def serve(socket, get_secrets : Callable[[None], List[Tuple[bytes, bytes]]], handle_message : Callable[[str, str], None], running : bool) -> None: patch_context() ctx = Context(TLSv1_2_METHOD) ctx.set_cipher_list(b'ECDHE-PSK-CHACHA20-POLY1305') ctx.use_psk_identity_hint(b'our_chosen_server_identity_hint') partial_get_secret = partial(get_secret, get_secrets=get_secrets) ctx.set_psk_server_callback(partial_get_secret) server = Connection(ctx, socket) open_sockets = [] addr, port = socket.getsockname() print(f"Serving on: {addr}:{port}") while running: try: client_socket, from_addr = server.accept() except: continue addr, port = from_addr print(f"Accepted connection from {addr}:{port}") thread = Thread(target=handle_client, args=(client_socket, handle_message, )) thread.start() open_sockets.append(thread) for thread in open_sockets: if not thread.is_alive(): thread.join() for thread in open_sockets: thread.join()
def cacheContext(self): # Unfortunate code duplication. ctx = SSLContext(self.sslmethod) # Always disable SSLv2/SSLv3/Compression ctx.set_options(OP_NO_SSLv2) ctx.set_options(OP_NO_SSLv3) ctx.set_options(_OP_NO_COMPRESSION) if self.ciphers is not None: ctx.set_cipher_list(self.ciphers) ctx.set_options(OP_CIPHER_SERVER_PREFERENCE) if self.passwdCallback is not None: ctx.set_passwd_cb(self.passwdCallback) if self.keychainIdentity and hasattr(ctx, "use_keychain_identity"): ctx.use_keychain_identity(self.keychainIdentity) else: if self.certificateFileName: ctx.use_certificate_file(self.certificateFileName) if self.privateKeyFileName: ctx.use_privatekey_file(self.privateKeyFileName) if self.certificateChainFile: ctx.use_certificate_chain_file(self.certificateChainFile) verifyFlags = VERIFY_NONE if self.verifyClient: verifyFlags = VERIFY_PEER if self.requireClientCertificate: verifyFlags |= VERIFY_FAIL_IF_NO_PEER_CERT if self.verifyClientOnce: verifyFlags |= VERIFY_CLIENT_ONCE if self.clientCACertFileNames: store = ctx.get_cert_store() for cert in self.clientCACertFileNames: with open(cert) as f: certpem = f.read() cert = Certificate.loadPEM(certpem) store.add_cert(cert.original) if self.sendCAsToClient: ctx.add_client_ca(cert.original) # When a client certificate is used we also need to set a session context id # to avoid openssl SSL_F_SSL_GET_PREV_SESSION,SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED # errors ctx.set_session_id(str(uuid.uuid4()).replace("-", "")) # It'd be nice if pyOpenSSL let us pass None here for this behavior (as # the underlying OpenSSL API call allows NULL to be passed). It # doesn't, so we'll supply a function which does the same thing. def _verifyCallback(conn, cert, errno, depth, preverify_ok): return preverify_ok ctx.set_verify(verifyFlags, _verifyCallback) if self.verifyClientDepth is not None: ctx.set_verify_depth(self.verifyClientDepth) self._context = ctx
def testPFSCipher(host,port,cipher): try: # Construct the socket client = socket.socket(socket.AF_INET, socket.SOCK_STREAM) client.settimeout(10) client.connect((host, port)) # Define the method as serverpreferred and use the Cipher from the test contextToUse = Context(pfsCipherList[cipher]) contextToUse.set_cipher_list(cipher) # Estabilish a SSL connection using the server's preferred connection client_ssl = Connection(contextToUse, client) client_ssl.set_connect_state() client_ssl.set_tlsext_host_name(host) # Try to perform an SSL handshake client_ssl.do_handshake() # Close the connection client_ssl.close() client.close() return True except openSSLError as e: # Server may be down or avoiding SSL connection return False except ValueError as e: # Not configured or not allowed return False pass
def cacheContext(self): # Unfortunate code duplication. ctx = SSLContext(self.sslmethod) if self.ciphers is not None: ctx.set_cipher_list(self.ciphers) if self.passwdCallback is not None: ctx.set_passwd_cb(self.passwdCallback) ctx.use_certificate_file(self.certificateFileName) ctx.use_privatekey_file(self.privateKeyFileName) if self.certificateChainFile != "": ctx.use_certificate_chain_file(self.certificateChainFile) self._context = ctx
def configure_context(context: SSL.Context, config: HomeServerConfig) -> None: try: _ecCurve = crypto.get_elliptic_curve(_defaultCurveName) context.set_tmp_ecdh(_ecCurve) except Exception: logger.exception("Failed to enable elliptic curve for TLS") context.set_options( SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3 | SSL.OP_NO_TLSv1 | SSL.OP_NO_TLSv1_1 ) context.use_certificate_chain_file(config.tls.tls_certificate_file) assert config.tls.tls_private_key is not None context.use_privatekey(config.tls.tls_private_key) # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ context.set_cipher_list( b"ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES256:ECDH+AES128:!aNULL:!SHA1:!AESCCM" )
def main(): port = socket() port.bind(('', 0)) port.listen(5) client = socket() client.setblocking(False) client.connect_ex(port.getsockname()) client.setblocking(True) server = port.accept()[0] clientCtx = Context(TLSv1_METHOD) clientCtx.set_cipher_list('ALL:ADH') clientCtx.load_tmp_dh('dhparam.pem') sslClient = Connection(clientCtx, client) sslClient.set_connect_state() serverCtx = Context(TLSv1_METHOD) serverCtx.set_cipher_list('ALL:ADH') serverCtx.load_tmp_dh('dhparam.pem') sslServer = Connection(serverCtx, server) sslServer.set_accept_state() t1 = Thread(target=send, args=(sslClient,)) t2 = Thread(target=send, args=(sslServer,)) t3 = Thread(target=recv, args=(sslClient,)) t4 = Thread(target=recv, args=(sslServer,)) t1.start() t2.start() t3.start() t4.start() t1.join() t2.join() t3.join() t4.join()
def main(): port = socket() port.bind(("", 0)) port.listen(5) client = socket() client.setblocking(False) client.connect_ex(port.getsockname()) client.setblocking(True) server = port.accept()[0] clientCtx = Context(TLSv1_METHOD) clientCtx.set_cipher_list("ALL:ADH") clientCtx.load_tmp_dh("dhparam.pem") sslClient = Connection(clientCtx, client) sslClient.set_connect_state() serverCtx = Context(TLSv1_METHOD) serverCtx.set_cipher_list("ALL:ADH") serverCtx.load_tmp_dh("dhparam.pem") sslServer = Connection(serverCtx, server) sslServer.set_accept_state() t1 = Thread(target=send, args=(sslClient, )) t2 = Thread(target=send, args=(sslServer, )) t3 = Thread(target=recv, args=(sslClient, )) t4 = Thread(target=recv, args=(sslServer, )) t1.start() t2.start() t3.start() t4.start() t1.join() t2.join() t3.join() t4.join()
def cacheContext(self): # Unfortunate code duplication. ctx = SSLContext(self.sslmethod) # Always disable SSLv2/SSLv3 ctx.set_options(OP_NO_SSLv2) ctx.set_options(OP_NO_SSLv3) if self.ciphers is not None: ctx.set_cipher_list(self.ciphers) ctx.set_options(OP_CIPHER_SERVER_PREFERENCE) if self.passwdCallback is not None: ctx.set_passwd_cb(self.passwdCallback) ctx.use_certificate_file(self.certificateFileName) ctx.use_privatekey_file(self.privateKeyFileName) if self.certificateChainFile != "": ctx.use_certificate_chain_file(self.certificateChainFile) self._context = ctx
from socket import socket from OpenSSL.SSL import Connection, Context, SSLv23_METHOD from OpenSSL import _util ssl_context = Context(SSLv23_METHOD) ssl_context.set_cipher_list("ALL:COMPLEMENT") conn = Connection(ssl_context) cipher_ptr = _util.lib.SSL_get_ciphers(conn._ssl) for i in range(_util.lib.sk_SSL_CIPHER_num(cipher_ptr)): cipher = _util.lib.sk_SSL_CIPHER_value(cipher_ptr, i) print _util.ffi.string(_util.lib.SSL_CIPHER_get_name(cipher)) ''' ssl_context.set_timeout(30) ip='113.57.133.147' port=443 s=socket() s.connect((ip,port)) c=Connection(ssl_context,s) c.set_connect_state() print "%s try to handshake" % (ip) c.do_handshake() cert = c.get_peer_certificate() print "issuer: ",cert.get_issuer() print "subject: ",cert.get_subject().get_components() c.shutdown() s.close() '''
def index(): form = ActionForm(request.form, csrf_context=session) if request.method == 'POST' and form.validate( ) and current_user.is_authenticated: comment_value = request.form['comment'] action_value = request.form['action'] user_name = current_user.username user_ip = get_client_ip() action_data = dict(comment=comment_value, action=action_value, user=user_name, ip=user_ip) rx = "" try: print('Creating socket', file=sys.stderr) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) #s.settimeout(10.0) if repeater_listen_psk: ctx = Context(TLSv1_2_METHOD) ctx.set_cipher_list(b'PSK') ctx.set_psk_client_callback(client_callback) s = Connection(ctx, s) print('PSK Context created', file=sys.stderr) print('Connecting:', REPEATER_LISTENER) s.connect(REPEATER_LISTENER) print('Connected') try: hello_msg = s.recv(5) print(f'hello msg: {hello_msg}', file=sys.stderr) except socket.timeout: traceback.print_exc(file=sys.stderr) #send_delay = request.form.get('test_send_delay') or 0 #sleep(int(send_delay)) #if action_value == 'test_send': # msg = comment_value.encode() #else: # msg = json.dumps(action_data).encode() msg = json.dumps(action_data).encode() msg_len = len(msg) print(f'Sending {msg_len}b message: {msg}', file=sys.stderr) s.send(msg) #recv_delay = request.form.get('test_recv_delay') or 0 #sleep(int(recv_delay)) try: rx = s.recv(2) except ConnectionResetError: traceback.print_exc(file=sys.stderr) pass s.close() if len(rx) > 0: action_data['submitted'] = True action_data['submit_result'] = "Server reply: " + rx.decode() else: action_data['submitted'] = True action_data['submit_result'] = '<Unknown - no reply>' except Exception as e: traceback.print_exc(file=sys.stderr) action_data['submitted'] = False action_data[ 'submit_result'] = 'Unexpected error while sending: ' + str(e) ev = LogEvent.from_action(action_data, current_user) db.session.add(ev) db.session.commit() else: action_data = None connections = '' logs = [] if current_user.is_authenticated: if os.path.exists(LISTENER_FILE): with open(LISTENER_FILE) as f: connections = f.read() else: connections = 'No file' logs = LogEvent.query.order_by(LogEvent.ts.desc()).limit(10).all() return render_template("index.html", actions=REPEATER_ACTIONS, form=form, connections=connections, logs=logs, action=action_data)