def SSL_Connect(ctx,
sock,
server_side=False,
accepted=False,
connected=False,
verify_names=None):
if DEBUG: DEBUG('*** TLS is provided by native Python ssl')
reqs = (verify_names and ssl.CERT_REQUIRED or ssl.CERT_NONE)
try:
fd = ssl.wrap_socket(sock,
keyfile=ctx.privatekey_file,
certfile=ctx.certchain_file,
cert_reqs=reqs,
ca_certs=ctx.ca_certs,
do_handshake_on_connect=False,
ssl_version=ctx.method,
ciphers=ctx.ciphers,
server_side=server_side)
except:
fd = ssl.wrap_socket(sock,
keyfile=ctx.privatekey_file,
certfile=ctx.certchain_file,
cert_reqs=reqs,
ca_certs=ctx.ca_certs,
do_handshake_on_connect=False,
ssl_version=ctx.method,
server_side=server_side)
if verify_names:
fd.do_handshake()
if not SSL_CheckPeerName(fd, verify_names):
raise SSL.Error(
('Cert not in %s (%s)') % (verify_names, reqs))
return fd
def test_error_if_short_key(self, mock_use_key):
mock_use_key.side_effect = SSL.Error("reason")
self.pair.regenerate(SERVER_NAME, 1024)
errors = self.pair.check()
self.assertEqual(
errors,
["Unable to load SSL certificate and/or key: reason"]
)
def handle_secure_connection(self, client_socket, request, dialog_id):
""" performs all TLS stuff with client
returns (wrapped secure_socket socket, client request after CONNECT)
"""
client_socket.sendall(self.dialog_service.make_established_response(dialog_id))
context = self.tls_service.create_ssl_context(request.host)
secure_socket = SSL.Connection(context, client_socket)
secure_socket.set_accept_state()
try:
secure_socket.do_handshake()
except SSL.Error as err:
secure_socket.close()
raise SSL.Error(err)
# return secure_socket, None
# read application data request after handshake
post_handshake_raw = read(secure_socket)
final_request = self.dialog_service.make_request_from_raw(post_handshake_raw, dialog_id)
return secure_socket, final_request
def callRemote(proxy, function, callbackOK, callbackError, *args):
proceed = True
while proceed:
try:
# get arround missing python function for python version < 3.5
li = []
li.append(function)
for ar in args:
li.append(ar)
# call the timeout function with our arguments, which executes our
# function on JSONRPC Server and cacels the call if it takes longer
# than the specified seconds in $timeout_duration
handle = timeout(proxy.callRemote,
args=(tuple(li)),
kwargs={},
timeout_duration=60,
default=None)
if(handle):
# adds callback methods which are called from JSONRPC server.
# $callbackOK gets called if there was no error
# $callbackError gets called if there was an error like
# a lost connection
handle.addCallbacks(callbackOK, callbackError)
else:
print("Can not connect to " + function +
" please check cacert settings")
# If we were able to execute our command, there was noi issue with
# a missing/wrong decryption Key for our private key and we can
# go further.
proceed = False
except SSL.Error as ex:
# handle worn password or decrypt error,
# raise it again if it was something else
if('bad password read' in str(ex) or 'bad decrypt' in str(ex)):
print("Wrong PEM decryption password entered, " +
"wasn't able to decrypt keyfile")
exit()
else:
raise SSL.Error(ex)
def test_read_ssl_error(self):
s = mock.MagicMock()
s.read = mock.MagicMock(side_effect=SSL.Error())
s = tcp.Reader(s)
tutils.raises(TlsException, s.read, 1)
def test_read_ssl_error(self):
s = mock.MagicMock()
s.read = mock.MagicMock(side_effect=SSL.Error())
s = tcp.Reader(s)
with pytest.raises(exceptions.TlsException):
s.read(1)
def raiser(_):
# Unfortunately, there seems to be no way to trigger a real SSL
# error artificially.
raise SSL.Error([['', '', '']])
def test_read_ssl_error(self):
s = mock.MagicMock()
s.read = mock.MagicMock(side_effect=SSL.Error())
s = tcp.Reader(s)
tutils.raises(tcp.NetLibSSLError, s.read, 1)
