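def _create_ssl_connection(self, ip_port):
    """Open one TLS connection to ``ip_port`` via ``check_ip.connect_ssl``.

    Args:
        ip_port: ``(ip, port)`` of the front-end to connect to.

    Returns:
        The ``ssl_sock`` produced by ``check_ip.connect_ssl`` with the
        bookkeeping attributes ``last_use_time``, ``received_size``, ``load``
        and ``host`` initialised, or ``False`` when the global connect
        throttle refuses the attempt or the connect/handshake fails.

    Side effects:
        Registers the attempt with ``connect_control`` (high priority) and
        reports success or failure to it; a failed ip is also reported to
        ``ip_manager``.  Sleeps 10s when throttled.

    Raises:
        Nothing: every exception on the connect path is logged, reported and
        turned into ``False``.
    """
    if not connect_control.allow_connect():
        # Back off instead of hammering when the connect budget is exhausted.
        time.sleep(10)
        return False

    ip = ip_port[0]
    port = ip_port[1]
    connect_control.start_connect_register(high_prior=True)

    time_begin = time.time()
    ssl_sock = None
    try:
        ssl_sock = check_ip.connect_ssl(ip, port=port, timeout=self.connect_timeout,
                                        on_close=ip_manager.ssl_closed)
        xlog.debug("create_ssl update ip:%s time:%d h2:%d sni:%s top:%s",
                   ip, ssl_sock.handshake_time, ssl_sock.h2, ssl_sock.sni, ssl_sock.top_domain)

        ssl_sock.last_use_time = ssl_sock.create_time
        ssl_sock.received_size = 0
        ssl_sock.load = 0
        ssl_sock.host = self.sub + "." + ssl_sock.top_domain

        connect_control.report_connect_success()
        return ssl_sock
    except Exception as e:
        time_cost = time.time() - time_begin
        if time_cost < self.connect_timeout - 1:
            xlog.debug("connect %s fail:%s cost:%d ", ip, e, time_cost * 1000)
        else:
            xlog.debug("%s fail:%r", ip, e)

        ip_manager.report_connect_fail(ip)
        connect_control.report_connect_fail()

        # A handshake that succeeded but whose bookkeeping above raised
        # would otherwise leak an open TLS socket; close it best-effort.
        if ssl_sock is not None:
            try:
                ssl_sock.close()
            except Exception:
                pass
        return False
    finally:
        connect_control.end_connect_register(high_prior=True)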
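def verify_SSL_certificate_issuer(ssl_sock, ip=None):
    """Reject the peer certificate unless its issuer CN starts with ``COMODO``.

    This is an *issuer pin*, not certificate validation: it checks neither
    the chain, nor expiry, nor that the leaf matches the SNI host, so on its
    own it only narrows an attacker to "anyone holding a COMODO-issued
    certificate".  Whether the OpenSSL context performs real verification is
    not visible here; do not rely on this function alone.

    Args:
        ssl_sock: a connected pyOpenSSL-style socket exposing
            ``get_peer_certificate()``.
        ip: peer ip to report to ``ip_manager`` on rejection.  When omitted,
            ``ssl_sock.ip`` is used if present; if no ip is known the
            connection is still rejected but nothing is reported.

    Raises:
        socket.error: when no peer certificate was presented, or when the
            issuer CN does not start with ``COMODO``.
    """
    cert = ssl_sock.get_peer_certificate()
    if not cert:
        raise socket.error(' certficate is none')

    # pyOpenSSL returns (bytes, bytes) name components on Python 3 and
    # (str, str) on Python 2; accept both so the CN is never silently
    # missed (which would reject every certificate).
    issuer_commonname = ''
    for k, v in cert.get_issuer().get_components():
        if k in ('CN', b'CN'):
            issuer_commonname = v.decode('utf-8', 'replace') if isinstance(v, bytes) else v
            break

    if not issuer_commonname.startswith('COMODO'):
        # The original referenced an undefined `ip` here (NameError), so the
        # bad ip was never force-removed; resolve it from the argument or
        # the socket instead.
        if ip is None:
            ip = getattr(ssl_sock, 'ip', None)
        if ip is not None:
            ip_manager.report_connect_fail(ip, force_remove=True)
        raise socket.error(' certficate is issued by %r, not COMODO' % (issuer_commonname))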
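def _create_ssl_connection(self, ip_port):
    """Open a TCP socket to ``ip_port``, wrap it in TLS and return it.

    Order matters, because the timing fields measure connect vs. handshake:
      1. honour the global connect throttle;
      2. create a plain or SOCKS socket and tune it (REUSEADDR, LINGER,
         RCVBUF, NODELAY, timeout);
      3. wrap it in ``SSLConnection`` with a randomly chosen SNI host from
         ``ns``, connect, handshake;
      4. pin the issuer CN to ``COMODO``;
      5. detect ALPN ``h2``;
      6. stamp bookkeeping attributes and report success.

    Args:
        ip_port: ``(ip, port)``; an ip containing ``':'`` selects
            ``AF_INET6``.

    Returns:
        The connected ``SSLConnection`` on success, ``False`` when throttled
        or on any failure (logged, reported to ``ip_manager`` /
        ``connect_control``, sockets closed).

    Security note: the only certificate check visible in this method is the
    issuer-CN prefix.  Whether ``self.openssl_context`` verifies the chain
    and the SNI host is not visible here; if it does not, any certificate
    issued by COMODO would be accepted.
    """
    if not connect_control.allow_connect():
        time.sleep(10)
        return False

    sock = None
    ssl_sock = None
    ip = ip_port[0]
    connect_control.start_connect_register(high_prior=True)

    handshake_time = 0
    time_begin = time.time()
    try:
        family = socket.AF_INET6 if ':' in ip else socket.AF_INET
        if config.PROXY_ENABLE:
            sock = socks.socksocket(family)
        else:
            sock = socket.socket(family)

        # REUSEADDR plus linger{l_onoff=1, l_linger=0} avoid the Windows
        # 10048 (address in use) error under many short-lived connections.
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack('ii', 1, 0))
        # 64K receive buffer for bursty browser-style responses.
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, 64 * 1024)
        # Disable Nagle so small HTTP requests go out immediately.
        sock.setsockopt(socket.SOL_TCP, socket.TCP_NODELAY, True)
        # Short timeout so a dead ip is retried quickly.
        sock.settimeout(self.connect_timeout)

        ssl_sock = SSLConnection(self.openssl_context, sock, ip, ip_manager.ssl_closed)
        ssl_sock.set_connect_state()

        # SNI is picked at random from ``ns``; nothing below checks that the
        # leaf certificate matches it.
        host = random.choice(ns)
        ssl_sock.set_tlsext_host_name(host)

        ssl_sock.connect(ip_port)
        time_connected = time.time()
        ssl_sock.do_handshake()
        time_handshaked = time.time()

        def _verify_issuer():
            # Issuer pin only; see the security note in the docstring.
            cert = ssl_sock.get_peer_certificate()
            if not cert:
                raise socket.error(' certficate is none')
            issuer_commonname = ''
            for k, v in cert.get_issuer().get_components():
                # pyOpenSSL hands back bytes on Python 3, str on Python 2;
                # missing the CN would otherwise reject every certificate.
                if k in ('CN', b'CN'):
                    issuer_commonname = v.decode('utf-8', 'replace') if isinstance(v, bytes) else v
                    break
            if not issuer_commonname.startswith('COMODO'):
                ip_manager.report_connect_fail(ip, force_remove=True)
                raise socket.error(' certficate is issued by %r, not COMODO' % (issuer_commonname))

        _verify_issuer()
        handshake_time = int((time_handshaked - time_connected) * 1000)

        # ALPN result is bytes on Python 3, str on Python 2.  If the ALPN
        # API raises (presumably an older pyOpenSSL) fall back to
        # ``_connection.protos`` as the original did -- confirm what sets it.
        try:
            alpn = ssl_sock.get_alpn_proto_negotiated()
            ssl_sock.h2 = alpn in ("h2", b"h2")
        except Exception:
            ssl_sock.h2 = getattr(ssl_sock._connection, "protos", None) == "h2"

        # ip_manager.update_ip(ip, handshake_time) is deliberately not called:
        # handshake time is not the response time -- cloudflare has no global
        # backbone like google, so the HTTP test RTT is the useful measure.
        xlog.debug("create_ssl update ip:%s time:%d h2:%d", ip, handshake_time, ssl_sock.h2)

        ssl_sock.fd = sock.fileno()
        ssl_sock.create_time = time_begin
        ssl_sock.last_use_time = time.time()
        ssl_sock.received_size = 0
        ssl_sock.load = 0
        ssl_sock.handshake_time = handshake_time
        ssl_sock.host = self.host

        connect_control.report_connect_success()
        return ssl_sock
    except Exception as e:
        time_cost = time.time() - time_begin
        if time_cost < self.connect_timeout - 1:
            xlog.debug("connect %s fail:%s cost:%d h:%d", ip, e, time_cost * 1000, handshake_time)
        else:
            xlog.debug("%s fail:%r", ip, e)

        ip_manager.report_connect_fail(ip)
        connect_control.report_connect_fail()

        # Best-effort cleanup: a failing ssl_sock.close() must not stop the
        # raw socket from being closed too.
        if ssl_sock:
            try:
                ssl_sock.close()
            except Exception:
                pass
        if sock:
            try:
                sock.close()
            except Exception:
                pass
        return False
    finally:
        connect_control.end_connect_register(high_prior=True)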