예제 #1
    def __init__(self, key, certificate, intermediate):
        """
        Build the TLS server context from PEM-encoded credentials.

        :param key: String representation of the private key
        :param certificate: String representation of the certificate
        :param intermediate: String representation of the intermediate file;
            skipped when it is empty
        """
        self.ctx = new_tls_server_context()

        # Leaf certificate first, then the optional chain certificate.
        leaf_cert = load_certificate(FILETYPE_PEM, certificate)
        self.ctx.use_certificate(leaf_cert)

        if intermediate:
            chain_cert = load_certificate(FILETYPE_PEM, intermediate)
            self.ctx.add_extra_chain_cert(chain_cert)

        private_key = load_privatekey(FILETYPE_PEM, key)
        self.ctx.use_privatekey(private_key)

        # Ask OpenSSL to pick the ECDH curve itself when the binding exposes
        # SSL_CTX_set_ecdh_auto. That function was added in 1.0.2 and made a
        # noop in 1.1.0+ (where it is set automatically). A binding without it
        # raises AttributeError, and the context is then pinned to P-256.
        # NOTE(review): none of the _lib return values are inspected, so a
        # NULL EC_KEY or a rejected curve would go unnoticed and the context
        # would be left without ECDHE parameters.
        try:
            _lib.SSL_CTX_set_ecdh_auto(self.ctx._context, 1)  # pylint: disable=no-member
        except AttributeError:
            curve_key = _lib.EC_KEY_new_by_curve_name(_lib.NID_X9_62_prime256v1)  # pylint: disable=no-member
            # Tie EC_KEY_free to the Python wrapper's lifetime.
            curve_key = _ffi.gc(curve_key, _lib.EC_KEY_free)  # pylint: disable=no-member
            _lib.SSL_CTX_set_tmp_ecdh(self.ctx._context, curve_key)  # pylint: disable=no-member
예제 #2
파일: SSL.py 프로젝트: samucc/pyopenssl
    def set_tmp_ecdh(self, curve):
        """
        Install the curve used for ECDHE key exchange on this context.

        :param curve: A curve object to use as returned by either
            :py:meth:`OpenSSL.crypto.get_elliptic_curve` or
            :py:meth:`OpenSSL.crypto.get_elliptic_curves`.

        :return: None
        """
        # NOTE(review): the result of SSL_CTX_set_tmp_ecdh is discarded, so a
        # curve that OpenSSL refuses is not reported to the caller.
        install_curve = _lib.SSL_CTX_set_tmp_ecdh
        native_ctx = self._context
        ec_key = curve._to_EC_KEY()
        install_curve(native_ctx, ec_key)
예제 #3
    def cacheContext(self):
        """
        Build the server SSL context once and keep it on ``self._context``.

        Does nothing when a context is already cached. Otherwise it sets the
        option flags, loads the certificate, the optional intermediate and the
        private key from their file paths, applies ``self.cipherList`` and
        configures the ECDH curve.
        """
        if self._context is not None:
            return

        ctx = SSL.Context(SSL.SSLv23_METHOD)

        # NOTE(review): SSLv23_METHOD negotiates the highest version both
        # peers support, and these flags exclude SSLv2 and SSLv3 only. TLS 1.0
        # and 1.1 stay enabled unless the OpenSSL build or its configuration
        # disables them; adding SSL.OP_NO_TLSv1 | SSL.OP_NO_TLSv1_1 would rule
        # them out here, if old clients allow it.
        option_flags = (SSL.OP_CIPHER_SERVER_PREFERENCE | SSL.OP_NO_SSLv2
                        | SSL.OP_NO_SSLv3 | SSL.OP_SINGLE_DH_USE
                        | SSL.OP_NO_COMPRESSION | SSL.OP_NO_TICKET)
        ctx.set_options(option_flags)

        ctx.set_mode(SSL.MODE_RELEASE_BUFFERS)

        # Tracks whether a leaf certificate came from certificateFilePath.
        leaf_loaded = False
        if os.path.isfile(self.certificateFilePath):
            with open(self.certificateFilePath, 'r') as f:
                leaf_loaded = True
                leaf_cert = load_certificate(FILETYPE_PEM, f.read())
                ctx.use_certificate(leaf_cert)

        has_separate_chain = (
            self.intermediateFilePath != self.certificateFilePath
            and os.path.isfile(self.intermediateFilePath)
        )
        if has_separate_chain:
            if leaf_loaded:
                with open(self.intermediateFilePath, 'r') as f:
                    chain_cert = load_certificate(FILETYPE_PEM, f.read())
                    ctx.add_extra_chain_cert(chain_cert)
            else:
                # No leaf file: the intermediate file is used as the whole
                # chain, leaf certificate included.
                ctx.use_certificate_chain_file(self.intermediateFilePath)

        ctx.use_privatekey_file(self.privateKeyFilePath)

        ctx.set_cipher_list(self.cipherList)

        # NOTE(review): no DH parameters are loaded in this method, so DHE
        # suites named in cipherList presumably cannot be negotiated. Confirm
        # that ECDHE-only forward secrecy is intended.

        # Ask OpenSSL to pick the ECDH curve itself when the binding exposes
        # SSL_CTX_set_ecdh_auto. That function was added in 1.0.2 and made a
        # noop in 1.1.0+ (where it is set automatically). Otherwise pin the
        # context to P-256. The _lib return values are not inspected.
        try:
            _lib.SSL_CTX_set_ecdh_auto(ctx._context, 1)  # pylint: disable=no-member
        except AttributeError:
            curve_key = _lib.EC_KEY_new_by_curve_name(_lib.NID_X9_62_prime256v1)  # pylint: disable=no-member
            curve_key = _ffi.gc(curve_key, _lib.EC_KEY_free)  # pylint: disable=no-member
            _lib.SSL_CTX_set_tmp_ecdh(ctx._context, curve_key)  # pylint: disable=no-member

        self._context = ctx
예제 #4
    def cacheContext(self):
        """
        Build the server SSL context once and keep it on ``self._context``.

        Does nothing when a context is already cached. Otherwise it creates a
        context for ``self.sslmethod``, sets the option flags, loads the
        certificate, the optional intermediate and the private key from their
        file paths, applies ``self.cipherList``, loads the DH parameters from
        ``self.dhFilePath`` and pins the ECDH curve to P-256.
        """
        if self._context is not None:
            return

        ctx = SSL.Context(self.sslmethod)

        # NOTE(review): these flags exclude SSLv2 and SSLv3 only. Whether
        # TLS 1.0 and 1.1 are reachable depends on self.sslmethod and on the
        # OpenSSL build, so verify the minimum version actually offered.
        option_flags = (SSL.OP_CIPHER_SERVER_PREFERENCE
                        | SSL.OP_NO_SSLv2
                        | SSL.OP_NO_SSLv3
                        | SSL.OP_SINGLE_DH_USE
                        | SSL.OP_NO_COMPRESSION
                        | SSL.OP_NO_TICKET)
        ctx.set_options(option_flags)

        ctx.set_mode(SSL.MODE_RELEASE_BUFFERS)

        # Tracks whether a leaf certificate came from certificateFilePath.
        leaf_loaded = False
        if os.path.isfile(self.certificateFilePath):
            with open(self.certificateFilePath, 'r') as f:
                leaf_loaded = True
                leaf_cert = load_certificate(FILETYPE_PEM, f.read())
                ctx.use_certificate(leaf_cert)

        has_separate_chain = (
            self.intermediateFilePath != self.certificateFilePath
            and os.path.isfile(self.intermediateFilePath)
        )
        if has_separate_chain:
            if leaf_loaded:
                with open(self.intermediateFilePath, 'r') as f:
                    chain_cert = load_certificate(FILETYPE_PEM, f.read())
                    ctx.add_extra_chain_cert(chain_cert)
            else:
                # No leaf file: the intermediate file is used as the whole
                # chain, leaf certificate included.
                ctx.use_certificate_chain_file(self.intermediateFilePath)

        ctx.use_privatekey_file(self.privateKeyFilePath)

        ctx.set_cipher_list(self.cipherList)

        ctx.load_tmp_dh(self.dhFilePath)

        # ECDHE is always pinned to P-256 here; no auto-selection is tried.
        # NOTE(review): the _lib return values are not inspected, so a NULL
        # EC_KEY or a rejected curve would go unnoticed.
        curve_key = _lib.EC_KEY_new_by_curve_name(_lib.NID_X9_62_prime256v1)
        curve_key = _ffi.gc(curve_key, _lib.EC_KEY_free)
        _lib.SSL_CTX_set_tmp_ecdh(ctx._context, curve_key)

        self._context = ctx
예제 #5
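    def load_tmp_dh(self, dhfile):
        """
        Load DH parameters from a PEM file and enable DHE and ECDHE.

        Function overridden in order to enforce ECDH/PFS: besides installing
        the DH parameters read from ``dhfile``, it also sets a P-256 key for
        ECDHE on the same context.

        :param dhfile: path of the PEM file holding the DH parameters, as a
            byte string
        :raises TypeError: if ``dhfile`` is not a byte string

        Failures reported by OpenSSL are handed to ``_raise_current_error``.
        """
        # Reject a bad argument before touching OpenSSL at all.
        if not isinstance(dhfile, bytes):
            raise TypeError("dhfile must be a byte string")

        from OpenSSL._util import (ffi as _ffi, lib as _lib)

        bio = _lib.BIO_new_file(dhfile, b"r")
        if bio == _ffi.NULL:
            _raise_current_error()
        bio = _ffi.gc(bio, _lib.BIO_free)

        dh = _lib.PEM_read_bio_DHparams(bio, _ffi.NULL, _ffi.NULL, _ffi.NULL)
        # A file without parsable DH parameters yields NULL. Fail here rather
        # than hand NULL to SSL_CTX_set_tmp_dh and end up without DHE.
        if dh == _ffi.NULL:
            _raise_current_error()
        dh = _ffi.gc(dh, _lib.DH_free)
        if not _lib.SSL_CTX_set_tmp_dh(self._context, dh):
            _raise_current_error()

        ecdh = _lib.EC_KEY_new_by_curve_name(_lib.NID_X9_62_prime256v1)
        if ecdh == _ffi.NULL:
            _raise_current_error()
        ecdh = _ffi.gc(ecdh, _lib.EC_KEY_free)
        # A rejected curve would leave the context without ECDHE parameters,
        # so report it the same way as the other failures.
        if not _lib.SSL_CTX_set_tmp_ecdh(self._context, ecdh):
            _raise_current_error()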
예제 #6
    def __init__(self, priv_key, certificate, intermediate, dh):
        """
        Build the TLS server context from PEM-encoded credentials.

        @param priv_key: String representation of the private key
        @param certificate: String representation of the certificate
        @param intermediate: String representation of the intermediate file;
            skipped when it is empty
        @param dh: String representation of the DH parameters
        """
        self.ctx = new_tls_server_context()

        # Leaf certificate first, then the optional chain certificate.
        leaf_cert = load_certificate(FILETYPE_PEM, certificate)
        self.ctx.use_certificate(leaf_cert)

        if intermediate:
            chain_cert = load_certificate(FILETYPE_PEM, intermediate)
            self.ctx.add_extra_chain_cert(chain_cert)

        loaded_key = load_privatekey(FILETYPE_PEM, priv_key)
        self.ctx.use_privatekey(loaded_key)

        load_dh_params_from_string(self.ctx, dh)

        # ECDHE is always pinned to P-256 here; no auto-selection is tried.
        # NOTE(review): the _lib return values are not inspected, so a NULL
        # EC_KEY or a rejected curve would go unnoticed.
        curve_key = _lib.EC_KEY_new_by_curve_name(_lib.NID_X9_62_prime256v1)  # pylint: disable=no-member
        # Tie EC_KEY_free to the Python wrapper's lifetime.
        curve_key = _ffi.gc(curve_key, _lib.EC_KEY_free)  # pylint: disable=no-member
        _lib.SSL_CTX_set_tmp_ecdh(self.ctx._context, curve_key)  # pylint: disable=no-member