def verify_cert(host, capath, timeout, cncheck=True): server_ctx = Context(TLSv1_METHOD) server_cert_chain = [] server_ctx.load_verify_locations(None, capath) host = re.split("/*", host)[1] if ':' in host: host = host.split(':') server = host[0] port = int(host[1] if not '?' in host[1] else host[1].split('?')[0]) else: server = host port = 443 def verify_cb(conn, cert, errnum, depth, ok): server_cert_chain.append(cert) return ok server_ctx.set_verify(VERIFY_PEER, verify_cb) try: sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.setblocking(1) sock.settimeout(timeout) sock.connect((server, port)) except (socket.error, socket.timeout) as e: nagios_out( 'Critical', 'Connection error %s - %s' % (server + ':' + str(port), errmsg_from_excp(e)), 2) server_conn = Connection(server_ctx, sock) server_conn.set_connect_state() def iosock_try(): ok = True try: server_conn.do_handshake() sleep(0.5) except SSLWantReadError as e: ok = False pass except Exception as e: raise e return ok try: while True: if iosock_try(): break if cncheck: server_subject = server_cert_chain[-1].get_subject() if server != server_subject.CN: nagios_out( 'Critical', 'Server certificate CN %s does not match %s' % (server_subject.CN, server), 2) except SSLError as e: if 'sslv3 alert handshake failure' in errmsg_from_excp(e): pass else: nagios_out( 'Critical', 'Connection error %s - %s' % (server + ':' + str(port), errmsg_from_excp(e, level=1)), 2) finally: server_conn.shutdown() server_conn.close() return True
This API offers somewhat more flexibility than L{twisted.internet.interfaces.IReactorSSL}; for example, a L{TLSMemoryBIOProtocol} instance can use another instance of L{TLSMemoryBIOProtocol} as its transport, yielding TLS over TLS - useful to implement onion routing. It can also be used to run TLS over unusual transports, such as UNIX sockets and stdio. """ from __future__ import division, absolute_import from OpenSSL.SSL import Error, ZeroReturnError, WantReadError from OpenSSL.SSL import TLSv1_METHOD, Context, Connection try: Connection(Context(TLSv1_METHOD), None) except TypeError as e: if str(e) != "argument must be an int, or have a fileno() method.": raise raise ImportError( "twisted.protocols.tls requires pyOpenSSL 0.10 or newer.") from zope.interface import implementer, providedBy, directlyProvides from twisted.python.compat import unicode from twisted.python.failure import Failure from twisted.python import log from twisted.python.reflect import safe_str from twisted.internet.interfaces import ( ISystemHandle, INegotiated,
def getContext(self): ctx = Context(TLSv1_METHOD) ctx.use_certificate(self.flocker_credential.certificate.original) ctx.use_privatekey(self.flocker_credential.keypair.keypair.original) return ctx
msg[0]) + ' , Error message : ' + msg[1] sys.exit() print 'Socket Created' host = 'www.google.com' port = 80 try: remote_ip = socket.gethostbyname(host) except socket.gaierror: #could not resolve print 'Hostname could not be resolved. Exiting' sys.exit() client.connect((remote_ip, port)) print 'connected', client.getpeername() client_ssl = Connection(Context(SSLv3_METHOD), client) client_ssl.set_connect_state() #client_ssl.set_tlsext_host_name(argv[1]) client_ssl.do_handshake() print 'Server subject is', client_ssl.get_peer_certificate().get_subject() client_ssl.close() if __name__ == '__main__': import client raise SystemExit(client.main())