ssl_validation == SSLValidation.SELF_SIGNED: ssl_context = SSLContext(ssl.PROTOCOL_TLS_CLIENT) ssl_context.check_hostname = False ssl_context.verify_mode = ssl.VerifyMode.CERT_NONE elif ssl_validation == SSLValidation.NONE: ssl_context = False else: ssl_context = ssl.create_default_context() return await aioredis.create_redis_pool(address, ssl=ssl_context)
def create_session(url: str, port: int, context: ssl.SSLContext = ssl.create_default_context()): """ Create a secure connection to any server on any port with a defined context on a specific timeout. :param url: url of the website :param context: ssl context :param port: port :return: created secure socket """ cert_verified = True context.check_hostname = True context.verify_mode = ssl.VerifyMode.CERT_REQUIRED sleep = 0 # Loop until there is a valid response or after 15 seconds # because of rate limiting on some servers while True: sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.settimeout(5) # in seconds # context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT) ssl_socket = context.wrap_socket(sock, server_hostname=url) try: logging.debug(f'connecting... (main connection)') ssl_socket.connect((url, port)) break except ssl.SSLCertVerificationError: cert_verified = False context.check_hostname = False context.verify_mode = ssl.CERT_NONE except socket.timeout: raise ConnectionTimeoutError() except socket.gaierror: raise DNSError() except ConnectionResetError as e: raise UnknownConnectionError(e) except socket.error as e: ssl_socket.close() sleep = incremental_sleep(sleep, e, 1) return ssl_socket, cert_verified
def instance(cls, keyspace_name: str = None): if cls._instance is None: print('Creating new instance of Cosmos Factory') cls._instance = cls.__new__(cls) # Put any initialization here. ssl_opts = { 'ca_certs': DEFAULT_CA_BUNDLE_PATH, 'ssl_version': PROTOCOL_TLSv1_2, } if 'certpath' in cfg.config: ssl_opts['ca_certs'] = cfg.config['certpath'] ssl_context = SSLContext(PROTOCOL_TLSv1_2) ssl_context.verify_mode = CERT_NONE auth_provider = PlainTextAuthProvider( username=cfg.config['username'], password=cfg.config['password']) # cluster = Cluster([cfg.config['contactPoint']], port=int(cfg.config['port']), auth_provider=auth_provider, # ssl_options=ssl_opts, connect_timeout=600) cluster = Cluster([cfg.config['contactPoint']], port=int(cfg.config['port']), auth_provider=auth_provider, ssl_context=ssl_context, connect_timeout=600) cls._instance.session = cluster.connect() # self.create_keyspace(name='bitemporaldb', strategy_type='NetworkTopologyStrategy', dc_name='datacenter',repl_factor=1) if keyspace_name == None and 'keyspace' in cfg.config and not cfg.config[ 'keyspace']: cls._instance.name = "_" + timestamp_helper.get_timestamp() cls._instance.create_keyspace( name=cls._instance.name, strategy_type='NetworkTopologyStrategy', dc_name='datacenter', repl_factor=1) else: if keyspace_name == None and 'keyspace' in cfg.config and cfg.config[ 'keyspace']: cls._instance.name = cfg.config['keyspace'] else: cls._instance.name = keyspace_name return cls._instance
def __init__(self): ssl_context = SSLContext(PROTOCOL_TLSv1_2) ssl_context.verify_mode = CERT_NONE auth_provider = PlainTextAuthProvider( username=cfg.config['username'], password=cfg.config['password']) self.cluster = Cluster([cfg.config['contactPoint']], port=cfg.config['port'], auth_provider=auth_provider, ssl_context=ssl_context) self.session = None self.keyspace = None self.log = None
def create_urllib3_context(ssl_version = None, cert_reqs = None, options = None, ciphers = None): context = SSLContext(ssl_version or ssl.PROTOCOL_SSLv23) cert_reqs = ssl.CERT_REQUIRED if cert_reqs is None else cert_reqs if options is None: options = 0 options |= OP_NO_SSLv2 options |= OP_NO_SSLv3 options |= OP_NO_COMPRESSION context.options |= options if getattr(context, 'supports_set_ciphers', True): context.set_ciphers(ciphers or DEFAULT_CIPHERS) context.verify_mode = cert_reqs if getattr(context, 'check_hostname', None) is not None: context.check_hostname = False return context
def create_thriftpy_context(server_side=False, ciphers=None): """Backport create_default_context for older python versions. The SSLContext has some default security options, you can disable them manually, for example:: from thriftpy.transport import _ssl context = _ssl.create_thriftpy_context() context.options &= ~_ssl.OP_NO_SSLv3 You can do the same to enable compression. """ if MODERN_SSL: if server_side: context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH) else: context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH) if ciphers: context.set_ciphers(ciphers) else: context = SSLContext(ssl.PROTOCOL_SSLv23) context.options |= OP_NO_SSLv2 context.options |= OP_NO_SSLv3 context.options |= OP_NO_COMPRESSION # server/client default options if server_side: context.options |= OP_CIPHER_SERVER_PREFERENCE context.options |= OP_SINGLE_DH_USE context.options |= OP_SINGLE_ECDH_USE else: context.verify_mode = ssl.CERT_REQUIRED # context.check_hostname = True warnings.warn( "ssl check hostname support disabled, upgrade your python", InsecurePlatformWarning) # Platform-specific: Python 2.6 if getattr(context, 'supports_set_ciphers', True): if ciphers: context.set_ciphers(ciphers) else: warnings.warn("ssl ciphers support disabled, upgrade your python", InsecurePlatformWarning) return context
def updateSubject(): if flask.request.method == 'GET': # Just render the initial form, to get input return (flask.render_template('updateSubject.html')), 200 if flask.request.method == 'POST': subid = flask.request.form['subid'] name = flask.request.form['name'] year = flask.request.form['year'] time = flask.request.form['time'] ssl_context = SSLContext(PROTOCOL_TLSv1_2) ssl_context.verify_mode = CERT_NONE auth_provider = PlainTextAuthProvider(username=cfg.config['username'], password=cfg.config['password']) cluster = Cluster([cfg.config['contactPoint']], port=cfg.config['port'], auth_provider=auth_provider, ssl_context=ssl_context) session = cluster.connect() # Retreive data with existing subjects from the DB rows = session.execute( "SELECT * FROM miniproj.subjects WHERE subject_id=" + subid) if len(rows.current_rows) == 0: cluster.shutdown() return flask.render_template('updateSubject.html', result='Invalid Subject ID'), 400 # Retreive data with existing subjects and schedule from the DB rows = session.execute("SELECT * FROM miniproj.subjects WHERE year='" + year + "' AND time='" + time + "' ALLOW FILTERING") # Check for clashes between subjects if len(rows.current_rows) > 0: cluster.shutdown() return flask.render_template( 'insertSubject.html', result='Clash detected. Please enter a new time.'), 400 #</authenticateAndConnect> try: # Edit selected subject information (name, year, time, subject id) rows = session.execute( "UPDATE miniproj.subjects SET subject_name='" + name + "', year='" + year + "', time='" + time + "' WHERE subject_id = " + subid) result = 'Updated Successfully' except Exception as e: result = 'Error updating record' cluster.shutdown() return flask.render_template('updateStudent.html', result=result), 200
def ssl_wrap_socket(sock, keyfile = None, certfile = None, cert_reqs = None, ca_certs = None, server_hostname = None, ssl_version = None): context = SSLContext(ssl_version) context.verify_mode = cert_reqs OP_NO_COMPRESSION = 131072 context.options |= OP_NO_COMPRESSION if ca_certs: try: context.load_verify_locations(ca_certs) except Exception as e: raise SSLError(e) if certfile: context.load_cert_chain(certfile, keyfile) if HAS_SNI: return context.wrap_socket(sock, server_hostname=server_hostname) return context.wrap_socket(sock)
def get_ssl_context(*args): """Create and return an SSLContext object.""" certfile, keyfile, ca_certs, cert_reqs = args # Note PROTOCOL_SSLv23 is about the most misleading name imaginable. # This configures the server and client to negotiate the # highest protocol version they both support. A very good thing. ctx = SSLContext(ssl.PROTOCOL_SSLv23) if hasattr(ctx, "options"): # Explicitly disable SSLv2 and SSLv3. Note that up to # date versions of MongoDB 2.4 and above already do this, # python disables SSLv2 by default in >= 2.7.7 and >= 3.3.4 # and SSLv3 in >= 3.4.3. There is no way for us to do this # explicitly for python 2.6 or 2.7 before 2.7.9. ctx.options |= getattr(ssl, "OP_NO_SSLv2", 0) ctx.options |= getattr(ssl, "OP_NO_SSLv3", 0) if certfile is not None: ctx.load_cert_chain(certfile, keyfile) if ca_certs is not None: ctx.load_verify_locations(ca_certs) elif cert_reqs != ssl.CERT_NONE: # CPython >= 2.7.9 or >= 3.4.0, pypy >= 2.5.1 if hasattr(ctx, "load_default_certs"): ctx.load_default_certs() # Python >= 3.2.0, useless on Windows. elif (sys.platform != "win32" and hasattr(ctx, "set_default_verify_paths")): ctx.set_default_verify_paths() elif sys.platform == "win32" and HAVE_WINCERTSTORE: with _WINCERTSLOCK: if _WINCERTS is None: _load_wincerts() ctx.load_verify_locations(_WINCERTS.name) elif HAVE_CERTIFI: ctx.load_verify_locations(certifi.where()) else: raise ConfigurationError( "`ssl_cert_reqs` is not ssl.CERT_NONE and no system " "CA certificates could be loaded. `ssl_ca_certs` is " "required.") ctx.verify_mode = ssl.CERT_REQUIRED if cert_reqs is None else cert_reqs return ctx
def ssl_wrap_socket(sock, keyfile=None, certfile=None, cert_reqs=None, ca_certs=None, server_hostname=None, ssl_version=None): context = SSLContext(ssl_version) context.verify_mode = cert_reqs if ca_certs: try: context.load_verify_locations(ca_certs) # Py32 raises IOError # Py33 raises FileNotFoundError except Exception as e: # Reraise as SSLError raise SSLError(e) if certfile: # FIXME: This block needs a test. context.load_cert_chain(certfile, keyfile) if HAS_SNI: # Platform-specific: OpenSSL with enabled SNI return (context, context.wrap_socket(sock, server_hostname=server_hostname)) return (context, context.wrap_socket(sock))
def ssl_wrap_socket(sock, keyfile=None, certfile=None, cert_reqs=CERT_NONE, ca_certs=None, server_hostname=None, ssl_version=PROTOCOL_SSLv23): """ All arguments except `server_hostname` have the same meaning as for :func:`ssl.wrap_socket` :param server_hostname: Hostname of the expected certificate """ context = SSLContext(ssl_version) context.verify_mode = cert_reqs if ca_certs: try: context.load_verify_locations(ca_certs) except TypeError as e: # Reraise as SSLError # FIXME: This block needs a test. raise SSLError(e) if certfile: # FIXME: This block needs a test. context.load_cert_chain(certfile, keyfile) if HAS_SNI: # Platform-specific: OpenSSL with enabled SNI return context.wrap_socket(sock, server_hostname=server_hostname) return context.wrap_socket(sock)
def get_ssl_context(*args): """Create and return an SSLContext object.""" certfile, keyfile, passphrase, ca_certs, cert_reqs, crlfile = args # Note PROTOCOL_SSLv23 is about the most misleading name imaginable. # This configures the server and client to negotiate the # highest protocol version they both support. A very good thing. # PROTOCOL_TLS_CLIENT was added in CPython 3.6, deprecating # PROTOCOL_SSLv23. ctx = SSLContext( getattr(ssl, "PROTOCOL_TLS_CLIENT", ssl.PROTOCOL_SSLv23)) # SSLContext.check_hostname was added in CPython 2.7.9 and 3.4. # PROTOCOL_TLS_CLIENT enables it by default. Using it # requires passing server_hostname to wrap_socket, which we already # do for SNI support. To support older versions of Python we have to # call match_hostname directly, so we disable check_hostname explicitly # to avoid calling match_hostname twice. if hasattr(ctx, "check_hostname"): ctx.check_hostname = False if hasattr(ctx, "options"): # Explicitly disable SSLv2, SSLv3 and TLS compression. Note that # up to date versions of MongoDB 2.4 and above already disable # SSLv2 and SSLv3, python disables SSLv2 by default in >= 2.7.7 # and >= 3.3.4 and SSLv3 in >= 3.4.3. There is no way for us to do # any of this explicitly for python 2.6 or 2.7 before 2.7.9. ctx.options |= getattr(ssl, "OP_NO_SSLv2", 0) ctx.options |= getattr(ssl, "OP_NO_SSLv3", 0) # OpenSSL >= 1.0.0 ctx.options |= getattr(ssl, "OP_NO_COMPRESSION", 0) if certfile is not None: try: if passphrase is not None: vi = sys.version_info # Since python just added a new parameter to an existing method # this seems to be about the best we can do. if (vi[0] == 2 and vi < (2, 7, 9) or vi[0] == 3 and vi < (3, 3)): raise ConfigurationError( "Support for ssl_pem_passphrase requires " "python 2.7.9+ (pypy 2.5.1+) or 3.3+") ctx.load_cert_chain(certfile, keyfile, passphrase) else: ctx.load_cert_chain(certfile, keyfile) except ssl.SSLError as exc: raise ConfigurationError( "Private key doesn't match certificate: %s" % (exc,)) if crlfile is not None: if not hasattr(ctx, "verify_flags"): raise ConfigurationError( "Support for ssl_crlfile requires " "python 2.7.9+ (pypy 2.5.1+) or 3.4+") # Match the server's behavior. ctx.verify_flags = ssl.VERIFY_CRL_CHECK_LEAF ctx.load_verify_locations(crlfile) if ca_certs is not None: ctx.load_verify_locations(ca_certs) elif cert_reqs != ssl.CERT_NONE: # CPython >= 2.7.9 or >= 3.4.0, pypy >= 2.5.1 if hasattr(ctx, "load_default_certs"): ctx.load_default_certs() # Python >= 3.2.0, useless on Windows. elif (sys.platform != "win32" and hasattr(ctx, "set_default_verify_paths")): ctx.set_default_verify_paths() elif sys.platform == "win32" and HAVE_WINCERTSTORE: with _WINCERTSLOCK: if _WINCERTS is None: _load_wincerts() ctx.load_verify_locations(_WINCERTS.name) elif HAVE_CERTIFI: ctx.load_verify_locations(certifi.where()) else: raise ConfigurationError( "`ssl_cert_reqs` is not ssl.CERT_NONE and no system " "CA certificates could be loaded. `ssl_ca_certs` is " "required.") ctx.verify_mode = ssl.CERT_REQUIRED if cert_reqs is None else cert_reqs return ctx
def get_ssl_context(*args): """Create and return an SSLContext object.""" (certfile, keyfile, passphrase, ca_certs, cert_reqs, crlfile, match_hostname) = args verify_mode = ssl.CERT_REQUIRED if cert_reqs is None else cert_reqs # Note PROTOCOL_SSLv23 is about the most misleading name imaginable. # This configures the server and client to negotiate the # highest protocol version they both support. A very good thing. # PROTOCOL_TLS_CLIENT was added in CPython 3.6, deprecating # PROTOCOL_SSLv23. ctx = SSLContext( getattr(ssl, "PROTOCOL_TLS_CLIENT", ssl.PROTOCOL_SSLv23)) # SSLContext.check_hostname was added in CPython 2.7.9 and 3.4. # PROTOCOL_TLS_CLIENT (added in Python 3.6) enables it by default. if hasattr(ctx, "check_hostname"): if _PY37PLUS and verify_mode != ssl.CERT_NONE: # Python 3.7 uses OpenSSL's hostname matching implementation # making it the obvious version to start using this with. # Python 3.6 might have been a good version, but it suffers # from https://bugs.python.org/issue32185. # We'll use our bundled match_hostname for older Python # versions, which also supports IP address matching # with Python < 3.5. ctx.check_hostname = match_hostname else: ctx.check_hostname = False if hasattr(ctx, "options"): # Explicitly disable SSLv2, SSLv3 and TLS compression. Note that # up to date versions of MongoDB 2.4 and above already disable # SSLv2 and SSLv3, python disables SSLv2 by default in >= 2.7.7 # and >= 3.3.4 and SSLv3 in >= 3.4.3. There is no way for us to do # any of this explicitly for python 2.7 before 2.7.9. ctx.options |= getattr(ssl, "OP_NO_SSLv2", 0) ctx.options |= getattr(ssl, "OP_NO_SSLv3", 0) # OpenSSL >= 1.0.0 ctx.options |= getattr(ssl, "OP_NO_COMPRESSION", 0) # Python 3.7+ with OpenSSL >= 1.1.0h ctx.options |= getattr(ssl, "OP_NO_RENEGOTIATION", 0) if certfile is not None: try: if passphrase is not None: vi = sys.version_info # Since python just added a new parameter to an existing method # this seems to be about the best we can do. if (vi[0] == 2 and vi < (2, 7, 9) or vi[0] == 3 and vi < (3, 3)): raise ConfigurationError( "Support for ssl_pem_passphrase requires " "python 2.7.9+ (pypy 2.5.1+) or 3.3+") ctx.load_cert_chain(certfile, keyfile, passphrase) else: ctx.load_cert_chain(certfile, keyfile) except ssl.SSLError as exc: raise ConfigurationError( "Private key doesn't match certificate: %s" % (exc,)) if crlfile is not None: if not hasattr(ctx, "verify_flags"): raise ConfigurationError( "Support for ssl_crlfile requires " "python 2.7.9+ (pypy 2.5.1+) or 3.4+") # Match the server's behavior. ctx.verify_flags = ssl.VERIFY_CRL_CHECK_LEAF ctx.load_verify_locations(crlfile) if ca_certs is not None: ctx.load_verify_locations(ca_certs) elif cert_reqs != ssl.CERT_NONE: # CPython >= 2.7.9 or >= 3.4.0, pypy >= 2.5.1 if hasattr(ctx, "load_default_certs"): ctx.load_default_certs() # Python >= 3.2.0, useless on Windows. elif (sys.platform != "win32" and hasattr(ctx, "set_default_verify_paths")): ctx.set_default_verify_paths() elif sys.platform == "win32" and HAVE_WINCERTSTORE: with _WINCERTSLOCK: if _WINCERTS is None: _load_wincerts() ctx.load_verify_locations(_WINCERTS.name) elif HAVE_CERTIFI: ctx.load_verify_locations(certifi.where()) else: raise ConfigurationError( "`ssl_cert_reqs` is not ssl.CERT_NONE and no system " "CA certificates could be loaded. `ssl_ca_certs` is " "required.") ctx.verify_mode = verify_mode return ctx
def open_url(url, data=None, headers=None, method=None, use_proxy=True, force=False, last_mod_time=None, timeout=10, validate_certs=True, url_username=None, url_password=None, http_agent=None, force_basic_auth=False): ''' Fetches a file from an HTTP/FTP server using urllib2 ''' handlers = [] # FIXME: change the following to use the generic_urlparse function # to remove the indexed references for 'parsed' parsed = urlparse.urlparse(url) if parsed[0] == 'https' and validate_certs: if not HAS_SSL: raise NoSSLError('SSL validation is not available in your version of python. You can use validate_certs=False, however this is unsafe and not recommended') # do the cert validation netloc = parsed[1] if '@' in netloc: netloc = netloc.split('@', 1)[1] if ':' in netloc: hostname, port = netloc.split(':', 1) port = int(port) else: hostname = netloc port = 443 # create the SSL validation handler and # add it to the list of handlers ssl_handler = SSLValidationHandler(hostname, port) handlers.append(ssl_handler) if parsed[0] != 'ftp': username = url_username if username: password = url_password netloc = parsed[1] elif '@' in parsed[1]: credentials, netloc = parsed[1].split('@', 1) if ':' in credentials: username, password = credentials.split(':', 1) else: username = credentials password = '' parsed = list(parsed) parsed[1] = netloc # reconstruct url without credentials url = urlparse.urlunparse(parsed) if username and not force_basic_auth: passman = urllib2.HTTPPasswordMgrWithDefaultRealm() # this creates a password manager passman.add_password(None, netloc, username, password) # because we have put None at the start it will always # use this username/password combination for urls # for which `theurl` is a super-url authhandler = urllib2.HTTPBasicAuthHandler(passman) # create the AuthHandler handlers.append(authhandler) elif username and force_basic_auth: if headers is None: headers = {} headers["Authorization"] = "Basic %s" % base64.b64encode("%s:%s" % (username, password)) if not use_proxy: proxyhandler = urllib2.ProxyHandler({}) handlers.append(proxyhandler) # pre-2.6 versions of python cannot use the custom https # handler, since the socket class is lacking create_connection. # Some python builds lack HTTPS support. if hasattr(socket, 'create_connection') and CustomHTTPSHandler: handlers.append(CustomHTTPSHandler) opener = urllib2.build_opener(*handlers) urllib2.install_opener(opener) if method: if method.upper() not in ('OPTIONS','GET','HEAD','POST','PUT','DELETE','TRACE','CONNECT','PATCH'): raise ConnectionError('invalid HTTP request method; %s' % method.upper()) request = RequestWithMethod(url, method.upper(), data) else: request = urllib2.Request(url, data) # add the custom agent header, to help prevent issues # with sites that block the default urllib agent string request.add_header('User-agent', http_agent) # if we're ok with getting a 304, set the timestamp in the # header, otherwise make sure we don't get a cached copy if last_mod_time and not force: tstamp = last_mod_time.strftime('%a, %d %b %Y %H:%M:%S +0000') request.add_header('If-Modified-Since', tstamp) else: request.add_header('cache-control', 'no-cache') # user defined headers now, which may override things we've set above if headers: if not isinstance(headers, dict): raise ValueError("headers provided to fetch_url() must be a dict") for header in headers: request.add_header(header, headers[header]) urlopen_args = [request, None] if sys.version_info >= (2,6,0): # urlopen in python prior to 2.6.0 did not # have a timeout parameter urlopen_args.append(timeout) if HAS_SSLCONTEXT and not validate_certs: # In 2.7.9, the default context validates certificates context = SSLContext(ssl.PROTOCOL_SSLv23) context.options |= ssl.OP_NO_SSLv2 context.options |= ssl.OP_NO_SSLv3 context.verify_mode = ssl.CERT_NONE context.check_hostname = False urlopen_args += (None, None, None, context) r = urllib2.urlopen(*urlopen_args) return r
from __future__ import absolute_import, division, print_function from ssl import CERT_NONE, PROTOCOL_SSLv23, SSLContext from psphere.client import Client if __name__ == '__main__': context = SSLContext(PROTOCOL_SSLv23) context.verify_mode = CERT_NONE test_client = Client('localhost:8989', 'user', 'pass', sslcontext=context) print(test_client.si.CurrentTime()) test_client.logout()
def open_url(url, data=None, headers=None, method=None, use_proxy=True, force=False, last_mod_time=None, timeout=10, validate_certs=True, url_username=None, url_password=None, http_agent=None, force_basic_auth=False, follow_redirects='urllib2'): ''' Sends a request via HTTP(S) or FTP using urllib2 (Python2) or urllib (Python3) Does not require the module environment ''' handlers = [] ssl_handler = maybe_add_ssl_handler(url, validate_certs) if ssl_handler: handlers.append(ssl_handler) # FIXME: change the following to use the generic_urlparse function # to remove the indexed references for 'parsed' parsed = urlparse(url) if parsed[0] != 'ftp': username = url_username if headers is None: headers = {} if username: password = url_password netloc = parsed[1] elif '@' in parsed[1]: credentials, netloc = parsed[1].split('@', 1) if ':' in credentials: username, password = credentials.split(':', 1) else: username = credentials password = '' parsed = list(parsed) parsed[1] = netloc # reconstruct url without credentials url = urlunparse(parsed) if username and not force_basic_auth: passman = urllib_request.HTTPPasswordMgrWithDefaultRealm() # this creates a password manager passman.add_password(None, netloc, username, password) # because we have put None at the start it will always # use this username/password combination for urls # for which `theurl` is a super-url authhandler = urllib_request.HTTPBasicAuthHandler(passman) # create the AuthHandler handlers.append(authhandler) elif username and force_basic_auth: headers["Authorization"] = basic_auth_header(username, password) else: try: rc = netrc.netrc(os.environ.get('NETRC')) login = rc.authenticators(parsed[1]) except IOError: login = None if login: username, _, password = login if username and password: headers["Authorization"] = basic_auth_header(username, password) if not use_proxy: proxyhandler = urllib_request.ProxyHandler({}) handlers.append(proxyhandler) if HAS_SSLCONTEXT and not validate_certs: # In 2.7.9, the default context validates certificates context = SSLContext(ssl.PROTOCOL_SSLv23) context.options |= ssl.OP_NO_SSLv2 context.options |= ssl.OP_NO_SSLv3 context.verify_mode = ssl.CERT_NONE context.check_hostname = False handlers.append(urllib_request.HTTPSHandler(context=context)) # pre-2.6 versions of python cannot use the custom https # handler, since the socket class is lacking create_connection. # Some python builds lack HTTPS support. if hasattr(socket, 'create_connection') and CustomHTTPSHandler: handlers.append(CustomHTTPSHandler) handlers.append(RedirectHandlerFactory(follow_redirects, validate_certs)) opener = urllib_request.build_opener(*handlers) urllib_request.install_opener(opener) if method: if method.upper() not in ('OPTIONS','GET','HEAD','POST','PUT','DELETE','TRACE','CONNECT','PATCH'): raise ConnectionError('invalid HTTP request method; %s' % method.upper()) request = RequestWithMethod(url, method.upper(), data) else: request = urllib_request.Request(url, data) # add the custom agent header, to help prevent issues # with sites that block the default urllib agent string request.add_header('User-agent', http_agent) # if we're ok with getting a 304, set the timestamp in the # header, otherwise make sure we don't get a cached copy if last_mod_time and not force: tstamp = last_mod_time.strftime('%a, %d %b %Y %H:%M:%S +0000') request.add_header('If-Modified-Since', tstamp) else: request.add_header('cache-control', 'no-cache') # user defined headers now, which may override things we've set above if headers: if not isinstance(headers, dict): raise ValueError("headers provided to fetch_url() must be a dict") for header in headers: request.add_header(header, headers[header]) urlopen_args = [request, None] if sys.version_info >= (2,6,0): # urlopen in python prior to 2.6.0 did not # have a timeout parameter urlopen_args.append(timeout) r = urllib_request.urlopen(*urlopen_args) return r