from ssl import SSLContext, PROTOCOL_TLSv1_2 , CERT_REQUIRED from cassandra.auth import PlainTextAuthProvider from cassandra.cluster import Cluster, ExecutionProfile, EXEC_PROFILE_DEFAULT, ConsistencyLevel from google.transit import gtfs_realtime_pb2 import requests from zipfile import ZipFile from io import BytesIO import os def lambda_handler(event, context): username = os.environ['CASSANDRA_USER'] password = os.environ['CASSANDRA_PWD'] response = requests.get('https://romamobilita.it/sites/default/files/rome_static_gtfs.zip').content zipfile = ZipFile(BytesIO(response)) ssl_context = SSLContext(PROTOCOL_TLSv1_2 ) auth_provider = PlainTextAuthProvider(username=username, password=password) cluster = Cluster(['cassandra.us-east-1.amazonaws.com'], ssl_context=ssl_context, auth_provider=auth_provider, port=9142) session = cluster.connect() stmt = session.prepare("INSERT INTO static_files.lines_correspondence (route_id, actual_line_name) VALUES (?, ?)") execution_profile = session.execution_profile_clone_update(session.get_execution_profile(EXEC_PROFILE_DEFAULT)) execution_profile.consistency_level = ConsistencyLevel.LOCAL_QUORUM with zipfile.open('routes.txt', 'r') as myfile: #print(myfile.read()) content = myfile.readlines() for elem in content: elemList=elem.decode().split(sep=',') elemList[2] = elemList[2].replace('"','') session.execute(stmt, (elemList[0],elemList[2]), execution_profile=execution_profile)
def main(): import argparse ap = argparse.ArgumentParser() ap.add_argument('-d', '--algod', default=None, help='algorand data dir') ap.add_argument('--algod-net', default=None, help='algod host:port') ap.add_argument('--algod-token', default=None, help='algod token') ap.add_argument('--genesis', default=None, help='path to genesis.json') ap.add_argument('--limit', default=None, type=int, help='debug limit number of accoutns to dump') ap.add_argument('--indexer', default=None, help='URL to indexer to fetch from') ap.add_argument('--indexer-token', default=None, help='indexer API token') ap.add_argument('--asset', default=None, help='filter on accounts possessing asset id') ap.add_argument('--mismatches', default=10, type=int, help='max number of mismatches to show details on (0 for no limit)') ap.add_argument('-q', '--quiet', default=False, action='store_true') ap.add_argument('--verbose', default=False, action='store_true') ap.add_argument('--accounts', help='comma separated list of accounts to test') ap.add_argument('--ssl-no-validate', default=False, action='store_true') ap.add_argument('--threads', default=4, type=int, help='number of request-compare threads to run') ap.add_argument('--gtaddr', default=None, help='fetch accounts after this addr') ap.add_argument('--shard', default=None, help='a/b for a in [1..b]') args = ap.parse_args() if args.verbose: logging.basicConfig(level=logging.DEBUG) else: logging.basicConfig(level=logging.INFO) if not args.indexer: logger.error("need --indexer to specify root url of indexer api") return 1 if (not args.algod) and ((not args.algod_net) or (not args.algod_token)): logger.error("need --algod datadir or --algod-net and --algod-token") return 1 if args.ssl_no_validate: global ssl_no_validate ssl_no_validate = SSLContext() # empty context doesn't validate; use for self-signed certs if args.gtaddr and args.shard: logger.error('--gtaddr and --shard are incompatible') return 1 out = sys.stdout err = sys.stderr i2a_checker = check_from_algod(args) retval = 0 i2a_checker.summary() mismatches = i2a_checker.mismatches if args.mismatches and len(mismatches) > args.mismatches: mismatches = mismatches[:args.mismatches] for addr, msg in mismatches: niceaddr = algosdk.encoding.encode_address(addr) if addr in (reward_addr, fee_addr): logger.debug('skip %s', niceaddr) # we know accounting for the special addrs is different continue retval = 1 xaddr = base64.b16encode(addr).decode().lower() err.write('\n{} \'\\x{}\'\n\t{}\n'.format(niceaddr, xaddr, msg)) tcount = 0 tmore = 0 for txn in indexerAccountTxns(args.indexer, addr, limit=30, token=args.indexer_token): if tcount > 10: tmore += 1 continue tcount += 1 sender = txn.pop('sender') cround = txn.pop('confirmed-round') intra = txn.pop('intra-round-offset') parts = ['{}:{}'.format(cround, intra), 's={}'.format(sender)] pay = txn.get('payment-transaction', None) if pay: receiver = pay.pop('receiver', None) closeto = pay.pop('close-remainder-to', None) else: receiver = None closeto = None axfer = txn.get('asset-transfer-transaction', None) if axfer is not None: asnd = axfer.pop('sender', None) arcv = axfer.pop('receiver', None) aclose = axfer.pop('close-to', None) else: asnd = None arcv = None aclose = None if asnd: parts.append('as={}'.format(asnd)) if receiver: parts.append('r={}'.format(receiver)) if closeto: parts.append('c={}'.format(closeto)) if arcv: parts.append('ar={}'.format(arcv)) if aclose: parts.append('ac={}'.format(aclose)) # everything else parts.append(json.dumps(txn)) err.write(' '.join(parts) + '\n') if tmore: err.write('... and {} more\n'.format(tmore)) if retval == 0: logger.info('validate_accounting OK') return retval
def create_urllib3_context(ssl_version=None, cert_reqs=None, options=None, ciphers=None): """All arguments have the same meaning as ``ssl_wrap_socket``. By default, this function does a lot of the same work that ``ssl.create_default_context`` does on Python 3.4+. It: - Disables SSLv2, SSLv3, and compression - Sets a restricted set of server ciphers If you wish to enable SSLv3, you can do:: from urllib3.util import ssl_ context = ssl_.create_urllib3_context() context.options &= ~ssl_.OP_NO_SSLv3 You can do the same to enable compression (substituting ``COMPRESSION`` for ``SSLv3`` in the last line above). :param ssl_version: The desired protocol version to use. This will default to PROTOCOL_SSLv23 which will negotiate the highest protocol that both the server and your installation of OpenSSL support. :param cert_reqs: Whether to require the certificate verification. This defaults to ``ssl.CERT_REQUIRED``. :param options: Specific OpenSSL options. These default to ``ssl.OP_NO_SSLv2``, ``ssl.OP_NO_SSLv3``, ``ssl.OP_NO_COMPRESSION``. :param ciphers: Which cipher suites to allow the server to select. :returns: Constructed SSLContext object with specified options :rtype: SSLContext """ context = SSLContext(ssl_version or PROTOCOL_TLS) context.set_ciphers(ciphers or DEFAULT_CIPHERS) # Setting the default here, as we may have no ssl module on import cert_reqs = ssl.CERT_REQUIRED if cert_reqs is None else cert_reqs if options is None: options = 0 # SSLv2 is easily broken and is considered harmful and dangerous options |= OP_NO_SSLv2 # SSLv3 has several problems and is now dangerous options |= OP_NO_SSLv3 # Disable compression to prevent CRIME attacks for OpenSSL 1.0+ # (issue #309) options |= OP_NO_COMPRESSION context.options |= options context.verify_mode = cert_reqs if getattr(context, 'check_hostname', None) is not None: # Platform-specific: Python 3.2 # We do our own verification, including fingerprints and alternative # hostnames. So disable it here context.check_hostname = False return context
def open_url(url, data=None, headers=None, method=None, use_proxy=True, force=False, last_mod_time=None, timeout=10, validate_certs=True, url_username=None, url_password=None, http_agent=None, force_basic_auth=False, follow_redirects='urllib2'): ''' Fetches a file from an HTTP/FTP server using urllib2 ''' handlers = [] ssl_handler = maybe_add_ssl_handler(url, validate_certs) if ssl_handler: handlers.append(ssl_handler) # FIXME: change the following to use the generic_urlparse function # to remove the indexed references for 'parsed' parsed = urlparse.urlparse(url) if parsed[0] != 'ftp': username = url_username if headers is None: headers = {} if username: password = url_password netloc = parsed[1] elif '@' in parsed[1]: credentials, netloc = parsed[1].split('@', 1) if ':' in credentials: username, password = credentials.split(':', 1) else: username = credentials password = '' parsed = list(parsed) parsed[1] = netloc # reconstruct url without credentials url = urlparse.urlunparse(parsed) if username and not force_basic_auth: passman = urllib2.HTTPPasswordMgrWithDefaultRealm() # this creates a password manager passman.add_password(None, netloc, username, password) # because we have put None at the start it will always # use this username/password combination for urls # for which `theurl` is a super-url authhandler = urllib2.HTTPBasicAuthHandler(passman) # create the AuthHandler handlers.append(authhandler) elif username and force_basic_auth: headers["Authorization"] = basic_auth_header(username, password) else: try: rc = netrc.netrc(os.environ.get('NETRC')) login = rc.authenticators(parsed[1]) except IOError: login = None if login: username, _, password = login if username and password: headers["Authorization"] = basic_auth_header( username, password) if not use_proxy: proxyhandler = urllib2.ProxyHandler({}) handlers.append(proxyhandler) # pre-2.6 versions of python cannot use the custom https # handler, since the socket class is lacking create_connection. # Some python builds lack HTTPS support. if hasattr(socket, 'create_connection') and CustomHTTPSHandler: handlers.append(CustomHTTPSHandler) handlers.append(RedirectHandlerFactory(follow_redirects, validate_certs)) opener = urllib2.build_opener(*handlers) urllib2.install_opener(opener) if method: if method.upper() not in ('OPTIONS', 'GET', 'HEAD', 'POST', 'PUT', 'DELETE', 'TRACE', 'CONNECT', 'PATCH'): raise ConnectionError('invalid HTTP request method; %s' % method.upper()) request = RequestWithMethod(url, method.upper(), data) else: request = urllib2.Request(url, data) # add the custom agent header, to help prevent issues # with sites that block the default urllib agent string request.add_header('User-agent', http_agent) # if we're ok with getting a 304, set the timestamp in the # header, otherwise make sure we don't get a cached copy if last_mod_time and not force: tstamp = last_mod_time.strftime('%a, %d %b %Y %H:%M:%S +0000') request.add_header('If-Modified-Since', tstamp) else: request.add_header('cache-control', 'no-cache') # user defined headers now, which may override things we've set above if headers: if not isinstance(headers, dict): raise ValueError("headers provided to fetch_url() must be a dict") for header in headers: request.add_header(header, headers[header]) urlopen_args = [request, None] if sys.version_info >= (2, 6, 0): # urlopen in python prior to 2.6.0 did not # have a timeout parameter urlopen_args.append(timeout) if HAS_SSLCONTEXT and not validate_certs: # In 2.7.9, the default context validates certificates context = SSLContext(ssl.PROTOCOL_SSLv23) context.options |= ssl.OP_NO_SSLv2 context.options |= ssl.OP_NO_SSLv3 context.verify_mode = ssl.CERT_NONE context.check_hostname = False urlopen_args += (None, None, None, context) r = urllib2.urlopen(*urlopen_args) return r
def create_urllib3_context(ssl_version=None, cert_reqs=None, options=None, ciphers=None): """All arguments have the same meaning as ``ssl_wrap_socket``. By default, this function does a lot of the same work that ``ssl.create_default_context`` does on Python 3.4+. It: - Disables SSLv2, SSLv3, and compression - Sets a restricted set of server ciphers If you wish to enable SSLv3, you can do:: from urllib3.util import ssl_ context = ssl_.create_urllib3_context() context.options &= ~ssl_.OP_NO_SSLv3 You can do the same to enable compression (substituting ``COMPRESSION`` for ``SSLv3`` in the last line above). :param ssl_version: The desired protocol version to use. This will default to PROTOCOL_SSLv23 which will negotiate the highest protocol that both the server and your installation of OpenSSL support. :param cert_reqs: Whether to require the certificate verification. This defaults to ``ssl.CERT_REQUIRED``. :param options: Specific OpenSSL options. These default to ``ssl.OP_NO_SSLv2``, ``ssl.OP_NO_SSLv3``, ``ssl.OP_NO_COMPRESSION``, and ``ssl.OP_NO_TICKET``. :param ciphers: Which cipher suites to allow the server to select. Defaults to either system configured ciphers if OpenSSL 1.1.1+, otherwise uses a secure default set of ciphers. :returns: Constructed SSLContext object with specified options :rtype: SSLContext """ context = SSLContext(ssl_version or PROTOCOL_TLS) # Unless we're given ciphers defer to either system ciphers in # the case of OpenSSL 1.1.1+ or use our own secure default ciphers. if ciphers is not None or not USE_DEFAULT_SSLCONTEXT_CIPHERS: context.set_ciphers(ciphers or DEFAULT_CIPHERS) # Setting the default here, as we may have no ssl module on import cert_reqs = ssl.CERT_REQUIRED if cert_reqs is None else cert_reqs if options is None: options = 0 # SSLv2 is easily broken and is considered harmful and dangerous options |= OP_NO_SSLv2 # SSLv3 has several problems and is now dangerous options |= OP_NO_SSLv3 # Disable compression to prevent CRIME attacks for OpenSSL 1.0+ # (issue #309) options |= OP_NO_COMPRESSION # TLSv1.2 only. Unless set explicitly, do not request tickets. # This may save some bandwidth on wire, and although the ticket is encrypted, # there is a risk associated with it being on wire, # if the server is not rotating its ticketing keys properly. options |= OP_NO_TICKET context.options |= options # Enable post-handshake authentication for TLS 1.3, see GH #1634. PHA is # necessary for conditional client cert authentication with TLS 1.3. # The attribute is None for OpenSSL <= 1.1.0 or does not exist in older # versions of Python. We only enable on Python 3.7.4+ or if certificate # verification is enabled to work around Python issue #37428 # See: https://bugs.python.org/issue37428 if (cert_reqs == ssl.CERT_REQUIRED or sys.version_info >= (3, 7, 4)) and getattr(context, "post_handshake_auth", None) is not None: context.post_handshake_auth = True context.verify_mode = cert_reqs # We do our own verification, including fingerprints and alternative # hostnames. So disable it here context.check_hostname = False # Enable logging of TLS session keys via defacto standard environment variable # 'SSLKEYLOGFILE', if the feature is available (Python 3.8+). Skip empty values. if hasattr(context, "keylog_filename"): sslkeylogfile = os.environ.get("SSLKEYLOGFILE") if sslkeylogfile: context.keylog_filename = sslkeylogfile return context
def create_ssl_context(ssl_version=None, cert_reqs=None, options=None, ciphers=None): """All arguments have the same meaning as ``ssl_wrap_socket``. By default, this function does a lot of the same work that ``ssl.create_default_context`` does on Python 3.4+. It: - Disables SSLv2, SSLv3, and compression - Sets a restricted set of server ciphers If you wish to enable SSLv3, you can do:: from hip.util import ssl_ context = ssl_.create_ssl_context() context.options &= ~ssl_.OP_NO_SSLv3 You can do the same to enable compression (substituting ``COMPRESSION`` for ``SSLv3`` in the last line above). :param ssl_version: The desired protocol version to use. This will default to PROTOCOL_SSLv23 which will negotiate the highest protocol that both the server and your installation of OpenSSL support. :param cert_reqs: Whether to require the certificate verification. This defaults to ``ssl.CERT_REQUIRED``. :param options: Specific OpenSSL options. These default to ``ssl.OP_NO_SSLv2``, ``ssl.OP_NO_SSLv3``, ``ssl.OP_NO_COMPRESSION``. :param ciphers: Which cipher suites to allow the server to select. :returns: Constructed SSLContext object with specified options :rtype: SSLContext """ context = SSLContext(ssl_version or PROTOCOL_TLS) context.set_ciphers(ciphers or DEFAULT_CIPHERS) # Setting the default here, as we may have no ssl module on import cert_reqs = ssl.CERT_REQUIRED if cert_reqs is None else cert_reqs if options is None: options = 0 # SSLv2 is easily broken and is considered harmful and dangerous options |= OP_NO_SSLv2 # SSLv3 has several problems and is now dangerous options |= OP_NO_SSLv3 # Disable compression to prevent CRIME attacks for OpenSSL 1.0+ # (issue #309) options |= OP_NO_COMPRESSION context.options |= options # Enable post-handshake authentication for TLS 1.3, see GH #1634. PHA is # necessary for conditional client cert authentication with TLS 1.3. # The attribute is None for OpenSSL <= 1.1.0 or does not exist in older # versions of Python. We only enable on Python 3.7.4+ or if certificate # verification is enabled to work around Python issue #37428 # See: https://bugs.python.org/issue37428 if (cert_reqs == ssl.CERT_REQUIRED or sys.version_info >= (3, 7, 4)) and getattr( context, "post_handshake_auth", None ) is not None: context.post_handshake_auth = True context.verify_mode = cert_reqs if ( getattr(context, "check_hostname", None) is not None ): # Platform-specific: Python 3.2 # We do our own verification, including fingerprints and alternative # hostnames. So disable it here context.check_hostname = False return context
# Route that will process the file upload @APP.route('/add/send', methods=['POST']) @requires_auth def send(current_user=None): pubkey = request.files['file'] username = request.form['username'] try: req = put(APP.config['CASSH_URL'] + '/client' + auth_url(current_user['name'], password=current_user['password'], \ prefix='?username=%s' % username), data=pubkey, verify=False) except ConnectionError: return Response('Connection error : %s' % APP.config['CASSH_URL']) if 'Error' in req.text: return Response(req.text) return redirect('/status') @APP.errorhandler(404) def page_not_found(_): """ Display error page """ return render_template('404.html'), 404 if __name__ == '__main__': CONTEXT = SSLContext(PROTOCOL_TLSv1_2) CONTEXT.load_cert_chain(APP.config['SSL_PUB_KEY'], APP.config['SSL_PRIV_KEY']) PORT = int(getenv('PORT', 443)) APP.run(debug=True, host='0.0.0.0', port=PORT, ssl_context=CONTEXT)
def main(): # initialize variables used through the main function exitcode = 1 use_proxy = True proxy_protocol = '' proxy_url = '' base_url = '' ini_file = '' extract_path = '' # read configuration file name if supplied as command line argument if len(argv) > 1: cfg_file_name = str(argv[1]) else: cfg_file_name = 'uvlinux_updater.cfg' # try to parse configuration, otherwise use default settings try: config = ConfigParser(interpolation=None) config.read(cfg_file_name) use_proxy = config.getboolean('Config', 'use_proxy') if use_proxy: proxy_protocol = config.get('Config', 'proxy_protocol') proxy_url = config.get('Config', 'proxy_url') base_url = config.get('Config', 'base_url') ini_file = config.get('Config', 'ini_file') extract_path = config.get('Config', 'extract_path') print('Successfully read settings from configfile ' + cfg_file_name) except Exception as e: print(e) print('Failed to read settings from configfile ' + cfg_file_name + '. Using default settings.') use_proxy = True proxy_protocol = 'https' proxy_url = 'http://10.0.14.121:3128' base_url = 'https://update.nai.com/products/commonupdater' ini_file = 'avvdat.ini' extract_path = '/usr/local/uvscan/' pass # set up handler for our http(s) proxy proxy_handler = ur.ProxyHandler() if use_proxy: proxy_handler = ur.ProxyHandler({proxy_protocol: proxy_url}) # set up handler to allow only secure protocols, but do not verify hostname against certificate, as it does not match ('update.nai.com' vs. 'a248.e.akamai.net') ssl_context = SSLContext(PROTOCOL_SSLv23) ssl_context.options |= OP_NO_TLSv1 ssl_context.options |= OP_NO_SSLv3 ssl_context.options |= OP_NO_SSLv2 ssl_context.options |= OP_NO_COMPRESSION ssl_context.check_hostname = False # pull filename of most current archive (e.g. avvdat-8737.dat) & md5 hash from ini file on McAfee Server filename, hash_md5, filepath = getcurrent_filename_and_hash( proxy_handler, ssl_context, base_url + '/' + ini_file) # clean up returned values/types if needed (Python 2 Backport of Python 3 configparser module quirk) if type(filename) is list: filename = str(filename[0]) if type(hash_md5) is list: hash_md5 = str(hash_md5[0]) # check whether getcurrent_filename_and_hash() was successful if filename == '': print("Error, could not get current filename") else: # download current archive (e.g. avvdat-8737.dat) from McAfee Server tmp_file = download_archive(base_url + filepath, filename, proxy_handler, ssl_context) # prepare path archive will be extracted to #dest_dir = path.join(extract_path) # only extract if downloaded and actual md5 matches if md5match(tmp_file, hash_md5): print('MD5 hash matches, extracting ' + str(tmp_file) + ' to ' + extract_path) try: unzip(tmp_file, extract_path) except Exception as e: print(e) pass else: print('Extracted successfully into ' + extract_path) exitcode = 0 else: print('MD5 hash does not match!') # remove downloaded archive in either case print('Removing downloaded archive ' + str(tmp_file)) try: remove(tmp_file) except Exception as e: print(e) return (exitcode)
from ssl import SSLContext, PROTOCOL_SSLv23, CERT_NONE from psphere.client import Client context = SSLContext(PROTOCOL_SSLv23) context.verify_mode = CERT_NONE test_client = Client("192.168.0.14", "root", "password", sslcontext=context) print(test_client.si.CurrentTime()) test_client.logout()
conn_output = "{} {}".format("Number of clients connected : ", connected_clients) print(conn_output) else: conn_output = "can't connect, max number of clients reached" return conn_output #global variables LOCALHOST = "127.0.0.1" PORT = 3443 MAX_CLIENTS = 100 connected_clients = 0 # PROTOCOL_TLS_CLIENT requires valid certificate chain and hostname # SSLContext helps manage settings and certificates which can be inherited by SSL sockets created through SSLContext.wrap_socket() context = SSLContext(PROTOCOL_TLS_SERVER) context.load_cert_chain('certificates/cert.pem', 'certificates/key.pem') #AF_INET means ipv4, as opposed to ipv6 with AF_INET6 #SOCK_STREAM means it will be a TCP socket server = socket(AF_INET, SOCK_STREAM) server.bind((LOCALHOST, PORT)) #listen for incoming connections. We can only handle one connection at a given time, #allows for some sort of a queue. If someone attempts to connect while the queue is full, they will be denied. server.listen(5) tls = context.wrap_socket(server, server_side=True) print("Server started") print("Waiting for client request") lock = threading.Lock() if __name__ == "__main__": conn_params() while True:
daemon_threads = True # much faster rebinding allow_reuse_address = True def handle(self): data = self.request[0] serv = self.request[1] addr = self.client_address transfer(data, addr, serv) if __name__ == "__main__": print('init') ENV['TLS'] = SSLContext(PROTOCOL_TLS) ENV['TLS'].verify_mode = CERT_REQUIRED ENV['TLS'].check_hostname = True ENV['TLS'].load_default_certs() #tlsctx.load_verify_locations(cadata=cadata) # Cloudflare ENV['REMOTE_SERVERS'].append(('1.1.1.1', '1.1.1.1', 853)) ENV['REMOTE_SERVERS'].append(('1.0.0.1', '1.0.0.1', 853)) # Quad9 (Packet Clearing House and IBM) ENV['REMOTE_SERVERS'].append(('dns.quad9.net', '9.9.9.9', 853)) ENV['REMOTE_SERVERS'].append(('dns.quad9.net', '149.112.112.112', 853)) ENV['REMOTE_SERVERS_LENGTH'] = len(ENV['REMOTE_SERVERS']) with ThreadUDPServer((ENV['SERVER_IP'], ENV['SERVER_PORT']),
def get_ssl_context(*args): """Create and return an SSLContext object.""" certfile, keyfile, passphrase, ca_certs, cert_reqs, crlfile = args # Note PROTOCOL_SSLv23 is about the most misleading name imaginable. # This configures the server and client to negotiate the # highest protocol version they both support. A very good thing. ctx = SSLContext(ssl.PROTOCOL_SSLv23) if hasattr(ctx, "options"): # Explicitly disable SSLv2, SSLv3 and TLS compression. Note that # up to date versions of MongoDB 2.4 and above already disable # SSLv2 and SSLv3, python disables SSLv2 by default in >= 2.7.7 # and >= 3.3.4 and SSLv3 in >= 3.4.3. There is no way for us to do # any of this explicitly for python 2.6 or 2.7 before 2.7.9. ctx.options |= getattr(ssl, "OP_NO_SSLv2", 0) ctx.options |= getattr(ssl, "OP_NO_SSLv3", 0) # OpenSSL >= 1.0.0 ctx.options |= getattr(ssl, "OP_NO_COMPRESSION", 0) if certfile is not None: try: if passphrase is not None: vi = sys.version_info # Since python just added a new parameter to an existing method # this seems to be about the best we can do. if (vi[0] == 2 and vi < (2, 7, 9) or vi[0] == 3 and vi < (3, 3)): raise ConfigurationError( "Support for ssl_pem_passphrase requires " "python 2.7.9+ (pypy 2.5.1+) or 3.3+") ctx.load_cert_chain(certfile, keyfile, passphrase) else: ctx.load_cert_chain(certfile, keyfile) except ssl.SSLError as exc: raise ConfigurationError( "Private key doesn't match certificate: %s" % (exc, )) if crlfile is not None: if not hasattr(ctx, "verify_flags"): raise ConfigurationError( "Support for ssl_crlfile requires " "python 2.7.9+ (pypy 2.5.1+) or 3.4+") # Match the server's behavior. ctx.verify_flags = ssl.VERIFY_CRL_CHECK_LEAF ctx.load_verify_locations(crlfile) if ca_certs is not None: ctx.load_verify_locations(ca_certs) elif cert_reqs != ssl.CERT_NONE: # CPython >= 2.7.9 or >= 3.4.0, pypy >= 2.5.1 if hasattr(ctx, "load_default_certs"): ctx.load_default_certs() # Python >= 3.2.0, useless on Windows. elif (sys.platform != "win32" and hasattr(ctx, "set_default_verify_paths")): ctx.set_default_verify_paths() elif sys.platform == "win32" and HAVE_WINCERTSTORE: with _WINCERTSLOCK: if _WINCERTS is None: _load_wincerts() ctx.load_verify_locations(_WINCERTS.name) elif HAVE_CERTIFI: ctx.load_verify_locations(certifi.where()) else: raise ConfigurationError( "`ssl_cert_reqs` is not ssl.CERT_NONE and no system " "CA certificates could be loaded. `ssl_ca_certs` is " "required.") ctx.verify_mode = ssl.CERT_REQUIRED if cert_reqs is None else cert_reqs return ctx
# ------------------ # Only for running this script here import sys from os.path import dirname sys.path.insert(1, f"{dirname(__file__)}/../../..") # ------------------ import logging logging.basicConfig(level=logging.DEBUG) # export SLACK_API_TOKEN=xoxb-*** # python3 integration_tests/samples/readme/proxy.py import os from slack_sdk.web import WebClient from ssl import SSLContext sslcert = SSLContext() # pip3 install proxy.py # proxy --port 9000 --log-level d proxyinfo = "http://localhost:9000" client = WebClient(token=os.environ["SLACK_API_TOKEN"], ssl=sslcert, proxy=proxyinfo) response = client.chat_postMessage(channel="#random", text="Hello World!") print(response)
def get_ssl_context(*args): """Create and return an SSLContext object.""" (certfile, keyfile, passphrase, ca_certs, cert_reqs, crlfile, match_hostname) = args verify_mode = ssl.CERT_REQUIRED if cert_reqs is None else cert_reqs # Note PROTOCOL_SSLv23 is about the most misleading name imaginable. # This configures the server and client to negotiate the # highest protocol version they both support. A very good thing. # PROTOCOL_TLS_CLIENT was added in CPython 3.6, deprecating # PROTOCOL_SSLv23. ctx = SSLContext( getattr(ssl, "PROTOCOL_TLS_CLIENT", ssl.PROTOCOL_SSLv23)) # SSLContext.check_hostname was added in CPython 2.7.9 and 3.4. # PROTOCOL_TLS_CLIENT (added in Python 3.6) enables it by default. if hasattr(ctx, "check_hostname"): if _PY37PLUS and verify_mode != ssl.CERT_NONE: # Python 3.7 uses OpenSSL's hostname matching implementation # making it the obvious version to start using this with. # Python 3.6 might have been a good version, but it suffers # from https://bugs.python.org/issue32185. # We'll use our bundled match_hostname for older Python # versions, which also supports IP address matching # with Python < 3.5. ctx.check_hostname = match_hostname else: ctx.check_hostname = False if hasattr(ctx, "options"): # Explicitly disable SSLv2, SSLv3 and TLS compression. Note that # up to date versions of MongoDB 2.4 and above already disable # SSLv2 and SSLv3, python disables SSLv2 by default in >= 2.7.7 # and >= 3.3.4 and SSLv3 in >= 3.4.3. There is no way for us to do # any of this explicitly for python 2.7 before 2.7.9. ctx.options |= getattr(ssl, "OP_NO_SSLv2", 0) ctx.options |= getattr(ssl, "OP_NO_SSLv3", 0) # OpenSSL >= 1.0.0 ctx.options |= getattr(ssl, "OP_NO_COMPRESSION", 0) # Python 3.7+ with OpenSSL >= 1.1.0h ctx.options |= getattr(ssl, "OP_NO_RENEGOTIATION", 0) if certfile is not None: try: if passphrase is not None: vi = sys.version_info # Since python just added a new parameter to an existing method # this seems to be about the best we can do. if (vi[0] == 2 and vi < (2, 7, 9) or vi[0] == 3 and vi < (3, 3)): raise ConfigurationError( "Support for ssl_pem_passphrase requires " "python 2.7.9+ (pypy 2.5.1+) or 3.3+") ctx.load_cert_chain(certfile, keyfile, passphrase) else: ctx.load_cert_chain(certfile, keyfile) except ssl.SSLError as exc: raise ConfigurationError( "Private key doesn't match certificate: %s" % (exc,)) if crlfile is not None: if not hasattr(ctx, "verify_flags"): raise ConfigurationError( "Support for ssl_crlfile requires " "python 2.7.9+ (pypy 2.5.1+) or 3.4+") # Match the server's behavior. ctx.verify_flags = ssl.VERIFY_CRL_CHECK_LEAF ctx.load_verify_locations(crlfile) if ca_certs is not None: ctx.load_verify_locations(ca_certs) elif cert_reqs != ssl.CERT_NONE: # CPython >= 2.7.9 or >= 3.4.0, pypy >= 2.5.1 if hasattr(ctx, "load_default_certs"): ctx.load_default_certs() # Python >= 3.2.0, useless on Windows. elif (sys.platform != "win32" and hasattr(ctx, "set_default_verify_paths")): ctx.set_default_verify_paths() elif sys.platform == "win32" and HAVE_WINCERTSTORE: with _WINCERTSLOCK: if _WINCERTS is None: _load_wincerts() ctx.load_verify_locations(_WINCERTS.name) elif HAVE_CERTIFI: ctx.load_verify_locations(certifi.where()) else: raise ConfigurationError( "`ssl_cert_reqs` is not ssl.CERT_NONE and no system " "CA certificates could be loaded. `ssl_ca_certs` is " "required.") ctx.verify_mode = verify_mode return ctx
def setup_ssl_context(cert, private, hostname=False): ssl_context = SSLContext(PROTOCOL_SSLv23) ssl_context.load_cert_chain(cert, private) ssl_context.check_hostname = hostname return ssl_context
# Start the webserver(s) webserver = None ssl_webserver = None if not args.noserver: # HTTP server logger.info("Creating webserver...") application = AppRunner(app) loop.run_until_complete(application.setup()) webserver = TCPSite(application, host=args.host, port=args.port) # SSL server try: if not args.nossl: ssl_context = SSLContext() ssl_context.load_cert_chain(**bot.config['ssl_context']) ssl_webserver = TCPSite(application, host=args.host, port=args.sslport, ssl_context=ssl_context) except Exception as e: ssl_webserver = None logger.exception("Could not make SSL webserver") # Start servers loop.run_until_complete(webserver.start()) logger.info(f"Server started - http://{args.host}:{args.port}/") if ssl_webserver: loop.run_until_complete(ssl_webserver.start()) logger.info(f"Server started - http://{args.host}:{args.sslport}/")