def send_request(
host,
port,
endpoint,
method,
token,
data=None,
cert=None,
key=None,
ca_cert=None,
check_ocsp=True,
):
def callback(conn, encoded_ocsp, data):
ocsp_resp = load_der_ocsp_response(encoded_ocsp)
return ocsp_resp.response_status == OCSPResponseStatus.SUCCESSFUL and ocsp_resp.certificate_status == OCSPCertStatus.GOOD
context = Context(TLSv1_2_METHOD)
context.load_client_ca(bytes(ca_cert, encoding="utf8"))
context.use_certificate_file(cert)
context.use_privatekey_file(key)
context.set_ocsp_client_callback(callback)
conn = Connection(context, socket.socket(socket.AF_INET,
socket.SOCK_STREAM))
conn.connect((host, port))
if check_ocsp:
conn.request_ocsp()
conn.send(
bytes(
f"{method} {endpoint} HTTP/1.1\nHost: {host}:{port}\n" +
f"Content-Type: text/plain\norigin: https://{host}:{port}\nToken: {token}\nContent-Length: {len(data)}\n\n{data}",
encoding="utf8"))
response = conn.read(2048)
conn.close()
def testPFSCipher(host,port,cipher): try: # Construct the socket client = socket.socket(socket.AF_INET, socket.SOCK_STREAM) client.settimeout(10) client.connect((host, port)) # Define the method as serverpreferred and use the Cipher from the test contextToUse = Context(pfsCipherList[cipher]) contextToUse.set_cipher_list(cipher) # Estabilish a SSL connection using the server's preferred connection client_ssl = Connection(contextToUse, client) client_ssl.set_connect_state() client_ssl.set_tlsext_host_name(host) # Try to perform an SSL handshake client_ssl.do_handshake() # Close the connection client_ssl.close() client.close() return True except openSSLError as e: # Server may be down or avoiding SSL connection return False except ValueError as e: # Not configured or not allowed return False pass
def printcert(host, port, hostname):
con = Connection(Context(TLSv1_METHOD), socket(AF_INET, SOCK_STREAM))
con.connect((host, port))
con.set_tlsext_host_name(hostname if hostname else host)
con.do_handshake()
con.shutdown()
con.close()
print dump_certificate(FILETYPE_PEM, walkchain(con.get_peer_cert_chain()))
def verify_cert(host, ca, timeout):
server_ctx = Context(TLSv1_METHOD)
server_cert_chain = []
if os.path.isdir(ca):
server_ctx.load_verify_locations(None, ca)
else:
server_ctx.load_verify_locations(ca, None)
def verify_cb(conn, cert, errnum, depth, ok):
server_cert_chain.append(cert)
return ok
server_ctx.set_verify(VERIFY_PEER, verify_cb)
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.setblocking(1)
sock.settimeout(timeout)
sock.connect((host, 443))
server_conn = Connection(server_ctx, sock)
server_conn.set_connect_state()
def iosock_try():
ok = True
try:
server_conn.do_handshake()
sleep(0.5)
except SSLWantReadError as e:
ok = False
pass
except Exception as e:
raise e
return ok
try:
while True:
if iosock_try():
break
server_subject = server_cert_chain[-1].get_subject()
if host != server_subject.CN:
raise SSLError('Server certificate CN does not match %s' %
host)
except SSLError as e:
raise e
finally:
server_conn.shutdown()
server_conn.close()
return True
def main():
"""
Connect to an SNI-enabled server and request a specific hostname, specified by argv[1], of it.
"""
if len(argv) < 2:
print 'Usage: %s <hostname> [port]' % (argv[0], )
return 1
port = 443
if len(argv) == 3:
port = int(argv[2])
hostname = argv[1]
client = socket()
#client.settimeout(2)
#print 'Connecting...',
stdout.flush()
client.connect((hostname, port))
#print 'connected', client.getpeername()
client_ssl = Connection(Context(TLSv1_METHOD), client)
client_ssl.set_connect_state()
client_ssl.set_tlsext_host_name(hostname)
client_ssl.do_handshake()
host = client_ssl.getpeername()
servername = client_ssl.get_servername()
x509 = client_ssl.get_peer_certificate()
notAfter = datetime.strptime(x509.get_notAfter(), '%Y%m%d%H%M%SZ')
cert_chain = client_ssl.get_peer_cert_chain()
now = datetime.now()
timedelta = notAfter - now
DNS = ''
for i in xrange(x509.get_extension_count()):
ret = str(x509.get_extension(i))
if re.match('^DNS:', ret):
DNS = ret.replace('DNS:', '')
print "servername: %s, host: %s, port: %s" % (servername, host[0], host[1])
print "\tnotAfter: %s, remain: %s days" % (notAfter, timedelta.days)
print "\tDNS: ", DNS
print '\tCert Chain:'
for i, v in enumerate(cert_chain):
print '\t%s,i,%s' % (i, v.get_subject())
print '\t%s,s,%s' % (i, v.get_issuer())
client_ssl.close()
def server_ok(serverarg, capath, timeout):
"Check if the server is active and responsive"
server_ctx = Context(TLSv1_METHOD)
server_ctx.load_verify_locations(None, capath)
def verify_cb(conn, cert, errnum, depth, ok):
return ok
server_ctx.set_verify(VERIFY_PEER|VERIFY_FAIL_IF_NO_PEER_CERT, verify_cb)
serverarg = re.split("/*", serverarg)[1]
if ':' in serverarg:
serverarg = serverarg.split(':')
server = serverarg[0]
port = int(serverarg[1] if not '?' in serverarg[1] else serverarg[1].split('?')[0])
else:
server = serverarg
port = DEFAULT_PORT
try:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((server, port))
server_conn = Connection(server_ctx, sock)
server_conn.set_connect_state()
try:
def handler(signum, frame):
raise socket.error([('Timeout', 'after', str(timeout) + 's')])
signal.signal(signal.SIGALRM, handler)
signal.alarm(timeout)
server_conn.do_handshake()
signal.alarm(0)
except socket.timeout as e:
nagios_out('Critical',
'Connection error %s - %s' % (server + ':' + str(port), errmsg_from_excp(e)),2)
server_conn.shutdown()
server_conn.close()
except (SSLError, socket.error) as e:
if 'sslv3 alert handshake failure' in errmsg_from_excp(e):
pass
else:
nagios_out('Critical',
'Connection error %s - %s' % (server + ':' + str(port), errmsg_from_excp(e)), 2)
return True
def verify_cert(host, ca, timeout):
server_ctx = Context(TLSv1_METHOD)
server_cert_chain = []
if os.path.isdir(ca):
server_ctx.load_verify_locations(None, ca)
else:
server_ctx.load_verify_locations(ca, None)
def verify_cb(conn, cert, errnum, depth, ok):
server_cert_chain.append(cert)
return ok
server_ctx.set_verify(VERIFY_PEER, verify_cb)
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.setblocking(1)
sock.settimeout(timeout)
sock.connect((host, 443))
server_conn = Connection(server_ctx, sock)
server_conn.set_connect_state()
def iosock_try():
ok = True
try:
server_conn.do_handshake()
sleep(0.5)
except SSLWantReadError as e:
ok = False
pass
except Exception as e:
raise e
return ok
try:
while True:
if iosock_try():
break
server_subject = server_cert_chain[-1].get_subject()
if host != server_subject.CN:
raise SSLError('Server certificate CN does not match %s' % host)
except SSLError as e:
raise e
finally:
server_conn.shutdown()
server_conn.close()
return True
def server_ok(serverarg, capath, timeout):
server_ctx = Context(TLSv1_METHOD)
server_ctx.load_verify_locations(None, capath)
def verify_cb(conn, cert, errnum, depth, ok):
return ok
server_ctx.set_verify(VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT, verify_cb)
serverarg = re.split("/*", serverarg)[1]
if ':' in serverarg:
serverarg = serverarg.split(':')
server = serverarg[0]
port = int(serverarg[1] if not '?' in serverarg[1] else serverarg[1].
split('?')[0])
else:
server = serverarg
port = DEFAULT_PORT
try:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((server, port))
server_conn = Connection(server_ctx, sock)
server_conn.set_connect_state()
try:
def handler(signum, frame):
raise socket.error([('Timeout', 'after', str(timeout) + 's')])
signal.signal(signal.SIGALRM, handler)
signal.alarm(timeout)
server_conn.do_handshake()
signal.alarm(0)
except socket.timeout as e:
nagios_out(
'Critical', 'Connection error %s - %s' %
(server + ':' + str(port), errmsg_from_excp(e)), 2)
server_conn.shutdown()
server_conn.close()
except (SSLError, socket.error) as e:
if 'sslv3 alert handshake failure' in errmsg_from_excp(e):
pass
else:
nagios_out(
'Critical', 'Connection error %s - %s' %
(server + ':' + str(port), errmsg_from_excp(e)), 2)
return True
def testWeakCipher(host,port,protocolList):
# Create a list to put all analysed data
protoDataList = []
# Test the size of the cipher for each protocol avaiable and get the Cipher Suite
for proto in protocolList:
try:
# Construct the socket
client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
client.connect((host, port))
# Estabilish a SSL connection
client_ssl = Connection(Context(methods[proto]), client)
client_ssl.set_connect_state()
client_ssl.set_tlsext_host_name(host)
# Try to perform an SSL handshake
client_ssl.do_handshake()
# Obtain the name of the protocol being used
protoName = (client_ssl.get_protocol_version_name())
# Obtain the size of the cipher being used by the protocol
bitSize = (client_ssl.get_cipher_bits())
# Obtain the Cipher Suite
suite = client_ssl.get_cipher_name()
# Create a compiled data
data = (protoName,bitSize,suite)
# Put the data obtained on the list
protoDataList.append(data)
# Close the connection
client_ssl.close()
client.close()
except openSSLError as e: # Server may be down or avoiding SSL connection
print _('Servidor nao esta respondendo')
return
except ValueError as e: # Not configured or not allowed
print _('Servidor nao esta configurado')
return
# Print the results
print bcolors.BOLD + _("Protocolo\tTamanho da Cifra\tCifra") + bcolors.ENDC
for protoData in protoDataList:
print protoData[0] + '\t\t' + str(protoData[1]) + ' bits' + ( '(OK)' if (protoData[1] >=128) else _('(FRACA)')) + '\the\t' + str(protoData[2])
def main():
def err_exit(ret, msg):
ret['failed'] = True
ret['msg'] = msg
module.fail_json(**ret)
module = AnsibleModule(argument_spec=dict(
host=dict(required=True, type='str'),
certificates=dict(required=True, type='dict'),
), )
host = module.params['host']
certificates = copy.copy(module.params['certificates'])
split = host.split(':')
split.reverse()
host = split.pop()
ret['host'] = host
ret['port'] = None
ret['downloaded'] = False
ret['ansible_facts'] = dict(certificates=certificates)
try:
port = int(split.pop()) if split else 443
hostport = "{}:{}".format(host, port)
ret['port'] = port
if host in certificates and hostport not in certificates:
certificates[hostport] = certificates[host]
if hostport not in certificates or certificates[hostport] is None:
s = socket(AF_INET, SOCK_STREAM)
ctx = Context(TLSv1_METHOD)
con = Connection(ctx, s)
con.connect((host, port))
con.do_handshake()
x509 = con.get_peer_cert_chain()[-1]
con.shutdown()
con.close()
ret['downloaded'] = True
certificates[hostport] = dump_certificate(FILETYPE_PEM, x509)
if host not in certificates or certificates[host] is None:
certificates[host] = certificates[hostport]
module.exit_json(**ret)
except Exception as e:
msg_ = traceback.format_exc()
module.fail_json(msg="{}: {}".format(repr(e), msg_))
def identifyProtocol(host,port):
# Create a list to put all analysed data
protoDataList = []
try:
# Construct the socket
client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
client.connect((host, port))
# Estabilish a SSL connection using the server's preferred connection
client_ssl = Connection(Context(SSLv23_METHOD), client)
client_ssl.set_connect_state()
client_ssl.set_tlsext_host_name(host)
# Try to perform an SSL handshake
client_ssl.do_handshake()
# Obtain the name of the protocol being used
protoName = (client_ssl.get_protocol_version_name())
# Obtain the size of the cipher being used by the protocol
bitSize = (client_ssl.get_cipher_bits())
# Obtain the Cipher Suite
suite = client_ssl.get_cipher_name()
# Create a compiled data
data = (protoName,bitSize,suite)
# Put the data obtained on the list
protoDataList.append(data)
# Close the connection
client_ssl.close()
client.close()
# Shpw the data
print _('Preferido: ') + str(protoName) + _('\nCifra: ') + str(suite) + _('\nTamanho em bits: ') + str(bitSize)
# Return the protocol method used by pyOpenSSL
return methodName[protoName]
except openSSLError as e: # Server may be down or avoiding SSL connection
print _('\nNao foi possivel identificar o protocolo padrao\n')
return 0
except ValueError as e: # Not configured or not allowed
print _('\nNao foi possivel identificar o protocolo padrao\n')
return 0
def verify_servercert(host, timeout, capath):
server_ctx = Context(TLSv1_METHOD)
server_ctx.load_verify_locations(None, capath)
server_cert_chain = []
def verify_cb(conn, cert, errnum, depth, ok):
server_cert_chain.append(cert)
return ok
server_ctx.set_verify(VERIFY_PEER, verify_cb)
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.setblocking(1)
sock.settimeout(timeout)
sock.connect((host, 443))
server_conn = Connection(server_ctx, sock)
server_conn.set_connect_state()
def iosock_try():
ok = True
try:
server_conn.do_handshake()
sleep(0.5)
except SSLWantReadError as e:
ok = False
pass
except Exception as e:
raise e
return ok
try:
while True:
if iosock_try():
break
global server_expire
server_expire = server_cert_chain[-1].get_notAfter()
except PyOpenSSLError as e:
raise e
finally:
server_conn.shutdown()
server_conn.close()
return True
def verify_servercert(host, timeout, capath):
server_ctx = Context(TLSv1_METHOD)
server_ctx.load_verify_locations(None, capath)
server_cert_chain = []
def verify_cb(conn, cert, errnum, depth, ok):
server_cert_chain.append(cert)
return ok
server_ctx.set_verify(VERIFY_PEER, verify_cb)
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.setblocking(1)
sock.settimeout(timeout)
sock.connect((host, 443))
server_conn = Connection(server_ctx, sock)
server_conn.set_connect_state()
def iosock_try():
ok = True
try:
server_conn.do_handshake()
sleep(0.5)
except SSLWantReadError as e:
ok = False
pass
except Exception as e:
raise e
return ok
try:
while True:
if iosock_try():
break
global server_expire
server_expire = server_cert_chain[-1].get_notAfter()
except PyOpenSSLError as e:
raise e
finally:
server_conn.shutdown()
server_conn.close()
return True
def get_certificate(hostname, port=443):
"""
Return TLS certificate (f.i. for https or smtps)
"""
client = socket()
client.connect((hostname, port))
client_ssl = Connection(Context(TLSv1_2_METHOD), client)
client_ssl.set_connect_state()
client_ssl.set_tlsext_host_name(hostname.encode("ascii")) # SNI
client_ssl.do_handshake()
cert = client_ssl.get_peer_certificate()
client_ssl.close()
return cert
class OpenSSLSNI(object):
"""This class implements the functionality of obtaining certificates secure connection using
apache TLS Extension Server Name Indication (SNI)
"""
def connection(func):
def wrapped(self):
self._connect()
try:
return func(self)
finally:
self._close()
return wrapped
def __init__(self, host, port):
#Set host name
self._host = str(host).split('//')[-1].split(':')[0]
#Set port
self._port = int(port) if str(port).isdigit() else 443
def _connect(self):
"""This method implements the functionality of establishing a secure connection using TLS Extension"""
self._socket_client = socket()
self._socket_client.connect((self._host, self._port))
self._ssl_client = Connection(Context(TLSv1_METHOD), self._socket_client)
self._ssl_client.set_connect_state()
self._ssl_client.set_tlsext_host_name(self._host)
self._ssl_client.do_handshake()
def _close(self):
"""This method implements the functional termination created connection"""
self._ssl_client.close()
del self._socket_client
@property
@connection
def serial_number(self):
"""Returns certificates serial number"""
return self._ssl_client.get_peer_certificate().get_serial_number()
@property
@connection
def certificate(self):
"""Returns certificate"""
return OpenSSL.crypto.dump_certificate(FILETYPE_PEM, self._ssl_client.get_peer_certificate())
def main():
if len(argv) < 3:
print('Usage: %s <hostname> <port>'.format(argv[0]))
return 1
hostname = str(argv[1])
port = int(argv[2])
client = socket()
print('Connecting...')
stdout.flush()
client.connect((hostname, port))
print('Connected to', client.getpeername())
client_ssl = Connection(Context(TLSv1_METHOD), client)
client_ssl.set_connect_state()
client_ssl.set_tlsext_host_name(hostname.encode('utf-8'))
client_ssl.do_handshake()
chain = client_ssl.get_peer_cert_chain()
print("\n>> Certificate Chain:\n")
i = 0
for cert in reversed(chain):
i += 1
asterisks = "*" * i
print(" [+] {:<10} {}".format(asterisks, cert.get_subject()))
print("\n>> Certificate Details:\n")
for cert in reversed(chain):
pkey = cert.get_pubkey()
print("." * 80)
print("- [Subject]:\t\t{}".format(cert.get_subject()))
print("- [Issuer]:\t\t{}".format(cert.get_issuer()))
print("- [Valid from]:\t\t{}".format(cert.get_notBefore()))
print("- [Valid until]:\t{}".format(cert.get_notAfter()))
print("- [Has Expired]:\t{}".format(cert.has_expired()))
print("\n")
client_ssl.close()
return 0
def netflix_openssl_test_retry(ip):
client = socket()
print 'Connecting...',
stdout.flush()
client.connect((ip, port))
print 'connected', client.getpeername()
client_ssl = Connection(Context(TLSv1_METHOD), client)
client_ssl.set_connect_state()
client_ssl.set_tlsext_host_name(hostname)
client_ssl.do_handshake()
cert = client_ssl.get_peer_certificate().get_subject()
cn = [comp for comp in cert.get_components() if comp[0] in ['CN']]
client_ssl.close()
print cn
if hostname in cn[0][1]:
return True
else:
return False
def netflix_openssl_test_retry(ip):
client = socket()
print 'Connecting...',
stdout.flush()
client.connect((ip, port))
print 'connected', client.getpeername()
client_ssl = Connection(Context(TLSv1_METHOD), client)
client_ssl.set_connect_state()
client_ssl.set_tlsext_host_name(hostname)
client_ssl.do_handshake()
cert = client_ssl.get_peer_certificate().get_subject()
cn = [comp for comp in cert.get_components() if comp[0] in ['CN']]
client_ssl.close()
print cn
if hostname in cn[0][1]:
return True
else:
return False
def _validate_certificate_hostname_pyopenssl(self):
""" Use pyOpenSSL check if the host's certifcate matches the hostname.
Python < 2.7.9 is not able to provide a server hostname for SNI, so this
is a fallback that opens an additional connection if the initial
validation failed.
Returns:
bool: Whether or not the hostname is valid on the certificate.
"""
client = socket.socket()
client.connect((self.host, self.port))
client_ssl = Connection(Context(TLSv1_METHOD), client)
client_ssl.set_connect_state()
client_ssl.set_tlsext_host_name(self.host)
client_ssl.do_handshake()
cert = client_ssl.get_peer_certificate()
client_ssl.close()
common_name = cert.get_subject().commonName
return self._cert_host_matches_hostname(common_name, self.host)
def _validate_certificate_hostname_pyopenssl(self):
""" Use pyOpenSSL check if the host's certifcate matches the hostname.
Python < 2.7.9 is not able to provide a server hostname for SNI, so this
is a fallback that opens an additional connection if the initial
validation failed.
Returns:
bool: Whether or not the hostname is valid on the certificate.
"""
client = socket.socket()
client.connect((self.host, self.port))
client_ssl = Connection(Context(TLSv1_METHOD), client)
client_ssl.set_connect_state()
client_ssl.set_tlsext_host_name(self.host)
client_ssl.do_handshake()
cert = client_ssl.get_peer_certificate()
client_ssl.close()
common_name = cert.get_subject().commonName
return self._cert_host_matches_hostname(common_name, self.host)
def main():
"""
Connect to an SNI-enabled server and request a specific hostname, specified
by argv[1], of it.
"""
if len(argv) < 2:
print 'Usage: %s <hostname>' % (argv[0],)
return 1
client = socket()
print 'Connecting...',
stdout.flush()
client.connect(('127.0.0.1', 8443))
print 'connected', client.getpeername()
client_ssl = Connection(Context(TLSv1_METHOD), client)
client_ssl.set_connect_state()
client_ssl.set_tlsext_host_name(argv[1])
client_ssl.do_handshake()
print 'Server subject is', client_ssl.get_peer_certificate().get_subject()
client_ssl.close()
def main():
"""
Connect to an SNI-enabled server and request a specific hostname, specified
by argv[1], of it.
"""
if len(argv) < 2:
print 'Usage: %s <hostname>' % (argv[0], )
return 1
client = socket()
print 'Connecting...',
stdout.flush()
client.connect(('127.0.0.1', 8443))
print 'connected', client.getpeername()
client_ssl = Connection(Context(TLSv1_METHOD), client)
client_ssl.set_connect_state()
client_ssl.set_tlsext_host_name(argv[1])
client_ssl.do_handshake()
print 'Server subject is', client_ssl.get_peer_certificate().get_subject()
client_ssl.close()
def verifyOpenProtocol(host,port,proto): try: # Construct the socket client = socket.socket(socket.AF_INET, socket.SOCK_STREAM) client.connect((host, port)) # Estabilish a SSL connection client_ssl = Connection(Context(proto), client) client_ssl.set_connect_state() client_ssl.set_tlsext_host_name(host) # Try to perform an SSL handshake client_ssl.do_handshake() # Close the connection client_ssl.close() client.close() except openSSLError as e: # Server not configured to use return False except ValueError as e: # Not present return False # Success return True
def verify_cert(host, capath, timeout, cncheck=True):
server_ctx = Context(TLSv1_METHOD)
server_cert_chain = []
server_ctx.load_verify_locations(None, capath)
host = re.split("/*", host)[1]
if ':' in host:
host = host.split(':')
server = host[0]
port = int(host[1] if not '?' in host[1] else host[1].split('?')[0])
else:
server = host
port = 443
def verify_cb(conn, cert, errnum, depth, ok):
server_cert_chain.append(cert)
return ok
server_ctx.set_verify(VERIFY_PEER, verify_cb)
try:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.setblocking(1)
sock.settimeout(timeout)
sock.connect((server, port))
except (socket.error, socket.timeout) as e:
nagios_out(
'Critical', 'Connection error %s - %s' %
(server + ':' + str(port), errmsg_from_excp(e)), 2)
server_conn = Connection(server_ctx, sock)
server_conn.set_connect_state()
def iosock_try():
ok = True
try:
server_conn.do_handshake()
sleep(0.5)
except SSLWantReadError as e:
ok = False
pass
except Exception as e:
raise e
return ok
try:
while True:
if iosock_try():
break
if cncheck:
server_subject = server_cert_chain[-1].get_subject()
if server != server_subject.CN:
nagios_out(
'Critical', 'Server certificate CN %s does not match %s' %
(server_subject.CN, server), 2)
except SSLError as e:
if 'sslv3 alert handshake failure' in errmsg_from_excp(e):
pass
else:
nagios_out(
'Critical', 'Connection error %s - %s' %
(server + ':' + str(port), errmsg_from_excp(e, level=1)), 2)
finally:
server_conn.shutdown()
server_conn.close()
return True
def verify_cert(host, capath, timeout, cncheck=True):
server_ctx = Context(TLSv1_METHOD)
server_cert_chain = []
server_ctx.load_verify_locations(None, capath)
host = re.split("/*", host)[1]
if ':' in host:
host = host.split(':')
server = host[0]
port = int(host[1] if not '?' in host[1] else host[1].split('?')[0])
else:
server = host
port = 443
def verify_cb(conn, cert, errnum, depth, ok):
server_cert_chain.append(cert)
return ok
server_ctx.set_verify(VERIFY_PEER, verify_cb)
try:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.setblocking(1)
sock.settimeout(timeout)
sock.connect((server, port))
except (socket.error, socket.timeout) as e:
nagios_out('Critical', 'Connection error %s - %s' % (server + ':' + str(port),
errmsg_from_excp(e)),
2)
server_conn = Connection(server_ctx, sock)
server_conn.set_connect_state()
def iosock_try():
ok = True
try:
server_conn.do_handshake()
sleep(0.5)
except SSLWantReadError as e:
ok = False
pass
except Exception as e:
raise e
return ok
try:
while True:
if iosock_try():
break
if cncheck:
server_subject = server_cert_chain[-1].get_subject()
if server != server_subject.CN:
nagios_out('Critical', 'Server certificate CN %s does not match %s' % (server_subject.CN, server), 2)
except SSLError as e:
if 'sslv3 alert handshake failure' in errmsg_from_excp(e):
pass
else:
nagios_out('Critical', 'Connection error %s - %s' % (server + ':' + str(port),
errmsg_from_excp(e, level=1)),
2)
finally:
server_conn.shutdown()
server_conn.close()
return True
class SocketClient(object):
"""This class sends all info to the server
"""
cacertpath = "ca/cacert.pem"
BUFF = 8192
def __init__(self,HOST='130.236.219.232', PORT = 443):
self.mutex = threading.Semaphore(1)
self.connected = False
self.connect()
self.host_addr = HOST
self.host_port = PORT
def connect(self):
print "You are trying to connect..."
for x in range(7):
if not self.connected:
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
context = Context(TLSv1_METHOD)
context.use_certificate_file(self.cacertpath)
context.set_timeout(2)
self.sslsocket = Connection(context,s)
self.sslsocket.connect((self.host_addr,self.host_port))
#starting a thread that listen to what server sends which the clients need to be able to send and recive data at the same time
t = threading.Thread(target=self.receive)
t.daemon = True
t.start()
if self.sslsocket:
self.connected = True
print "connection established"
#self.authentication("Kalle", "te")
t = threading.Thread(target=self.sendinput)
t.start()
except socket.error:
print "You failed to connect, retrying......."
time.sleep(5)
def authentication(self, username, password):
self.sslsocket.send(username)
self.sslsocket.send(password)
#sending string to server
def send(self,str):
try:
self.sslsocket.write("start")
totalsent = 0
while totalsent < str.__len__():
sent = self.sslsocket.write(str[totalsent:])
if sent == 0:
raise RuntimeError, "socket connection broken"
totalsent = totalsent + sent
self.sslsocket.write("end")
except SSL.SysCallError:
print "your server is dead, you have to resend data"
self.connected = False
self.sslsocket.shutdown()
self.sslsocket.close()
self.mutex.acquire()
print "Du är inne i connect via send SysCallError"
self.connect()
self.mutex.release()
except SSL.Error:
self.connected = False
self.mutex.acquire()
print "Du är inne i connect via send ssl error"
self.connect()
self.mutex.release()
#Sending input to server
def sendinput(self):
try:
while True:
input = raw_input()
self.send(input)
except KeyboardInterrupt:
print "du är inne i sendinput"
self.sslsocket.shutdown()
self.sslsocket.close()
exit(0)
#getting data from server
def receive(self):
output = ""
try:
while True:
data = self.sslsocket.recv(self.BUFF)
if data == "start":
while True:
data = self.sslsocket.recv(self.BUFF)
if data == "end":
print output
output = ""
break
output = output + data
except SSL.SysCallError:
print "OMG Server is down"
self.connected = False
print self.connected
self.sslsocket.shutdown()
self.sslsocket.close()
self.mutex.acquire()
self.connect()
self.mutex.release()
def index():
form = ActionForm(request.form, csrf_context=session)
if request.method == 'POST' and form.validate(
) and current_user.is_authenticated:
comment_value = request.form['comment']
action_value = request.form['action']
user_name = current_user.username
user_ip = get_client_ip()
action_data = dict(comment=comment_value,
action=action_value,
user=user_name,
ip=user_ip)
rx = ""
try:
print('Creating socket', file=sys.stderr)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
#s.settimeout(10.0)
if repeater_listen_psk:
ctx = Context(TLSv1_2_METHOD)
ctx.set_cipher_list(b'PSK')
ctx.set_psk_client_callback(client_callback)
s = Connection(ctx, s)
print('PSK Context created', file=sys.stderr)
print('Connecting:', REPEATER_LISTENER)
s.connect(REPEATER_LISTENER)
print('Connected')
try:
hello_msg = s.recv(5)
print(f'hello msg: {hello_msg}', file=sys.stderr)
except socket.timeout:
traceback.print_exc(file=sys.stderr)
#send_delay = request.form.get('test_send_delay') or 0
#sleep(int(send_delay))
#if action_value == 'test_send':
# msg = comment_value.encode()
#else:
# msg = json.dumps(action_data).encode()
msg = json.dumps(action_data).encode()
msg_len = len(msg)
print(f'Sending {msg_len}b message: {msg}', file=sys.stderr)
s.send(msg)
#recv_delay = request.form.get('test_recv_delay') or 0
#sleep(int(recv_delay))
try:
rx = s.recv(2)
except ConnectionResetError:
traceback.print_exc(file=sys.stderr)
pass
s.close()
if len(rx) > 0:
action_data['submitted'] = True
action_data['submit_result'] = "Server reply: " + rx.decode()
else:
action_data['submitted'] = True
action_data['submit_result'] = '<Unknown - no reply>'
except Exception as e:
traceback.print_exc(file=sys.stderr)
action_data['submitted'] = False
action_data[
'submit_result'] = 'Unexpected error while sending: ' + str(e)
ev = LogEvent.from_action(action_data, current_user)
db.session.add(ev)
db.session.commit()
else:
action_data = None
connections = ''
logs = []
if current_user.is_authenticated:
if os.path.exists(LISTENER_FILE):
with open(LISTENER_FILE) as f:
connections = f.read()
else:
connections = 'No file'
logs = LogEvent.query.order_by(LogEvent.ts.desc()).limit(10).all()
return render_template("index.html",
actions=REPEATER_ACTIONS,
form=form,
connections=connections,
logs=logs,
action=action_data)
print '\nChecking DNS for CAA records . . .\n'
answers = dns.resolver.query(domain, 'CAA')
print 'The following records were found:\n'
for rdata in answers:
print domain, 'in CAA', rdata.flags, rdata.value
print '\nNow checking certificate . . . \n'
print 'Using server name:', host, 'on port', port, 'for SNI ...'
client = socket()
stdout.flush()
client.connect(('{0}'.format(host), int(port)))
print 'Connected to', client.getpeername(), '\n'
client_ssl = Connection(Context(TLSv1_METHOD), client)
client_ssl.set_connect_state()
client_ssl.set_tlsext_host_name(host)
client_ssl.do_handshake()
issuer = client_ssl.get_peer_certificate().get_issuer()
issr = str(issuer)
issr = issr.strip('<>')
issr = issr.replace('X509Name object', 'Certificate Information: ')
issr = issr.replace('C=', 'Country: ')
issr = issr.replace('O=', 'Organization: ')
issr = issr.replace('CN=', 'Common Name: ')
issr = issr.split('/')
for issr in issr:
print issr
print '\n'
client_ssl.close()
exit()
