Exemplo n.º 1
0
    def _identityVerifyingInfoCallback(self, connection, where, ret):
        if where & SSL.SSL_CB_HANDSHAKE_START:
            connection.set_tlsext_host_name(self._hostnameBytes)
        elif where & SSL.SSL_CB_HANDSHAKE_DONE:
            if self.verbose_logging:
                logger.debug('SSL connection to %s using protocol %s, cipher %s',
                             self._hostnameASCII,
                             connection.get_protocol_version_name(),
                             connection.get_cipher_name(),
                             )
                server_cert = connection.get_peer_certificate()
                logger.debug('SSL connection certificate: issuer "%s", subject "%s"',
                             x509name_to_string(server_cert.get_issuer()),
                             x509name_to_string(server_cert.get_subject()),
                             )
                key_info = get_temp_key_info(connection._ssl)
                if key_info:
                    logger.debug('SSL temp key: %s', key_info)

            try:
                verifyHostname(connection, self._hostnameASCII)
            except (CertificateError, VerificationError) as e:
                logger.warning(
                    'Remote certificate is not valid for hostname "%s"; %s',
                    self._hostnameASCII, e)

            except ValueError as e:
                logger.warning(
                    'Ignoring error while verifying certificate '
                    'from host "%s" (exception: %r)',
                    self._hostnameASCII, e)
Exemplo n.º 2
0
    def _identityVerifyingInfoCallback(self, connection, where, ret):
        """
        U{info_callback
        <http://pythonhosted.org/pyOpenSSL/api/ssl.html#OpenSSL.SSL.Context.set_info_callback>
        } for pyOpenSSL that verifies the hostname in the presented certificate
        matches the one passed to this L{ClientTLSOptions}.

        @param connection: the connection which is handshaking.
        @type connection: L{OpenSSL.SSL.Connection}

        @param where: flags indicating progress through a TLS handshake.
        @type where: L{int}

        @param ret: ignored
        @type ret: ignored
        """
        if where & SSL_CB_HANDSHAKE_DONE:
            try:
                hostname = self.peerName.decode("utf-8") if isinstance(
                    self.peerName, str) else self.peerName
                verifyHostname(connection, hostname)
            except VerificationError:
                f = Failure()
                transport = connection.get_app_data()
                transport.failVerification(f)
Exemplo n.º 3
0
 def _identityVerifyingInfoCallback(self, connection, where, ret):
     if where & SSL_CB_HANDSHAKE_START:
         _maybeSetHostNameIndication(connection, self._hostnameBytes)
     elif where & SSL_CB_HANDSHAKE_DONE:
         try:
             verifyHostname(connection, self._hostnameASCII)
         except VerificationError as e:
             logger.warning(e)
Exemplo n.º 4
0
 def _identityVerifyingInfoCallback(self, connection, where, ret):
     if where & SSL_CB_HANDSHAKE_START:
         _maybeSetHostNameIndication(connection, self._hostnameBytes)
     elif where & SSL_CB_HANDSHAKE_DONE:
         try:
             verifyHostname(connection, self._hostnameASCII)
         except VerificationError as e:
             logger.warning(e)
Exemplo n.º 5
0
 def _identityVerifyingInfoCallback(self, connection, where, ret):
     if where & SSL_CB_HANDSHAKE_START:
         _maybeSetHostNameIndication(connection, self._hostnameBytes)
     elif where & SSL_CB_HANDSHAKE_DONE:
         try:
             verifyHostname(connection, self._hostnameASCII)
         except VerificationError as e:
             logger.warning(
                 'Remote certificate is not valid for hostname "{}"; {}'
                 .format(self._hostnameASCII, e))
Exemplo n.º 6
0
 def _identityVerifyingInfoCallback(self, connection, where, ret):
     if where & SSL_CB_HANDSHAKE_START:
         _maybeSetHostNameIndication(connection, self._hostnameBytes)
     elif where & SSL_CB_HANDSHAKE_DONE:
         try:
             verifyHostname(connection, self._hostnameASCII)
         except VerificationError as e:
             logger.warning(
                 'Remote certificate is not valid for hostname "{}"; {}'.format(
                     self._hostnameASCII, e))
Exemplo n.º 7
0
    def _identityVerifyingInfoCallback(self, connection, where, ret):
        if where & SSL_CB_HANDSHAKE_START:
            _maybeSetHostNameIndication(connection, self._hostnameBytes)
        elif where & SSL_CB_HANDSHAKE_DONE:
            try:
                verifyHostname(connection, self._hostnameASCII)
            except VerificationError as e:
                log.warn(
                    'Remote certificate is not valid for hostname "{}"; {}'.
                    format(self._hostnameASCII, e))

            except ValueError as e:
                log.warn('Ignoring error while verifying certificate '
                         'from host "{}" (exception: {})'.format(
                             self._hostnameASCII, repr(e)))
Exemplo n.º 8
0
    def _identityVerifyingInfoCallback(self, connection, where, ret):
        if where & SSL_CB_HANDSHAKE_START:
            _maybeSetHostNameIndication(connection, self._hostnameBytes)
        elif where & SSL_CB_HANDSHAKE_DONE:
            try:
                verifyHostname(connection, self._hostnameASCII)
            except VerificationError as e:
                log.warn(
                    'Remote certificate is not valid for hostname "{}"; {}'.format(
                        self._hostnameASCII, e))

            except ValueError as e:
                log.warn(
                    'Ignoring error while verifying certificate '
                    'from host "{}" (exception: {})'.format(
                        self._hostnameASCII, repr(e)))
Exemplo n.º 9
0
        def _identityVerifyingInfoCallback(self, connection, where, ret):
            if where & SSL_CB_HANDSHAKE_START:
                set_tlsext_host_name(connection, self._hostnameBytes)
            elif where & SSL_CB_HANDSHAKE_DONE:
                if self.verbose_logging:
                    if hasattr(connection,
                               'get_cipher_name'):  # requires pyOPenSSL 0.15
                        if hasattr(connection, 'get_protocol_version_name'
                                   ):  # requires pyOPenSSL 16.0.0
                            logger.debug(
                                'SSL connection to %s using protocol %s, cipher %s',
                                self._hostnameASCII,
                                connection.get_protocol_version_name(),
                                connection.get_cipher_name(),
                            )
                        else:
                            logger.debug(
                                'SSL connection to %s using cipher %s',
                                self._hostnameASCII,
                                connection.get_cipher_name(),
                            )
                    server_cert = connection.get_peer_certificate()
                    logger.debug(
                        'SSL connection certificate: issuer "%s", subject "%s"',
                        x509name_to_string(server_cert.get_issuer()),
                        x509name_to_string(server_cert.get_subject()),
                    )
                    key_info = get_temp_key_info(connection._ssl)
                    if key_info:
                        logger.debug('SSL temp key: %s', key_info)

                try:
                    verifyHostname(connection, self._hostnameASCII)
                except verification_errors as e:
                    logger.warning(
                        'Remote certificate is not valid for hostname "{}"; {}'
                        .format(self._hostnameASCII, e))

                except ValueError as e:
                    logger.warning(
                        'Ignoring error while verifying certificate '
                        'from host "{}" (exception: {})'.format(
                            self._hostnameASCII, repr(e)))
Exemplo n.º 10
0
    def _identityVerifyingInfoCallback(self, connection, where, ret):
        """
        Override the base implementation to provide better hostname verification.

        @param connection: the connection which is handshaking.
        @type connection: L{OpenSSL.SSL.Connection}

        @param where: flags indicating progress through a TLS handshake.
        @type where: L{int}

        @param ret: ignored
        @type ret:  ignored
        """
        if where & SSL.SSL_CB_HANDSHAKE_START:
            connection.set_tlsext_host_name(self._hostnameBytes)
        elif where & SSL.SSL_CB_HANDSHAKE_DONE:
            if self._ctx.get_verify_mode() != SSL.VERIFY_NONE:
                try:
                    verifyHostname(connection, self._hostnameASCII)
                except VerificationError as ex:
                    log.error(str(ex))
                    f = Failure()
                    transport = connection.get_app_data()
                    transport.failVerification(f)