def test05_open_with_subj_alt_names_verification(self): ctx = SSL.Context(SSL.TLSv1_2_METHOD) # Set wildcard hostname for subject alternative name matching - # setting a minimum of two name components for hostname split_hostname = Constants.HOSTNAME.split('.', 1) if len(split_hostname) > 1: _hostname = '*.' + split_hostname[-1] else: _hostname = Constants.HOSTNAME server_ssl_verify = ServerSSLCertVerification(hostname=_hostname) verify_callback_ = server_ssl_verify.get_verify_server_cert_func() ctx.set_verify(SSL.VERIFY_PEER, verify_callback_) # Set default verify paths if testing with peer that has corresponding # CA cert in bundle provided with the OS. In this case, load verify # locations is not needed. #ctx.set_default_verify_paths() ctx.set_verify_depth(9) # Set correct location for CA certs to verify with ctx.load_verify_locations(None, Constants.CACERT_DIR) opener = build_opener(ssl_context=ctx) res = opener.open(Constants.TEST_URI) self.assertTrue(res) print("res = %s" % res.read())
def set_peer_verification_for_url_hostname(ssl_context, url, if_verify_enabled=False): '''Convenience routine to set peer verification callback based on ServerSSLCertVerification class''' if not if_verify_enabled or (ssl_context.get_verify_mode() & SSL.VERIFY_PEER): urlObj = urlparse.urlparse(url) hostname = urlObj.hostname server_ssl_cert_verif = ServerSSLCertVerification(hostname=hostname) verify_callback_ = server_ssl_cert_verif.get_verify_server_cert_func() ssl_context.set_verify(SSL.VERIFY_PEER, verify_callback_)
def set_peer_verification_for_url_hostname(ssl_context, url, if_verify_enabled=False): '''Convenience routine to set peer verification callback based on ServerSSLCertVerification class''' if not if_verify_enabled or (ssl_context.get_verify_mode() & SSL.VERIFY_PEER): urlObj = urlparse_.urlparse(url) hostname = urlObj.hostname server_ssl_cert_verif = ServerSSLCertVerification(hostname=hostname) verify_callback_ = server_ssl_cert_verif.get_verify_server_cert_func() ssl_context.set_verify(SSL.VERIFY_PEER, verify_callback_)
def test04_ssl_verification_with_subj_alt_name(self): ctx = SSL.Context(SSL.TLSv1_METHOD) verification = ServerSSLCertVerification(hostname='localhost') verify_callback = verification.get_verify_server_cert_func() ctx.set_verify(SSL.VERIFY_PEER, verify_callback) ctx.set_verify_depth(9) # Set correct location for CA certs to verify with ctx.load_verify_locations(None, Constants.CACERT_DIR) conn = HTTPSConnection(Constants.HOSTNAME, port=Constants.PORT, ssl_context=ctx) conn.connect() conn.request('GET', '/') resp = conn.getresponse() print('Response = %s' % resp.read())
def test04_ssl_verification_with_subj_common_name(self): ctx = SSL.Context(SSL.SSLv3_METHOD) # Explicitly set verification of peer hostname using peer certificate # subject common name verify_callback = ServerSSLCertVerification(hostname='localhost', subj_alt_name_match=False) ctx.set_verify(SSL.VERIFY_PEER, verify_callback) ctx.set_verify_depth(9) # Set correct location for CA certs to verify with ctx.load_verify_locations(None, Constants.CACERT_DIR) conn = HTTPSConnection(Constants.HOSTNAME, port=Constants.PORT, ssl_context=ctx) conn.connect() conn.request('GET', '/') resp = conn.getresponse() print('Response = %s' % resp.read())
def __call__(self): """Create an M2Crypto SSL Context from this objects properties :type depth: int :param depth: max. depth of certificate to verify against :type kw: dict :param kw: OpenSSL.SSL.Context keyword arguments :rtype: OpenSSL.SSL.Context :return: M2Crypto SSL context object """ ctx = SSL.Context(self.__class__.SSL_PROTOCOL_METHOD) # Configure context according to this proxy's attributes if self.sslCertFilePath and self.sslPriKeyFilePath: # Pass client certificate (optionally with chain) ctx.use_certificate_chain_file(self.sslCertFilePath) with open(self.sslPriKeyFilePath, 'r') as prikey_file: prikey_content = prikey_file.read() prikey_file.close() prikey = crypto.load_privatekey(crypto.FILETYPE_PEM, prikey_content, self.sslPriKeyPwd) ctx.use_privatekey(prikey) log.debug("Set client certificate and key in SSL Context") else: log.debug("No client certificate or key set in SSL Context") if self.sslCACertFilePath or self.sslCACertDir: # Set CA certificates in order to verify peer ctx.load_verify_locations(self.sslCACertFilePath, self.sslCACertDir) mode = SSL.VERIFY_PEER ctx.set_verify_depth(self.__class__.SSL_VERIFY_DEPTH) verify_cb = lambda connection, peerCert, errorStatus, errorDepth, \ preverifyOK: preverifyOK else: mode = SSL.VERIFY_NONE log.warning('No CA certificate files set: mode set to ' '"verify_none"! No verification of the server ' 'certificate will be enforced') n_ssl_valid_x509_subj_names = len(self.ssl_valid_x509_subj_names) if n_ssl_valid_x509_subj_names > 0 or self.ssl_valid_hostname: # Set custom callback in order to verify peer certificate DN # against whitelist mode = SSL.VERIFY_PEER if n_ssl_valid_x509_subj_names == 0: cert_dn = None else: cert_dn = self.ssl_valid_x509_subj_names[0] # Nb. limit - this verification callback can only validate against # a single DN not multiples as allowed by the interface class ssl_cert_verification = ServerSSLCertVerification( hostname=self.ssl_valid_hostname, certDN=cert_dn) verify_cb = ssl_cert_verification.get_verify_server_cert_func() log.debug('Set peer certificate Distinguished Name check set in ' 'SSL Context') else: log.warning('No peer certificate Distinguished Name check set in ' 'SSL Context') ctx.set_verify(mode, verify_cb) return ctx