def init(self):
if nss.nss_is_initialized():
return
if _password_callback is not None:
nss.set_password_callback(_password_callback)
nss.nss_init(_certdb)
ssl.set_domestic_policy()
def init(self):
if nss.nss_is_initialized():
return
if _password_callback is not None:
nss.set_password_callback(_password_callback)
nss.nss_init(_certdb)
ssl.set_domestic_policy()
def __init__(self, host, port=None, strict=None, dbdir=None):
httplib.HTTPConnection.__init__(self, host, port, strict)
if not dbdir:
raise RuntimeError("dbdir is required")
logging.debug('%s init %s', self.__class__.__name__, host)
if not nss.nss_is_initialized(): nss.nss_init(dbdir)
self.sock = None
ssl.set_domestic_policy()
nss.set_password_callback(password_callback)
def __init__(self, host, port=None, strict=None, dbdir=None):
six.moves.http_client.HTTPConnection.__init__(self, host, port, strict)
if not dbdir:
raise RuntimeError("dbdir is required")
logging.debug('%s init host=%s dbdir=%s', self.__class__.__name__, host, dbdir)
if not nss.nss_is_initialized(): nss.nss_init(dbdir)
self.sock = None
ssl.set_domestic_policy()
nss.set_password_callback(password_callback)
def initialize_nss(dbdir):
"""Initialize NSS
nss_init() initializes NSS and the DB globally.
"""
# global settings
nss.nss_init(dbdir)
ssl.set_domestic_policy()
ssl.clear_session_cache()
# thread local callback
nss.set_password_callback(password_callback)
def client(request):
if use_ssl:
if info: print "client: using SSL"
ssl.set_domestic_policy()
valid_addr = False
# Get the IP Address of our server
try:
addr_info = io.AddrInfo(hostname)
except Exception, e:
print >>sys.stderr, "client: could not resolve host address \"%s\"" % hostname
return
def client(request):
if use_ssl:
if info: print "client: using SSL"
ssl.set_domestic_policy()
valid_addr = False
# Get the IP Address of our server
try:
addr_info = io.AddrInfo(hostname)
except Exception, e:
print >> sys.stderr, "client: could not resolve host address \"%s\"" % hostname
return
def __init__(self,
host,
port=None,
strict=None,
dbdir=None,
family=socket.AF_UNSPEC,
no_init=False,
tls_version_min='tls1.1',
tls_version_max='tls1.2'):
"""
:param host: the server to connect to
:param port: the port to use (default is set in HTTPConnection)
:param dbdir: the NSS database directory
:param family: network family to use (default AF_UNSPEC)
:param no_init: do not initialize the NSS database. This requires
that the database has already been initialized or
the request will fail.
:param tls_min_version: mininum version of SSL/TLS supported
:param tls_max_version: maximum version of SSL/TLS supported.
"""
httplib.HTTPConnection.__init__(self, host, port, strict)
NSSAddressFamilyFallback.__init__(self, family)
root_logger.debug('%s init %s', self.__class__.__name__, host)
# If initialization is requested, initialize the new database.
if not no_init:
if nss.nss_is_initialized():
ssl.clear_session_cache()
try:
nss.nss_shutdown()
except NSPRError as e:
if e.errno != error.SEC_ERROR_NOT_INITIALIZED:
raise e
if not dbdir:
raise RuntimeError("dbdir is required")
nss.nss_init(dbdir)
global current_dbdir
current_dbdir = dbdir
ssl.set_domestic_policy()
nss.set_password_callback(self.password_callback)
tls_versions = get_proper_tls_version_span(tls_version_min,
tls_version_max)
self.tls_version_min = tls_versions[0]
self.tls_version_max = tls_versions[-1]
def __init__(
self,
host,
port=None,
strict=None,
dbdir=None,
family=socket.AF_UNSPEC,
no_init=False,
tls_version_min="tls1.1",
tls_version_max="tls1.2",
):
"""
:param host: the server to connect to
:param port: the port to use (default is set in HTTPConnection)
:param dbdir: the NSS database directory
:param family: network family to use (default AF_UNSPEC)
:param no_init: do not initialize the NSS database. This requires
that the database has already been initialized or
the request will fail.
:param tls_min_version: mininum version of SSL/TLS supported
:param tls_max_version: maximum version of SSL/TLS supported.
"""
httplib.HTTPConnection.__init__(self, host, port, strict)
NSSAddressFamilyFallback.__init__(self, family)
root_logger.debug("%s init %s", self.__class__.__name__, host)
# If initialization is requested, initialize the new database.
if not no_init:
if nss.nss_is_initialized():
ssl.clear_session_cache()
try:
nss.nss_shutdown()
except NSPRError as e:
if e.errno != error.SEC_ERROR_NOT_INITIALIZED:
raise e
if not dbdir:
raise RuntimeError("dbdir is required")
nss.nss_init(dbdir)
global current_dbdir
current_dbdir = dbdir
ssl.set_domestic_policy()
nss.set_password_callback(self.password_callback)
self.tls_version_min = str(tls_version_min)
self.tls_version_max = str(tls_version_max)
def server():
global family
if verbose: print "starting server:"
# Initialize
# Setup an IP Address to listen on any of our interfaces
if family == io.PR_AF_UNSPEC:
family = io.PR_AF_INET
net_addr = io.NetworkAddress(io.PR_IpAddrAny, port, family)
if use_ssl:
if info: print "server: using SSL"
ssl.set_domestic_policy()
nss.set_password_callback(password_callback)
# Perform basic SSL server configuration
ssl.set_default_cipher_pref(ssl.SSL_RSA_WITH_NULL_MD5, True)
ssl.config_server_session_id_cache()
# Get our certificate and private key
server_cert = nss.find_cert_from_nickname(server_nickname, password)
priv_key = nss.find_key_by_any_cert(server_cert, password)
server_cert_kea = server_cert.find_kea_type();
#if verbose: print "server cert:\n%s" % server_cert
sock = ssl.SSLSocket(net_addr.family)
# Set server SSL socket options
sock.set_pkcs11_pin_arg(password)
sock.set_ssl_option(ssl.SSL_SECURITY, True)
sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_SERVER, True)
# If we're doing client authentication then set it up
if client_cert_action >= REQUEST_CLIENT_CERT_ONCE:
sock.set_ssl_option(ssl.SSL_REQUEST_CERTIFICATE, True)
if client_cert_action == REQUIRE_CLIENT_CERT_ONCE:
sock.set_ssl_option(ssl.SSL_REQUIRE_CERTIFICATE, True)
sock.set_auth_certificate_callback(auth_certificate_callback, nss.get_default_certdb())
# Configure the server SSL socket
sock.config_secure_server(server_cert, priv_key, server_cert_kea)
else:
sock = io.Socket(net_addr.family)
# Bind to our network address and listen for clients
sock.bind(net_addr)
if verbose: print "listening on: %s" % (net_addr)
sock.listen()
while True:
# Accept a connection from a client
client_sock, client_addr = sock.accept()
if use_ssl:
client_sock.set_handshake_callback(handshake_callback)
if verbose: print "client connect from: %s" % (client_addr)
while True:
try:
# Handle the client connection
buf = client_sock.recv(1024)
if not buf:
print >>sys.stderr, "server: lost lost connection to %s" % (client_addr)
break
if info: print "server: received \"%s\"" % (buf)
reply = "{%s}" % buf # echo
if info: print "server: sending \"%s\"" % (reply)
client_sock.send(reply) # echo
time.sleep(sleep_time)
client_sock.shutdown()
client_sock.close()
break
except Exception, e:
print >>sys.stderr, "server: %s" % e
break
break
def server():
if verbose:
print("starting server:")
# Initialize
# Setup an IP Address to listen on any of our interfaces
net_addr = io.NetworkAddress(io.PR_IpAddrAny, port)
if use_ssl:
if info:
print("server: using SSL")
ssl.set_domestic_policy()
nss.set_password_callback(password_callback)
# Perform basic SSL server configuration
ssl.set_default_cipher_pref(ssl.SSL_RSA_WITH_NULL_MD5, True)
ssl.config_server_session_id_cache()
# Get our certificate and private key
server_cert = nss.find_cert_from_nickname(server_nickname, password)
priv_key = nss.find_key_by_any_cert(server_cert, password)
server_cert_kea = server_cert.find_kea_type()
#if verbose:
# print("server cert:\n%s" % server_cert)
sock = ssl.SSLSocket(net_addr.family)
# Set server SSL socket options
sock.set_pkcs11_pin_arg(password)
sock.set_ssl_option(ssl.SSL_SECURITY, True)
sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_SERVER, True)
# If we're doing client authentication then set it up
if client_cert_action >= REQUEST_CLIENT_CERT_ONCE:
sock.set_ssl_option(ssl.SSL_REQUEST_CERTIFICATE, True)
if client_cert_action == REQUIRE_CLIENT_CERT_ONCE:
sock.set_ssl_option(ssl.SSL_REQUIRE_CERTIFICATE, True)
sock.set_auth_certificate_callback(auth_certificate_callback,
nss.get_default_certdb())
# Configure the server SSL socket
sock.config_secure_server(server_cert, priv_key, server_cert_kea)
else:
sock = io.Socket(net_addr.family)
# Bind to our network address and listen for clients
sock.bind(net_addr)
if verbose:
print("listening on: %s" % (net_addr))
sock.listen()
while True:
# Accept a connection from a client
client_sock, client_addr = sock.accept()
if use_ssl:
client_sock.set_handshake_callback(handshake_callback)
if verbose:
print("client connect from: %s" % (client_addr))
while True:
try:
# Handle the client connection
buf = client_sock.readline(
) # newline is protocol record separator
if not buf:
print("server: lost lost connection to %s" % (client_addr),
file=sys.stderr)
break
buf = buf.decode('utf-8')
buf = buf.rstrip() # remove newline record separator
if info:
print("server: received \"%s\"" % (buf))
reply = "{%s}" % buf # echo embedded inside braces
if info:
print("server: sending \"%s\"" % (reply))
data = reply + "\n" # send echo with record separator
client_sock.send(data.encode('utf-8'))
time.sleep(sleep_time)
client_sock.shutdown()
client_sock.close()
break
except Exception as e:
print("server: %s" % e, file=sys.stderr)
break
break
# Clean up
sock.shutdown()
sock.close()
if use_ssl:
ssl.shutdown_server_session_id_cache()
def client(request):
if use_ssl:
if info:
print("client: using SSL")
ssl.set_domestic_policy()
# Get the IP Address of our server
try:
addr_info = io.AddrInfo(hostname)
except Exception as e:
print("client: could not resolve host address \"%s\"" % hostname,
file=sys.stderr)
return
for net_addr in addr_info:
net_addr.port = port
if use_ssl:
sock = ssl.SSLSocket(net_addr.family)
# Set client SSL socket options
sock.set_ssl_option(ssl.SSL_SECURITY, True)
sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_CLIENT, True)
sock.set_hostname(hostname)
# Provide a callback which notifies us when the SSL handshake is complete
sock.set_handshake_callback(handshake_callback)
# Provide a callback to supply our client certificate info
sock.set_client_auth_data_callback(client_auth_data_callback,
client_nickname, password,
nss.get_default_certdb())
# Provide a callback to verify the servers certificate
sock.set_auth_certificate_callback(auth_certificate_callback,
nss.get_default_certdb())
else:
sock = io.Socket(net_addr.family)
try:
if verbose:
print("client trying connection to: %s" % (net_addr))
sock.connect(net_addr,
timeout=io.seconds_to_interval(timeout_secs))
if verbose:
print("client connected to: %s" % (net_addr))
break
except Exception as e:
sock.close()
print("client: connection to: %s failed (%s)" % (net_addr, e),
file=sys.stderr)
# Talk to the server
try:
if info:
print("client: sending \"%s\"" % (request))
data = request + "\n"
# newline is protocol record separator
sock.send(data.encode('utf-8'))
buf = sock.readline()
if not buf:
print("client: lost connection", file=sys.stderr)
sock.close()
return
buf = buf.decode('utf-8')
buf = buf.rstrip() # remove newline record separator
if info:
print("client: received \"%s\"" % (buf))
except Exception as e:
print("client: %s" % e, file=sys.stderr)
try:
sock.close()
except:
pass
return
try:
sock.shutdown()
except Exception as e:
print("client: %s" % e, file=sys.stderr)
try:
sock.close()
if use_ssl:
ssl.clear_session_cache()
except Exception as e:
print("client: %s" % e, file=sys.stderr)
return buf
def server():
if verbose:
print("starting server:")
# Initialize
# Setup an IP Address to listen on any of our interfaces
net_addr = io.NetworkAddress(io.PR_IpAddrAny, port)
if use_ssl:
if info:
print("server: using SSL")
ssl.set_domestic_policy()
nss.set_password_callback(password_callback)
# Perform basic SSL server configuration
ssl.set_default_cipher_pref(ssl.SSL_RSA_WITH_NULL_MD5, True)
ssl.config_server_session_id_cache()
# Get our certificate and private key
server_cert = nss.find_cert_from_nickname(server_nickname, password)
priv_key = nss.find_key_by_any_cert(server_cert, password)
server_cert_kea = server_cert.find_kea_type();
#if verbose:
# print("server cert:\n%s" % server_cert)
sock = ssl.SSLSocket(net_addr.family)
# Set server SSL socket options
sock.set_pkcs11_pin_arg(password)
sock.set_ssl_option(ssl.SSL_SECURITY, True)
sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_SERVER, True)
# If we're doing client authentication then set it up
if client_cert_action >= REQUEST_CLIENT_CERT_ONCE:
sock.set_ssl_option(ssl.SSL_REQUEST_CERTIFICATE, True)
if client_cert_action == REQUIRE_CLIENT_CERT_ONCE:
sock.set_ssl_option(ssl.SSL_REQUIRE_CERTIFICATE, True)
sock.set_auth_certificate_callback(auth_certificate_callback, nss.get_default_certdb())
# Configure the server SSL socket
sock.config_secure_server(server_cert, priv_key, server_cert_kea)
else:
sock = io.Socket(net_addr.family)
# Bind to our network address and listen for clients
sock.bind(net_addr)
if verbose:
print("listening on: %s" % (net_addr))
sock.listen()
while True:
# Accept a connection from a client
client_sock, client_addr = sock.accept()
if use_ssl:
client_sock.set_handshake_callback(handshake_callback)
if verbose:
print("client connect from: %s" % (client_addr))
while True:
try:
# Handle the client connection
buf = client_sock.readline() # newline is protocol record separator
if not buf:
print("server: lost lost connection to %s" % (client_addr), file=sys.stderr)
break
buf = buf.decode('utf-8')
buf = buf.rstrip() # remove newline record separator
if info:
print("server: received \"%s\"" % (buf))
reply = "{%s}" % buf # echo embedded inside braces
if info:
print("server: sending \"%s\"" % (reply))
data = reply + "\n" # send echo with record separator
client_sock.send(data.encode('utf-8'))
time.sleep(sleep_time)
client_sock.shutdown()
client_sock.close()
break
except Exception as e:
print("server: %s" % e, file=sys.stderr)
break
break
# Clean up
sock.shutdown()
sock.close()
if use_ssl:
ssl.shutdown_server_session_id_cache()
options = parser.parse_args()
if options.client and options.server:
print("can't be both client and server")
sys.exit(1)
if not (options.client or options.server):
print("must be one of client or server")
sys.exit(1)
# Perform basic configuration and setup
if options.use_ssl:
nss.nss_init(options.db_name)
else:
nss.nss_init_nodb()
ssl.set_domestic_policy()
nss.set_password_callback(password_callback)
min_ssl_version, max_ssl_version = \
ssl.get_supported_ssl_version_range(repr_kind=nss.AsString)
print("Supported SSL version range: min=%s, max=%s" % \
(min_ssl_version, max_ssl_version))
min_ssl_version, max_ssl_version = \
ssl.get_default_ssl_version_range(repr_kind=nss.AsString)
print("Default SSL version range: min=%s, max=%s" % \
(min_ssl_version, max_ssl_version))
if options.min_ssl_version is not None or \
options.max_ssl_version is not None:
def server():
global family
if verbose: print "starting server:"
# Initialize
# Setup an IP Address to listen on any of our interfaces
if family == io.PR_AF_UNSPEC:
family = io.PR_AF_INET
net_addr = io.NetworkAddress(io.PR_IpAddrAny, port, family)
if use_ssl:
if info: print "server: using SSL"
ssl.set_domestic_policy()
nss.set_password_callback(password_callback)
# Perform basic SSL server configuration
ssl.set_default_cipher_pref(ssl.SSL_RSA_WITH_NULL_MD5, True)
ssl.config_server_session_id_cache()
# Get our certificate and private key
server_cert = nss.find_cert_from_nickname(server_nickname, password)
priv_key = nss.find_key_by_any_cert(server_cert, password)
server_cert_kea = server_cert.find_kea_type()
#if verbose: print "server cert:\n%s" % server_cert
sock = ssl.SSLSocket(net_addr.family)
# Set server SSL socket options
sock.set_pkcs11_pin_arg(password)
sock.set_ssl_option(ssl.SSL_SECURITY, True)
sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_SERVER, True)
# If we're doing client authentication then set it up
if client_cert_action >= REQUEST_CLIENT_CERT_ONCE:
sock.set_ssl_option(ssl.SSL_REQUEST_CERTIFICATE, True)
if client_cert_action == REQUIRE_CLIENT_CERT_ONCE:
sock.set_ssl_option(ssl.SSL_REQUIRE_CERTIFICATE, True)
sock.set_auth_certificate_callback(auth_certificate_callback,
nss.get_default_certdb())
# Configure the server SSL socket
sock.config_secure_server(server_cert, priv_key, server_cert_kea)
else:
sock = io.Socket(net_addr.family)
# Bind to our network address and listen for clients
sock.bind(net_addr)
if verbose: print "listening on: %s" % (net_addr)
sock.listen()
while True:
# Accept a connection from a client
client_sock, client_addr = sock.accept()
if use_ssl:
client_sock.set_handshake_callback(handshake_callback)
if verbose: print "client connect from: %s" % (client_addr)
while True:
try:
# Handle the client connection
buf = client_sock.recv(1024)
if not buf:
print >> sys.stderr, "server: lost lost connection to %s" % (
client_addr)
break
if info: print "server: received \"%s\"" % (buf)
reply = "{%s}" % buf # echo
if info: print "server: sending \"%s\"" % (reply)
client_sock.send(reply) # echo
time.sleep(sleep_time)
client_sock.shutdown()
client_sock.close()
break
except Exception, e:
print >> sys.stderr, "server: %s" % e
break
break
parser.set_defaults(
db_name='sql:pki',
hostname='www.verisign.com',
port=443,
enumerate_cipher_suites=True,
ssl_connect=True,
use_properties=False,
)
options = parser.parse_args()
# Perform basic configuration and setup
try:
nss.nss_init(options.db_name)
ssl.set_domestic_policy()
except Exception as e:
print(str(e), file=sys.stderr)
sys.exit(1)
if options.enumerate_cipher_suites:
suite_info = ssl.get_cipher_suite_info(ssl.ssl_implemented_ciphers[0])
print("There are %d implemented ciphers" %
(len(ssl.ssl_implemented_ciphers)))
for cipher in ssl.ssl_implemented_ciphers:
suite_info = ssl.get_cipher_suite_info(cipher)
print(suite_info)
print()
def client(request):
if use_ssl:
if info:
print("client: using SSL")
ssl.set_domestic_policy()
# Get the IP Address of our server
try:
addr_info = io.AddrInfo(hostname)
except Exception as e:
print("client: could not resolve host address \"%s\"" % hostname, file=sys.stderr)
return
for net_addr in addr_info:
net_addr.port = port
if use_ssl:
sock = ssl.SSLSocket(net_addr.family)
# Set client SSL socket options
sock.set_ssl_option(ssl.SSL_SECURITY, True)
sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_CLIENT, True)
sock.set_hostname(hostname)
# Provide a callback which notifies us when the SSL handshake is complete
sock.set_handshake_callback(handshake_callback)
# Provide a callback to supply our client certificate info
sock.set_client_auth_data_callback(client_auth_data_callback, client_nickname,
password, nss.get_default_certdb())
# Provide a callback to verify the servers certificate
sock.set_auth_certificate_callback(auth_certificate_callback,
nss.get_default_certdb())
else:
sock = io.Socket(net_addr.family)
try:
if verbose:
print("client trying connection to: %s" % (net_addr))
sock.connect(net_addr, timeout=io.seconds_to_interval(timeout_secs))
if verbose:
print("client connected to: %s" % (net_addr))
break
except Exception as e:
sock.close()
print("client: connection to: %s failed (%s)" % (net_addr, e), file=sys.stderr)
# Talk to the server
try:
if info:
print("client: sending \"%s\"" % (request))
data = request + "\n"; # newline is protocol record separator
sock.send(data.encode('utf-8'))
buf = sock.readline()
if not buf:
print("client: lost connection", file=sys.stderr)
sock.close()
return
buf = buf.decode('utf-8')
buf = buf.rstrip() # remove newline record separator
if info:
print("client: received \"%s\"" % (buf))
except Exception as e:
print("client: %s" % e, file=sys.stderr)
try:
sock.close()
except:
pass
return
try:
sock.shutdown()
except Exception as e:
print("client: %s" % e, file=sys.stderr)
try:
sock.close()
if use_ssl:
ssl.clear_session_cache()
except Exception as e:
print("client: %s" % e, file=sys.stderr)
return buf
