def _create_socket(self): ssl_enable_renegotiation = getattr( ssl, 'SSL_ENABLE_RENEGOTIATION', 20) ssl_require_safe_negotiation = getattr( ssl,'SSL_REQUIRE_SAFE_NEGOTIATION', 21) ssl_renegotiate_requires_xtn = getattr( ssl, 'SSL_RENEGOTIATE_REQUIRES_XTN', 2) # Create the socket here so we can do things like let the caller # override the NSS callbacks self.sock = ssl.SSLSocket(family=self.family) self.sock.set_ssl_option(ssl.SSL_SECURITY, True) self.sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_CLIENT, True) try: self.sock.set_ssl_version_range(self.tls_version_min, self.tls_version_max) except NSPRError: root_logger.error('Failed to set TLS range to %s, %s' % (self.tls_version_min, self.tls_version_max)) raise self.sock.set_ssl_option(ssl_require_safe_negotiation, False) self.sock.set_ssl_option(ssl_enable_renegotiation, ssl_renegotiate_requires_xtn) # Provide a callback which notifies us when the SSL handshake is complete self.sock.set_handshake_callback(self.handshake_callback) # Provide a callback to verify the servers certificate self.sock.set_auth_certificate_callback(auth_certificate_callback, nss.get_default_certdb()) self.sock.set_hostname(self.host)
def _create_socket(self): # TODO: remove the try block once python-nss is guaranteed to contain # these values try: #pylint: disable=E1101 ssl_enable_renegotiation = ssl.SSL_ENABLE_RENEGOTIATION ssl_require_safe_negotiation = ssl.SSL_REQUIRE_SAFE_NEGOTIATION ssl_renegotiate_requires_xtn = ssl.SSL_RENEGOTIATE_REQUIRES_XTN except: ssl_enable_renegotiation = 20 ssl_require_safe_negotiation = 21 ssl_renegotiate_requires_xtn = 2 # Create the socket here so we can do things like let the caller # override the NSS callbacks self.sock = ssl.SSLSocket(family=self.family) self.sock.set_ssl_option(ssl.SSL_SECURITY, True) self.sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_CLIENT, True) try: self.sock.set_ssl_version_range(self.tls_version_min, self.tls_version_max) except NSPRError as e: root_logger.error('Failed to set TLS range to %s, %s' % (self.tls_version_min, self.tls_version_max)) raise self.sock.set_ssl_option(ssl_require_safe_negotiation, False) self.sock.set_ssl_option(ssl_enable_renegotiation, ssl_renegotiate_requires_xtn) # Provide a callback which notifies us when the SSL handshake is complete self.sock.set_handshake_callback(self.handshake_callback) # Provide a callback to verify the servers certificate self.sock.set_auth_certificate_callback(auth_certificate_callback, nss.get_default_certdb()) self.sock.set_hostname(self.host)
def ssl_connect(): print("SSL connect to: %s" % options.hostname) valid_addr = False # Get the IP Address of our server try: addr_info = io.AddrInfo(options.hostname) except: print("ERROR: could not resolve hostname \"%s\"" % options.hostname) return for net_addr in addr_info: net_addr.port = options.port sock = ssl.SSLSocket(net_addr.family) # Set client SSL socket options sock.set_ssl_option(ssl.SSL_SECURITY, True) sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_CLIENT, True) sock.set_hostname(options.hostname) try: sock.set_ssl_version_range("tls1.0", "tls1.3") except NSPRError as e: print("Cannot enable TLS 1.3, {}".format(e)) # Provide a callback which notifies us when the SSL handshake is # complete sock.set_handshake_callback(handshake_callback) try: print("try connecting to: %s" % (net_addr)) sock.connect(net_addr, timeout=io.seconds_to_interval(TIMEOUT_SECS)) print("connected to: %s" % (net_addr)) valid_addr = True break except: continue if not valid_addr: print("ERROR: could not connect to \"%s\"" % options.hostname) return try: # Talk to the server n_received = 0 sock.send(REQUEST.encode('utf-8')) while True: buf = sock.recv(1024) n_received += len(buf) if not buf: break except Exception as e: print(e) sock.shutdown() return sock.shutdown() return
def client(): valid_addr = False # Get the IP Address of our server try: addr_info = io.AddrInfo(options.hostname) except: print("ERROR: could not resolve hostname \"%s\"" % options.hostname) return for net_addr in addr_info: net_addr.port = options.port sock = ssl.SSLSocket(net_addr.family) # Set client SSL socket options sock.set_ssl_option(ssl.SSL_SECURITY, True) sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_CLIENT, True) sock.set_hostname(options.hostname) # Provide a callback which notifies us when the SSL handshake is # complete sock.set_handshake_callback(handshake_callback) # Provide a callback to verify the servers certificate sock.set_auth_certificate_callback(auth_certificate_callback, nss.get_default_certdb()) try: print("try connecting to: %s" % (net_addr)) sock.connect(net_addr, timeout=io.seconds_to_interval(timeout_secs)) print("connected to: %s" % (net_addr)) valid_addr = True break except: continue if not valid_addr: print("ERROR: could not connect to \"%s\"" % options.hostname) return try: # Talk to the server n_received = 0 sock.send(request.encode('utf-8')) while True: buf = sock.recv(1024) n_received += len(buf) if not buf: print("\nclient lost connection, received %d bytes" % (n_received)) break except Exception as e: print(e) sock.shutdown() return sock.shutdown() return
def _create_socket(self, family): self.sock = ssl.SSLSocket(family) self.sock.set_ssl_option(ssl.SSL_SECURITY, True) self.sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_CLIENT, True) self.sock.set_hostname(self.host) # Provide a callback to verify the servers certificate self.sock.set_auth_certificate_callback( self._auth_certificate_callback, self._certdb) self.sock.set_client_auth_data_callback( self._client_auth_data_callback, '', '', self._certdb)
def _create_socket(self, family): self.sock = ssl.SSLSocket(family) self.sock.set_ssl_option(ssl.SSL_SECURITY, True) self.sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_CLIENT, True) self.sock.set_hostname(self.host) # Provide a callback which notifies us when the SSL handshake is complete self.sock.set_handshake_callback(handshake_callback) # Provide a callback to verify the servers certificate self.sock.set_auth_certificate_callback(auth_certificate_callback, nss.get_default_certdb())
def _create_socket(self): # TODO: remove the try block once python-nss is guaranteed to contain # these values try : ssl_enable_renegotiation = SSL_ENABLE_RENEGOTIATION #pylint: disable=E0602 ssl_require_safe_negotiation = SSL_REQUIRE_SAFE_NEGOTIATION #pylint: disable=E0602 ssl_renegotiate_requires_xtn = SSL_RENEGOTIATE_REQUIRES_XTN #pylint: disable=E0602 except : ssl_enable_renegotiation = 20 ssl_require_safe_negotiation = 21 ssl_renegotiate_requires_xtn = 2 # Create the socket here so we can do things like let the caller # override the NSS callbacks self.sock = ssl.SSLSocket(family=self.family) self.sock.set_ssl_option(ssl.SSL_SECURITY, True) self.sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_CLIENT, True) try: self.sock.set_ssl_version_range(self.tls_version_min, self.tls_version_max) except NSPRError, e: root_logger.error('Failed to set TLS range to %s, %s' % (self.tls_version_min, self.tls_version_max)) raise
print("supported ssl version (asEnum): %s" % (ssl.get_supported_ssl_version_range(), )) # Query and print default SSL Library Versions print() print("default ssl version (asString): %s" % (ssl.get_default_ssl_version_range(repr_kind=nss.AsString), )) print("default ssl version (asEnumName): %s" % (ssl.get_default_ssl_version_range(repr_kind=nss.AsEnumName), )) print("default ssl version (asEnum): %s" % (ssl.get_default_ssl_version_range(), )) # Equivalent calls on a SSL Socket sock = ssl.SSLSocket() sock.set_ssl_option(ssl.SSL_SECURITY, True) print() print("Initial Socket version range") print("socket ssl version (asString): %s" % (sock.get_ssl_version_range(repr_kind=nss.AsString), )) print("socket ssl version (asEnumName): %s" % (sock.get_ssl_version_range(repr_kind=nss.AsEnumName), )) print("socket ssl version (asEnum): %s" % (sock.get_ssl_version_range(), )) # Note, setting the version range can be done either with an # enumeration constant (e.g. ssl.SSL_LIBRARY_VERSION_TLS_1_1) # or with a friendly name (e.g. 'tls1.1') # Set with enumeration constants
def server(): if verbose: print("starting server:") # Initialize # Setup an IP Address to listen on any of our interfaces net_addr = io.NetworkAddress(io.PR_IpAddrAny, port) if use_ssl: if info: print("server: using SSL") ssl.set_domestic_policy() nss.set_password_callback(password_callback) # Perform basic SSL server configuration ssl.set_default_cipher_pref(ssl.SSL_RSA_WITH_NULL_MD5, True) ssl.config_server_session_id_cache() # Get our certificate and private key server_cert = nss.find_cert_from_nickname(server_nickname, password) priv_key = nss.find_key_by_any_cert(server_cert, password) server_cert_kea = server_cert.find_kea_type() #if verbose: # print("server cert:\n%s" % server_cert) sock = ssl.SSLSocket(net_addr.family) # Set server SSL socket options sock.set_pkcs11_pin_arg(password) sock.set_ssl_option(ssl.SSL_SECURITY, True) sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_SERVER, True) # If we're doing client authentication then set it up if client_cert_action >= REQUEST_CLIENT_CERT_ONCE: sock.set_ssl_option(ssl.SSL_REQUEST_CERTIFICATE, True) if client_cert_action == REQUIRE_CLIENT_CERT_ONCE: sock.set_ssl_option(ssl.SSL_REQUIRE_CERTIFICATE, True) sock.set_auth_certificate_callback(auth_certificate_callback, nss.get_default_certdb()) # Configure the server SSL socket sock.config_secure_server(server_cert, priv_key, server_cert_kea) else: sock = io.Socket(net_addr.family) # Bind to our network address and listen for clients sock.bind(net_addr) if verbose: print("listening on: %s" % (net_addr)) sock.listen() while True: # Accept a connection from a client client_sock, client_addr = sock.accept() if use_ssl: client_sock.set_handshake_callback(handshake_callback) if verbose: print("client connect from: %s" % (client_addr)) while True: try: # Handle the client connection buf = client_sock.readline( ) # newline is protocol record separator if not buf: print("server: lost lost connection to %s" % (client_addr), file=sys.stderr) break buf = buf.decode('utf-8') buf = buf.rstrip() # remove newline record separator if info: print("server: received \"%s\"" % (buf)) reply = "{%s}" % buf # echo embedded inside braces if info: print("server: sending \"%s\"" % (reply)) data = reply + "\n" # send echo with record separator client_sock.send(data.encode('utf-8')) time.sleep(sleep_time) client_sock.shutdown() client_sock.close() break except Exception as e: print("server: %s" % e, file=sys.stderr) break break # Clean up sock.shutdown() sock.close() if use_ssl: ssl.shutdown_server_session_id_cache()
def client(request): if use_ssl: if info: print("client: using SSL") ssl.set_domestic_policy() # Get the IP Address of our server try: addr_info = io.AddrInfo(hostname) except Exception as e: print("client: could not resolve host address \"%s\"" % hostname, file=sys.stderr) return for net_addr in addr_info: net_addr.port = port if use_ssl: sock = ssl.SSLSocket(net_addr.family) # Set client SSL socket options sock.set_ssl_option(ssl.SSL_SECURITY, True) sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_CLIENT, True) sock.set_hostname(hostname) # Provide a callback which notifies us when the SSL handshake is complete sock.set_handshake_callback(handshake_callback) # Provide a callback to supply our client certificate info sock.set_client_auth_data_callback(client_auth_data_callback, client_nickname, password, nss.get_default_certdb()) # Provide a callback to verify the servers certificate sock.set_auth_certificate_callback(auth_certificate_callback, nss.get_default_certdb()) else: sock = io.Socket(net_addr.family) try: if verbose: print("client trying connection to: %s" % (net_addr)) sock.connect(net_addr, timeout=io.seconds_to_interval(timeout_secs)) if verbose: print("client connected to: %s" % (net_addr)) break except Exception as e: sock.close() print("client: connection to: %s failed (%s)" % (net_addr, e), file=sys.stderr) # Talk to the server try: if info: print("client: sending \"%s\"" % (request)) data = request + "\n" # newline is protocol record separator sock.send(data.encode('utf-8')) buf = sock.readline() if not buf: print("client: lost connection", file=sys.stderr) sock.close() return buf = buf.decode('utf-8') buf = buf.rstrip() # remove newline record separator if info: print("client: received \"%s\"" % (buf)) except Exception as e: print("client: %s" % e, file=sys.stderr) try: sock.close() except: pass return try: sock.shutdown() except Exception as e: print("client: %s" % e, file=sys.stderr) try: sock.close() if use_ssl: ssl.clear_session_cache() except Exception as e: print("client: %s" % e, file=sys.stderr) return buf
def server(): global family if verbose: print "starting server:" # Initialize # Setup an IP Address to listen on any of our interfaces if family == io.PR_AF_UNSPEC: family = io.PR_AF_INET net_addr = io.NetworkAddress(io.PR_IpAddrAny, port, family) if use_ssl: if info: print "server: using SSL" ssl.set_domestic_policy() nss.set_password_callback(password_callback) # Perform basic SSL server configuration ssl.set_default_cipher_pref(ssl.SSL_RSA_WITH_NULL_MD5, True) ssl.config_server_session_id_cache() # Get our certificate and private key server_cert = nss.find_cert_from_nickname(server_nickname, password) priv_key = nss.find_key_by_any_cert(server_cert, password) server_cert_kea = server_cert.find_kea_type() #if verbose: print "server cert:\n%s" % server_cert sock = ssl.SSLSocket(net_addr.family) # Set server SSL socket options sock.set_pkcs11_pin_arg(password) sock.set_ssl_option(ssl.SSL_SECURITY, True) sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_SERVER, True) # If we're doing client authentication then set it up if client_cert_action >= REQUEST_CLIENT_CERT_ONCE: sock.set_ssl_option(ssl.SSL_REQUEST_CERTIFICATE, True) if client_cert_action == REQUIRE_CLIENT_CERT_ONCE: sock.set_ssl_option(ssl.SSL_REQUIRE_CERTIFICATE, True) sock.set_auth_certificate_callback(auth_certificate_callback, nss.get_default_certdb()) # Configure the server SSL socket sock.config_secure_server(server_cert, priv_key, server_cert_kea) else: sock = io.Socket(net_addr.family) # Bind to our network address and listen for clients sock.bind(net_addr) if verbose: print "listening on: %s" % (net_addr) sock.listen() while True: # Accept a connection from a client client_sock, client_addr = sock.accept() if use_ssl: client_sock.set_handshake_callback(handshake_callback) if verbose: print "client connect from: %s" % (client_addr) while True: try: # Handle the client connection buf = client_sock.recv(1024) if not buf: print >> sys.stderr, "server: lost lost connection to %s" % ( client_addr) break if info: print "server: received \"%s\"" % (buf) reply = "{%s}" % buf # echo if info: print "server: sending \"%s\"" % (reply) client_sock.send(reply) # echo time.sleep(sleep_time) client_sock.shutdown() client_sock.close() break except Exception, e: print >> sys.stderr, "server: %s" % e break break
valid_addr = False # Get the IP Address of our server try: addr_info = io.AddrInfo(hostname) except Exception, e: print >> sys.stderr, "client: could not resolve host address \"%s\"" % hostname return for net_addr in addr_info: if family != io.PR_AF_UNSPEC: if net_addr.family != family: continue net_addr.port = port if use_ssl: sock = ssl.SSLSocket(net_addr.family) # Set client SSL socket options sock.set_ssl_option(ssl.SSL_SECURITY, True) sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_CLIENT, True) sock.set_hostname(hostname) # Provide a callback which notifies us when the SSL handshake is complete sock.set_handshake_callback(handshake_callback) # Provide a callback to supply our client certificate info sock.set_client_auth_data_callback(client_auth_data_callback, client_nickname, password, nss.get_default_certdb()) # Provide a callback to verify the servers certificate
def Server(): global family # Perform basic SSL server configuration ssl.set_default_cipher_pref(ssl.SSL_RSA_WITH_NULL_MD5, True) ssl.config_server_session_id_cache() # Get our certificate and private key server_cert = nss.find_cert_from_nickname(server_nickname, password) priv_key = nss.find_key_by_any_cert(server_cert, password) server_cert_kea = server_cert.find_kea_type() print "server cert:\n%s" % server_cert # Setup an IP Address to listen on any of our interfaces if family == io.PR_AF_UNSPEC: family = io.PR_AF_INET net_addr = io.NetworkAddress(io.PR_IpAddrAny, port, family) if use_ssl: sock = ssl.SSLSocket(net_addr.family) # Set server SSL socket options sock.set_pkcs11_pin_arg(password) sock.set_ssl_option(ssl.SSL_SECURITY, True) sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_SERVER, True) # If we're doing client authentication then set it up if client_cert_action >= REQUEST_CLIENT_CERT_ONCE: sock.set_ssl_option(ssl.SSL_REQUEST_CERTIFICATE, True) if client_cert_action == REQUIRE_CLIENT_CERT_ONCE: sock.set_ssl_option(ssl.SSL_REQUIRE_CERTIFICATE, True) sock.set_auth_certificate_callback(auth_certificate_callback, nss.get_default_certdb()) # Configure the server SSL socket sock.config_secure_server(server_cert, priv_key, server_cert_kea) else: sock = io.Socket(net_addr.family) # Bind to our network address and listen for clients sock.bind(net_addr) print "listening on: %s" % (net_addr) sock.listen() while True: # Accept a connection from a client client_sock, client_addr = sock.accept() if use_ssl: client_sock.set_handshake_callback(handshake_callback) print "client connect from: %s" % (client_addr) while True: try: # Handle the client connection buf = client_sock.recv(1024) if not buf: print "server lost lost connection to %s" % (client_addr) break print "server received: %s" % (buf) client_sock.send("Goodbye") try: client_sock.shutdown(io.PR_SHUTDOWN_RCV) client_sock.close() except: pass break except Exception, e: print e.strerror break break
def Server(): # Setup an IP Address to listen on any of our interfaces if options.family == io.PR_AF_UNSPEC: options.family = io.PR_AF_INET net_addr = io.NetworkAddress(io.PR_IpAddrAny, options.port, options.family) if options.use_ssl: # Perform basic SSL server configuration ssl.set_default_cipher_pref(ssl.SSL_RSA_WITH_NULL_MD5, True) ssl.config_server_session_id_cache() # Get our certificate and private key server_cert = nss.find_cert_from_nickname(options.server_nickname, options.password) priv_key = nss.find_key_by_any_cert(server_cert, options.password) server_cert_kea = server_cert.find_kea_type() print("server cert:\n%s" % server_cert) sock = ssl.SSLSocket(net_addr.family) # Set server SSL socket options sock.set_pkcs11_pin_arg(options.password) sock.set_ssl_option(ssl.SSL_SECURITY, True) sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_SERVER, True) # If we're doing client authentication then set it up if options.client_cert_action >= REQUEST_CLIENT_CERT_ONCE: sock.set_ssl_option(ssl.SSL_REQUEST_CERTIFICATE, True) if options.client_cert_action == REQUIRE_CLIENT_CERT_ONCE: sock.set_ssl_option(ssl.SSL_REQUIRE_CERTIFICATE, True) sock.set_auth_certificate_callback(auth_certificate_callback, nss.get_default_certdb()) # Configure the server SSL socket sock.config_secure_server(server_cert, priv_key, server_cert_kea) else: sock = io.Socket(net_addr.family) # Bind to our network address and listen for clients sock.bind(net_addr) print("listening on: %s" % (net_addr)) sock.listen() while True: # Accept a connection from a client client_sock, client_addr = sock.accept() if options.use_ssl: client_sock.set_handshake_callback(handshake_callback) print("client connect from: %s" % (client_addr)) while True: try: # Handle the client connection buf = client_sock.readline() if not buf: print("server lost lost connection to %s" % (client_addr)) break buf = buf.decode('utf-8') buf = buf.rstrip() # remove newline record separator print("server received: %s" % (buf)) data = 'Goodbye' + '\n' # newline is protocol record separator client_sock.send(data.encode('utf-8')) try: client_sock.shutdown(io.PR_SHUTDOWN_RCV) client_sock.close() except: pass break except Exception as e: print(e.strerror) break break try: sock.shutdown() sock.close() if options.use_ssl: ssl.shutdown_server_session_id_cache() except Exception as e: print(e) pass
def Client(): valid_addr = False # Get the IP Address of our server try: addr_info = io.AddrInfo(options.hostname) except Exception as e: print("could not resolve host address \"%s\"" % options.hostname) return for net_addr in addr_info: if options.family != io.PR_AF_UNSPEC: if net_addr.family != options.family: continue net_addr.port = options.port if options.use_ssl: sock = ssl.SSLSocket(net_addr.family) # Set client SSL socket options sock.set_ssl_option(ssl.SSL_SECURITY, True) sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_CLIENT, True) sock.set_hostname(options.hostname) # Provide a callback which notifies us when the SSL handshake is complete sock.set_handshake_callback(handshake_callback) # Provide a callback to supply our client certificate info sock.set_client_auth_data_callback( client_auth_data_callback, options.client_nickname, options.password, nss.get_default_certdb(), ) # Provide a callback to verify the servers certificate sock.set_auth_certificate_callback(auth_certificate_callback, nss.get_default_certdb()) else: sock = io.Socket(net_addr.family) try: print("client trying connection to: %s" % (net_addr)) sock.connect(net_addr, timeout=io.seconds_to_interval(timeout_secs)) print("client connected to: %s" % (net_addr)) valid_addr = True break except Exception as e: sock.close() print("client connection to: %s failed (%s)" % (net_addr, e)) if not valid_addr: print("Could not establish valid address for \"%s\" in family %s" % (options.hostname, io.addr_family_name(options.family))) return # Talk to the server try: data = 'Hello' + '\n' # newline is protocol record separator sock.send(data.encode('utf-8')) buf = sock.readline() if not buf: print("client lost connection") sock.close() return buf = buf.decode('utf-8') buf = buf.rstrip() # remove newline record separator print("client received: %s" % (buf)) except Exception as e: print(e.strerror) try: sock.close() except: pass return # End of (simple) protocol session? if buf == 'Goodbye': try: sock.shutdown() except: pass try: sock.close() if options.use_ssl: ssl.clear_session_cache() except Exception as e: print(e)