def cacheContext(self):
# Unfortunate code duplication.
ctx = SSLContext(self.sslmethod)
# Always disable SSLv2/SSLv3/Compression
ctx.set_options(OP_NO_SSLv2)
ctx.set_options(OP_NO_SSLv3)
ctx.set_options(_OP_NO_COMPRESSION)
if self.ciphers is not None:
ctx.set_cipher_list(self.ciphers)
ctx.set_options(OP_CIPHER_SERVER_PREFERENCE)
if self.passwdCallback is not None:
ctx.set_passwd_cb(self.passwdCallback)
if self.keychainIdentity and hasattr(ctx, "use_keychain_identity"):
ctx.use_keychain_identity(self.keychainIdentity)
else:
if self.certificateFileName:
ctx.use_certificate_file(self.certificateFileName)
if self.privateKeyFileName:
ctx.use_privatekey_file(self.privateKeyFileName)
if self.certificateChainFile:
ctx.use_certificate_chain_file(self.certificateChainFile)
verifyFlags = VERIFY_NONE
if self.verifyClient:
verifyFlags = VERIFY_PEER
if self.requireClientCertificate:
verifyFlags |= VERIFY_FAIL_IF_NO_PEER_CERT
if self.verifyClientOnce:
verifyFlags |= VERIFY_CLIENT_ONCE
if self.clientCACertFileNames:
store = ctx.get_cert_store()
for cert in self.clientCACertFileNames:
with open(cert) as f:
certpem = f.read()
cert = Certificate.loadPEM(certpem)
store.add_cert(cert.original)
if self.sendCAsToClient:
ctx.add_client_ca(cert.original)
# When a client certificate is used we also need to set a session context id
# to avoid openssl SSL_F_SSL_GET_PREV_SESSION,SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED
# errors
ctx.set_session_id(str(uuid.uuid4()).replace("-", ""))
# It'd be nice if pyOpenSSL let us pass None here for this behavior (as
# the underlying OpenSSL API call allows NULL to be passed). It
# doesn't, so we'll supply a function which does the same thing.
def _verifyCallback(conn, cert, errno, depth, preverify_ok):
return preverify_ok
ctx.set_verify(verifyFlags, _verifyCallback)
if self.verifyClientDepth is not None:
ctx.set_verify_depth(self.verifyClientDepth)
self._context = ctx
def __init__(self, HOST='130.236.216.131', PORT = 443):
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
context = Context(TLSv1_METHOD)
context.use_certificate_file((self.certpath))
context.use_privatekey_file(self.keypath)
context.set_timeout(2)
conn = Connection(context,s)
conn.bind((HOST,PORT))
print 'Server is listening...'
conn.listen(5)
# self.client_table is a dictionary of clients
# where key = unique id and value = socket
self.client_table = {}
self.id_counter = 0
self.in_q = Queue.Queue()
self.out_q = Queue.Queue()
threading.Thread(target=self.sendinput).start()
threading.Thread(target=self.in_processor).start()
threading.Thread(target=self.out_processor).start()
try:
while True:
# Waiting for new client to accept, sslsocket is the socket that will be used for communication with this client after a client sets up a connection with the server
sslsocket, addr = conn.accept()
self.client_table[self.id_counter] = sslsocket
self.id_counter = self.id_counter + 1
threading.Thread(target=self.client_handler,args=(self.id_counter-1,)).start()
except KeyboardInterrupt:
for key, value in self.client_table.iteritems():
value.shutdown()
value.close()
sys.exit(0)
def test_set_passwd_cb(self):
"""
L{Context.set_passwd_cb} accepts a callable which will be invoked when
a private key is loaded from an encrypted PEM.
"""
key = PKey()
key.generate_key(TYPE_RSA, 128)
pemFile = self.mktemp()
fObj = file(pemFile, 'w')
passphrase = "foobar"
fObj.write(dump_privatekey(FILETYPE_PEM, key, "blowfish", passphrase))
fObj.close()
calledWith = []
def passphraseCallback(maxlen, verify, extra):
calledWith.append((maxlen, verify, extra))
return passphrase
context = Context(TLSv1_METHOD)
context.set_passwd_cb(passphraseCallback)
context.use_privatekey_file(pemFile)
self.assertTrue(len(calledWith), 1)
self.assertTrue(isinstance(calledWith[0][0], int))
self.assertTrue(isinstance(calledWith[0][1], int))
self.assertEqual(calledWith[0][2], None)
def send_request(
host,
port,
endpoint,
method,
token,
data=None,
cert=None,
key=None,
ca_cert=None,
check_ocsp=True,
):
def callback(conn, encoded_ocsp, data):
ocsp_resp = load_der_ocsp_response(encoded_ocsp)
return ocsp_resp.response_status == OCSPResponseStatus.SUCCESSFUL and ocsp_resp.certificate_status == OCSPCertStatus.GOOD
context = Context(TLSv1_2_METHOD)
context.load_client_ca(bytes(ca_cert, encoding="utf8"))
context.use_certificate_file(cert)
context.use_privatekey_file(key)
context.set_ocsp_client_callback(callback)
conn = Connection(context, socket.socket(socket.AF_INET,
socket.SOCK_STREAM))
conn.connect((host, port))
if check_ocsp:
conn.request_ocsp()
conn.send(
bytes(
f"{method} {endpoint} HTTP/1.1\nHost: {host}:{port}\n" +
f"Content-Type: text/plain\norigin: https://{host}:{port}\nToken: {token}\nContent-Length: {len(data)}\n\n{data}",
encoding="utf8"))
response = conn.read(2048)
conn.close()
def go():
def cb(a, b, c):
print count.next()
return "foobar"
c = Context(TLSv1_METHOD)
c.set_passwd_cb(cb)
while 1:
c.use_privatekey_file('pkey.pem')
def go():
def cb(a, b, c):
print count.next()
return "foobar"
c = Context(TLSv1_METHOD)
c.set_passwd_cb(cb)
while 1:
c.use_privatekey_file('pkey.pem')
def _gotcert(self, result, origconnection, origport):
self.certinfo = result
log.msg("conneccting to", origconnection.get_servername(), origport)
new_context = Context(self.convert_version2method(origconnection.get_protocol_version_name()))
new_context.use_privatekey_file(self.certinfo['key'])
new_context.use_certificate_file(self.certinfo['cert'])
origconnection.set_context(new_context)
def __init__(self, server_address, HandlerClass, bind_and_activate=True):
socketserver.TCPServer.__init__(self, server_address, HandlerClass)
ctx = Context(TLSv1_2_METHOD)
ctx.use_privatekey_file (settings.ssl_key_path)
ctx.use_certificate_file(settings.ssl_cert_path)
# only allow clients with cert:
ctx.set_verify(VERIFY_PEER | VERIFY_CLIENT_ONCE | VERIFY_FAIL_IF_NO_PEER_CERT, self._accept)
#ctx.set_verify(VERIFY_PEER | VERIFY_CLIENT_ONCE, self._accept)
self.socket = Connection(ctx, socket.socket(self.address_family, self.socket_type))
if bind_and_activate:
self.server_bind()
self.server_activate()
def __call__(self,connection):
try:
servername = re.sub('^[^.]*\.(?=\w+\.\w+$)','',connection.get_servername())
key,cert = self.certificates[servername]
except KeyError as e:
print e
except Exception as e:
print e
new_context = Context(TLSv1_METHOD)
new_context.use_privatekey_file(key)
new_context.use_certificate_file(cert)
connection.set_context(new_context)
def getContext(self):
"""Create an SSL context.
This is a sample implementation that loads a certificate from a file
called 'server.pem'."""
ctx = SSL_Context(SSLv23_METHOD)
ctx.use_certificate_file(self.certificateFileName)
ctx.use_privatekey_file(self.privateKeyFileName)
ctx.load_client_ca(self.certificateChainFile)
ctx.load_verify_locations(self.certificateChainFile)
ctx.set_verify(VERIFY_PEER|VERIFY_FAIL_IF_NO_PEER_CERT,
self._verify)
ctx.set_verify_depth(10)
return ctx
def main():
cert = "/etc/ssl/ihc/crt"
key = "/etc/ssl/ihc/key"
httpserver = webserver.Site(HTTPServer())
context = Context(TLSv1_METHOD)
context.use_certificate_chain_file(cert)
context.use_privatekey_file(key)
reactor.listenSSL(HTTP_PORT,
httpserver,
ContextFactory(context),
interface='192.168.102.130')
reactor.run()
def main():
resolver = DNSResolver()
factory = server.DNSServerFactory(clients=[resolver])
protocol = dns.DNSDatagramProtocol(controller=factory)
httpserver = webserver.Site(HTTPServer(resolver))
context = Context(TLSv1_METHOD)
context.use_certificate_chain_file(SERVER_CONFIG["ssl_crt"])
context.use_privatekey_file(SERVER_CONFIG["ssl_key"])
reactor.listenUDP(SERVER_CONFIG["dns_port"], protocol)
reactor.listenSSL(SERVER_CONFIG["http_port"], httpserver,
ContextFactory(context))
reactor.run()
def __init__(self, server_address, HandlerClass, bind_and_activate=True):
socketserver.TCPServer.__init__(self, server_address, HandlerClass)
ctx = Context(TLSv1_2_METHOD)
ctx.use_privatekey_file(settings.ssl_key_path)
ctx.use_certificate_file(settings.ssl_cert_path)
# only allow clients with cert:
ctx.set_verify(
VERIFY_PEER | VERIFY_CLIENT_ONCE | VERIFY_FAIL_IF_NO_PEER_CERT,
self._accept)
#ctx.set_verify(VERIFY_PEER | VERIFY_CLIENT_ONCE, self._accept)
self.socket = Connection(
ctx, socket.socket(self.address_family, self.socket_type))
if bind_and_activate:
self.server_bind()
self.server_activate()
def getContext(self):
ctx = Context(TLSv1_METHOD)
store = ctx.get_cert_store()
data = open("ssl-keys/ca.crt").read()
x509 = load_certificate(FILETYPE_PEM, data)
store.add_cert(x509)
ctx.use_privatekey_file('ssl-keys/server.key.insecure', FILETYPE_PEM)
ctx.use_certificate_file('ssl-keys/server.crt', FILETYPE_PEM)
# throws an error if private and public key not match
ctx.check_privatekey()
ctx.set_verify(VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT, self.verifyHostname)
ctx.set_options(OP_NO_SSLv3)
return ctx
def cacheContext(self):
# Unfortunate code duplication.
ctx = SSLContext(self.sslmethod)
if self.ciphers is not None:
ctx.set_cipher_list(self.ciphers)
if self.passwdCallback is not None:
ctx.set_passwd_cb(self.passwdCallback)
ctx.use_certificate_file(self.certificateFileName)
ctx.use_privatekey_file(self.privateKeyFileName)
if self.certificateChainFile != "":
ctx.use_certificate_chain_file(self.certificateChainFile)
self._context = ctx
def getContext(self):
ctx = Context(TLSv1_METHOD)
store = ctx.get_cert_store()
data = open("ssl-keys/ca.crt").read()
x509 = load_certificate(FILETYPE_PEM, data)
store.add_cert(x509)
ctx.use_privatekey_file('ssl-keys/server.key.insecure', FILETYPE_PEM)
ctx.use_certificate_file('ssl-keys/server.crt', FILETYPE_PEM)
# throws an error if private and public key not match
ctx.check_privatekey()
ctx.set_verify(VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT,
self.verifyHostname)
ctx.set_options(OP_NO_SSLv3)
return ctx
def getContext(self):
"""Creates a context.
This will make contexts using ``SSLv23_METHOD``. This is
because OpenSSL thought it would be a good idea to have
``TLSv1_METHOD`` mean "only use TLSv1.0" -- specifically, it
disables TLSv1.2. Since we don't want to use SSLv2 and v3, we
set OP_NO_SSLv2|OP_NO_SSLv3. Additionally, we set
OP_SINGLE_DH_USE.
"""
ctx = Context(SSLv23_METHOD)
ctx.use_certificate_file("cert.pem")
ctx.use_privatekey_file("key.pem")
ctx.load_tmp_dh("dhparam.pem")
ctx.set_options(OP_SINGLE_DH_USE|OP_NO_SSLv2|OP_NO_SSLv3)
ctx.set_verify(VERIFY_PEER, self._verify)
return ctx
def cacheContext(self):
# Unfortunate code duplication.
ctx = SSLContext(self.sslmethod)
# Always disable SSLv2/SSLv3
ctx.set_options(OP_NO_SSLv2)
ctx.set_options(OP_NO_SSLv3)
if self.ciphers is not None:
ctx.set_cipher_list(self.ciphers)
ctx.set_options(OP_CIPHER_SERVER_PREFERENCE)
if self.passwdCallback is not None:
ctx.set_passwd_cb(self.passwdCallback)
ctx.use_certificate_file(self.certificateFileName)
ctx.use_privatekey_file(self.privateKeyFileName)
if self.certificateChainFile != "":
ctx.use_certificate_chain_file(self.certificateChainFile)
self._context = ctx
def test_set_passwd_cb(self):
"""
L{Context.set_passwd_cb} accepts a callable which will be invoked when
a private key is loaded from an encrypted PEM.
"""
key = PKey()
key.generate_key(TYPE_RSA, 128)
pemFile = self.mktemp()
fObj = file(pemFile, 'w')
passphrase = "foobar"
fObj.write(dump_privatekey(FILETYPE_PEM, key, "blowfish", passphrase))
fObj.close()
calledWith = []
def passphraseCallback(maxlen, verify, extra):
calledWith.append((maxlen, verify, extra))
return passphrase
context = Context(TLSv1_METHOD)
context.set_passwd_cb(passphraseCallback)
context.use_privatekey_file(pemFile)
self.assertTrue(len(calledWith), 1)
self.assertTrue(isinstance(calledWith[0][0], int))
self.assertTrue(isinstance(calledWith[0][1], int))
self.assertEqual(calledWith[0][2], None)
def Sockets(addresses, **args):
ssl_private_key = args.get('ssl_private_key', args.get('key_file' ))
ssl_certificate = args.get('ssl_certificate', args.get('cert_file'))
ssl = ssl_certificate and ssl_private_key
if ssl:
if not SSL:
raise ImportError('you must install pyOpenSSL to use https')
ctx = SSLContext(SSLv23_METHOD)
ctx.use_privatekey_file(ssl_private_key)
ctx.use_certificate_file(ssl_certificate)
cert = load_certificate(FILETYPE_PEM, open(ssl_certificate, 'rb').read())
base_environ = dict(HTTPS='on', SSL_SERVER_M_SERIAL = cert.get_serial_number(),
SSL_SERVER_M_VERSION = cert.get_version())
for prefix, dn in [("I", cert.get_issuer()), ("S", cert.get_subject())]:
dnstr = str(dn)[18:-2]
wsgikey = 'SSL_SERVER_%s_DN' %prefix
base_environ[wsgikey] = dnstr
while dnstr:
pos = dnstr.rfind('=')
dnstr, value = dnstr[:pos], dnstr[pos + 1:]
pos = dnstr.rfind('/')
dnstr, key = dnstr[:pos], dnstr[pos + 1:]
if key and value:
wsgikey = 'SSL_SERVER_%s_DN_%s' % (prefix, key)
base_environ[wsgikey] = value
socket_func = lambda family, socktype: \
SSL(SSLConnection(ctx, Socket(family, socktype)))
fromfd_func = lambda fileno, family, socktype: \
SSL(SSLConnection(ctx, fromfd(fileno, family, socktype)))
else:
fromfd_func, socket_func, base_environ = fromfd, Socket, {}
if isinstance(addresses, basestring):
addresses, addrs = [], [i for i in str(addresses).split(',') if i.strip()]
for addr in addrs:
is_ipv6 = R_IPV6(addr)
if is_ipv6:
addresses.append((AF_INET6, is_ipv6.groups()))
continue
seq = [i.strip() for i in addr.split(':')]
if len(seq) == 2:
if seq[0].lower() in ('fromfd', 'fileno'):
addresses.append((AF_INET, int(seq[1])))
continue
addresses.append((AF_INET, seq))
continue
if len(seq) == 3 and seq[0].lower() in ('fromfd', 'fileno'):
family = seq[1].lower()
if family in ('inet', 'af_inet', 'ipv4'):
addresses.append((AF_INET, int(seq[2])))
continue
elif family in ('inet6', 'af_inet6', 'ipv6', '6'):
addresses.append((AF_INET, int(seq[2])))
continue
elif family in ('unix', 'af_unix', 's', 'socket',
'unix_socket', 'unixsocket', 'unixsock'):
addresses.append((_socket.AF_UNIX, int(seq[2])))
continue
addresses.append((_socket.AF_UNIX, addr.strip()))
else:
addresses, addrs = [], addresses
for addr in addrs:
if isinstance(addr, (int, long)):
addresses.append((AF_INET, addr))
continue
if isinstance(addr, (list, tuple)) and len(addr) == 2:
if isinstance(addr[0], (int, long)):
address.append(addr)
continue
if isinstance(addr[0], basestring):
addresses.append((AF_INET6, addr) if ':' in addr[0] \
else (AF_INET , addr))
continue
if isinstance(addr, basestring):
addresses.append((_socket.AF_UNIX, addr))
continue
raise ValueError('bad address %r' %addr)
sockets = []
for family, addr in addresses:
if isinstance(addr, (int, long)):
sock = fromfd_func(addr, family, SOCK_STREAM)
sock.setblocking(0)
environ = dict(SERVER_NAME='fileno:%d' %addr, SERVER_PORT='')
environ.update(base_environ)
sockets.append((sock, environ))
continue
if family == AF_UNIX:
sock = socket_func(_socket.AF_UNIX, SOCK_STREAM)
sock.setblocking(0)
try:
sock.bind(addr)
except SocketError, address_already_in_use:
if address_already_in_use.args[0] != 98:
raise
ping = socket_func(_socket.AF_UNIX, SOCK_STREAM)
try:
ping.connect(addr)
except SocketError, e:
if e.args[0] == 111:
os.unlink(addr)
sock.bind(addr)
else:
ping.close()
raise address_already_in_use
sock.listen(4194304)
environ = dict(SERVER_NAME='s:%s' %addr, SERVER_PORT='')
environ.update(base_environ)
sockets.append((sock, environ))
continue
def Sockets(addresses, **args):
ssl_private_key = args.get('ssl_private_key', args.get('key_file'))
ssl_certificate = args.get('ssl_certificate', args.get('cert_file'))
ssl = ssl_certificate and ssl_private_key
if ssl:
if not SSL:
raise ImportError('you must install pyOpenSSL to use https')
ctx = SSLContext(SSLv23_METHOD)
ctx.use_privatekey_file(ssl_private_key)
ctx.use_certificate_file(ssl_certificate)
cert = load_certificate(FILETYPE_PEM,
open(ssl_certificate, 'rb').read())
base_environ = dict(HTTPS='on',
SSL_SERVER_M_SERIAL=cert.get_serial_number(),
SSL_SERVER_M_VERSION=cert.get_version())
for prefix, dn in [("I", cert.get_issuer()),
("S", cert.get_subject())]:
dnstr = str(dn)[18:-2]
wsgikey = 'SSL_SERVER_%s_DN' % prefix
base_environ[wsgikey] = dnstr
while dnstr:
pos = dnstr.rfind('=')
dnstr, value = dnstr[:pos], dnstr[pos + 1:]
pos = dnstr.rfind('/')
dnstr, key = dnstr[:pos], dnstr[pos + 1:]
if key and value:
wsgikey = 'SSL_SERVER_%s_DN_%s' % (prefix, key)
base_environ[wsgikey] = value
socket_func = lambda family, socktype: \
SSL(SSLConnection(ctx, Socket(family, socktype)))
fromfd_func = lambda fileno, family, socktype: \
SSL(SSLConnection(ctx, fromfd(fileno, family, socktype)))
else:
fromfd_func, socket_func, base_environ = fromfd, Socket, {}
if isinstance(addresses, basestring):
addresses, addrs = [], [
i for i in str(addresses).split(',') if i.strip()
]
for addr in addrs:
is_ipv6 = R_IPV6(addr)
if is_ipv6:
addresses.append((AF_INET6, is_ipv6.groups()))
continue
seq = [i.strip() for i in addr.split(':')]
if len(seq) == 2:
if seq[0].lower() in ('fromfd', 'fileno'):
addresses.append((AF_INET, int(seq[1])))
continue
addresses.append((AF_INET, seq))
continue
if len(seq) == 3 and seq[0].lower() in ('fromfd', 'fileno'):
family = seq[1].lower()
if family in ('inet', 'af_inet', 'ipv4'):
addresses.append((AF_INET, int(seq[2])))
continue
elif family in ('inet6', 'af_inet6', 'ipv6', '6'):
addresses.append((AF_INET, int(seq[2])))
continue
elif family in ('unix', 'af_unix', 's', 'socket',
'unix_socket', 'unixsocket', 'unixsock'):
addresses.append((_socket.AF_UNIX, int(seq[2])))
continue
addresses.append((_socket.AF_UNIX, addr.strip()))
else:
addresses, addrs = [], addresses
for addr in addrs:
if isinstance(addr, (int, long)):
addresses.append((AF_INET, addr))
continue
if isinstance(addr, (list, tuple)) and len(addr) == 2:
if isinstance(addr[0], (int, long)):
address.append(addr)
continue
if isinstance(addr[0], basestring):
addresses.append((AF_INET6, addr) if ':' in addr[0] \
else (AF_INET , addr))
continue
if isinstance(addr, basestring):
addresses.append((_socket.AF_UNIX, addr))
continue
raise ValueError('bad address %r' % addr)
sockets = []
for family, addr in addresses:
if isinstance(addr, (int, long)):
sock = fromfd_func(addr, family, SOCK_STREAM)
sock.setblocking(0)
environ = dict(SERVER_NAME='fileno:%d' % addr, SERVER_PORT='')
environ.update(base_environ)
sockets.append((sock, environ))
continue
if family == AF_UNIX:
sock = socket_func(_socket.AF_UNIX, SOCK_STREAM)
sock.setblocking(0)
try:
sock.bind(addr)
except SocketError, address_already_in_use:
if address_already_in_use.args[0] != 98:
raise
ping = socket_func(_socket.AF_UNIX, SOCK_STREAM)
try:
ping.connect(addr)
except SocketError, e:
if e.args[0] == 111:
os.unlink(addr)
sock.bind(addr)
else:
ping.close()
raise address_already_in_use
sock.listen(4194304)
environ = dict(SERVER_NAME='s:%s' % addr, SERVER_PORT='')
environ.update(base_environ)
sockets.append((sock, environ))
continue
