def printcert(host, port, hostname): con = Connection(Context(TLSv1_METHOD), socket(AF_INET, SOCK_STREAM)) con.connect((host, port)) con.set_tlsext_host_name(hostname if hostname else host) con.do_handshake() con.shutdown() con.close() print dump_certificate(FILETYPE_PEM, walkchain(con.get_peer_cert_chain()))
def verify_cert(host, ca, timeout): server_ctx = Context(TLSv1_METHOD) server_cert_chain = [] if os.path.isdir(ca): server_ctx.load_verify_locations(None, ca) else: server_ctx.load_verify_locations(ca, None) def verify_cb(conn, cert, errnum, depth, ok): server_cert_chain.append(cert) return ok server_ctx.set_verify(VERIFY_PEER, verify_cb) sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.setblocking(1) sock.settimeout(timeout) sock.connect((host, 443)) server_conn = Connection(server_ctx, sock) server_conn.set_connect_state() def iosock_try(): ok = True try: server_conn.do_handshake() sleep(0.5) except SSLWantReadError as e: ok = False pass except Exception as e: raise e return ok try: while True: if iosock_try(): break server_subject = server_cert_chain[-1].get_subject() if host != server_subject.CN: raise SSLError('Server certificate CN does not match %s' % host) except SSLError as e: raise e finally: server_conn.shutdown() server_conn.close() return True
def server_ok(serverarg, capath, timeout): "Check if the server is active and responsive" server_ctx = Context(TLSv1_METHOD) server_ctx.load_verify_locations(None, capath) def verify_cb(conn, cert, errnum, depth, ok): return ok server_ctx.set_verify(VERIFY_PEER|VERIFY_FAIL_IF_NO_PEER_CERT, verify_cb) serverarg = re.split("/*", serverarg)[1] if ':' in serverarg: serverarg = serverarg.split(':') server = serverarg[0] port = int(serverarg[1] if not '?' in serverarg[1] else serverarg[1].split('?')[0]) else: server = serverarg port = DEFAULT_PORT try: sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.connect((server, port)) server_conn = Connection(server_ctx, sock) server_conn.set_connect_state() try: def handler(signum, frame): raise socket.error([('Timeout', 'after', str(timeout) + 's')]) signal.signal(signal.SIGALRM, handler) signal.alarm(timeout) server_conn.do_handshake() signal.alarm(0) except socket.timeout as e: nagios_out('Critical', 'Connection error %s - %s' % (server + ':' + str(port), errmsg_from_excp(e)),2) server_conn.shutdown() server_conn.close() except (SSLError, socket.error) as e: if 'sslv3 alert handshake failure' in errmsg_from_excp(e): pass else: nagios_out('Critical', 'Connection error %s - %s' % (server + ':' + str(port), errmsg_from_excp(e)), 2) return True
def server_ok(serverarg, capath, timeout): server_ctx = Context(TLSv1_METHOD) server_ctx.load_verify_locations(None, capath) def verify_cb(conn, cert, errnum, depth, ok): return ok server_ctx.set_verify(VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT, verify_cb) serverarg = re.split("/*", serverarg)[1] if ':' in serverarg: serverarg = serverarg.split(':') server = serverarg[0] port = int(serverarg[1] if not '?' in serverarg[1] else serverarg[1]. split('?')[0]) else: server = serverarg port = DEFAULT_PORT try: sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.connect((server, port)) server_conn = Connection(server_ctx, sock) server_conn.set_connect_state() try: def handler(signum, frame): raise socket.error([('Timeout', 'after', str(timeout) + 's')]) signal.signal(signal.SIGALRM, handler) signal.alarm(timeout) server_conn.do_handshake() signal.alarm(0) except socket.timeout as e: nagios_out( 'Critical', 'Connection error %s - %s' % (server + ':' + str(port), errmsg_from_excp(e)), 2) server_conn.shutdown() server_conn.close() except (SSLError, socket.error) as e: if 'sslv3 alert handshake failure' in errmsg_from_excp(e): pass else: nagios_out( 'Critical', 'Connection error %s - %s' % (server + ':' + str(port), errmsg_from_excp(e)), 2) return True
def main(): def err_exit(ret, msg): ret['failed'] = True ret['msg'] = msg module.fail_json(**ret) module = AnsibleModule(argument_spec=dict( host=dict(required=True, type='str'), certificates=dict(required=True, type='dict'), ), ) host = module.params['host'] certificates = copy.copy(module.params['certificates']) split = host.split(':') split.reverse() host = split.pop() ret['host'] = host ret['port'] = None ret['downloaded'] = False ret['ansible_facts'] = dict(certificates=certificates) try: port = int(split.pop()) if split else 443 hostport = "{}:{}".format(host, port) ret['port'] = port if host in certificates and hostport not in certificates: certificates[hostport] = certificates[host] if hostport not in certificates or certificates[hostport] is None: s = socket(AF_INET, SOCK_STREAM) ctx = Context(TLSv1_METHOD) con = Connection(ctx, s) con.connect((host, port)) con.do_handshake() x509 = con.get_peer_cert_chain()[-1] con.shutdown() con.close() ret['downloaded'] = True certificates[hostport] = dump_certificate(FILETYPE_PEM, x509) if host not in certificates or certificates[host] is None: certificates[host] = certificates[hostport] module.exit_json(**ret) except Exception as e: msg_ = traceback.format_exc() module.fail_json(msg="{}: {}".format(repr(e), msg_))
def verify_servercert(host, timeout, capath): server_ctx = Context(TLSv1_METHOD) server_ctx.load_verify_locations(None, capath) server_cert_chain = [] def verify_cb(conn, cert, errnum, depth, ok): server_cert_chain.append(cert) return ok server_ctx.set_verify(VERIFY_PEER, verify_cb) sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.setblocking(1) sock.settimeout(timeout) sock.connect((host, 443)) server_conn = Connection(server_ctx, sock) server_conn.set_connect_state() def iosock_try(): ok = True try: server_conn.do_handshake() sleep(0.5) except SSLWantReadError as e: ok = False pass except Exception as e: raise e return ok try: while True: if iosock_try(): break global server_expire server_expire = server_cert_chain[-1].get_notAfter() except PyOpenSSLError as e: raise e finally: server_conn.shutdown() server_conn.close() return True
def get_ssl(url): print(Fore.RED+"[+] ssl certificate:"+Fore.GREEN) first_try = re.findall(r":([0-9]+)", str(url)) if len(first_try) != 0: for i in range(len(first_try)): port = ''.join(first_try[i]) else: port = int('443') second_try = re.findall(r"/([0-9a-zA-Z\.%&#]+)", str(url)) if len(second_try) != 0: for i in range(len(second_try)): host = ''.join(second_try[i]) try: try: ssl_connection_setting = Context(SSLv3_METHOD) except ValueError: ssl_connection_setting = Context(TLSv1_2_METHOD) ssl_connection_setting.set_timeout(5) with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s: s.connect((host, int(port))) c = Connection(ssl_connection_setting, s) c.set_tlsext_host_name(str.encode(host)) c.set_connect_state() c.do_handshake() cert = c.get_peer_certificate() print(Fore.RED+" --> "+Fore.GREEN+"Is Expired: ", cert.has_expired()) print(Fore.RED+" --> "+Fore.GREEN+"Issuer: ", cert.get_issuer()) subject_list = cert.get_subject().get_components() cert_byte_arr_decoded = {} for item in subject_list: cert_byte_arr_decoded.update({item[0].decode('utf-8'): item[1].decode('utf-8')}) if len(cert_byte_arr_decoded) > 0: print(Fore.RED+" --> "+Fore.GREEN+"Subject: ", cert_byte_arr_decoded) if cert_byte_arr_decoded["CN"]: print(Fore.RED+" --> "+Fore.GREEN+"Common Name: ", cert_byte_arr_decoded["CN"]) end_date = datetime.strptime(str(cert.get_notAfter().decode('utf-8')), "%Y%m%d%H%M%SZ") print(Fore.RED+" --> "+Fore.GREEN+"Not After (UTC Time): ", end_date) diff = end_date - datetime.now() print(Fore.RED+" --> "+Fore.GREEN+'Summary: "{}" SSL certificate expires on {} i.e. {} days.'.format(host, end_date, diff.days)) c.shutdown() s.close() except: print(Fore.RED+" --> "+Fore.GREEN+"Not found") pass
def ip_ssl_connect(self, ip): logging.basicConfig(filename=self.basedir+'/output/log/get_cert_from_ip.log', level=logging.DEBUG, format='%(asctime)s %(message)s') try: sslcontext = Context(TLSv1_METHOD) sslcontext.set_timeout(30) s = socket() s.connect((ip, 443)) c = Connection(sslcontext, s) c.set_connect_state() logging.info("try to establish handshake with %s..." % ip) c.do_handshake() cert = c.get_peer_certificate() logging.info("got certificate!") c.shutdown() s.close() return cert except Exception as e: logging.info(e) logging.info("fail to connect to port 443 with %s" % ip) return None
def connect(self, ctx=None, session=None, port=7080): sock = socket.create_connection(('127.0.0.1', port)) if ctx is None: ctx = Context(TLSv1_2_METHOD) client = Connection(ctx, sock) client.set_connect_state() if session is not None: client.set_session(session) client.do_handshake() client.shutdown() return ( client.get_session(), ctx, _lib.SSL_session_reused(client._ssl), )
def connect(self, ctx=None, session=None): sock = socket.create_connection(('127.0.0.1', 7080)) if ctx is None: ctx = Context(TLSv1_2_METHOD) ctx.set_session_cache_mode(SESS_CACHE_CLIENT) ctx.set_options(OP_NO_TICKET) client = Connection(ctx, sock) client.set_connect_state() if session is not None: client.set_session(session) client.do_handshake() client.shutdown() return ( client, client.get_session(), ctx, _lib.SSL_session_reused(client._ssl), )
""" from socket import socket from OpenSSL.SSL import Connection, Context, SSLv3_METHOD import datetime import time sslcontext = Context(SSLv3_METHOD) sslcontext.set_timeout(30) ip = 'www.baidu.com' s = socket() s.connect((ip, 443)) c = Connection(sslcontext, s) c.set_connect_state() c.do_handshake() cert = c.get_peer_certificate() print "Issuer: ", cert.get_issuer() print "Subject: ", cert.get_subject().get_components() subject_list = cert.get_subject().get_components() print "Common Name:", dict(subject_list).get("CN") print "notAfter(UTC time): ", cert.get_notAfter() UTC_FORMAT = "%Y%m%d%H%M%SZ" utc_to_local_offset = datetime.datetime.fromtimestamp( time.time()) - datetime.datetime.utcfromtimestamp(time.time()) utc_time = time.mktime(time.strptime(cert.get_notAfter(), UTC_FORMAT)) local_time = utc_time + utc_to_local_offset.seconds print "notAfter(Local Time): ", datetime.datetime.fromtimestamp(local_time) print "is_expired:", cert.has_expired() c.shutdown() s.close()
class TLSMemoryBIOProtocol(ProtocolWrapper): """ L{TLSMemoryBIOProtocol} is a protocol wrapper which uses OpenSSL via a memory BIO to encrypt bytes written to it before sending them on to the underlying transport and decrypts bytes received from the underlying transport before delivering them to the wrapped protocol. In addition to producer events from the underlying transport, the need to wait for reads before a write can proceed means the L{TLSMemoryBIOProtocol} may also want to pause a producer. Pause/resume events are therefore merged using the L{_ProducerMembrane} wrapper. Non-streaming (pull) producers are supported by wrapping them with L{_PullToPush}. @ivar _tlsConnection: The L{OpenSSL.SSL.Connection} instance which is encrypted and decrypting this connection. @ivar _lostTLSConnection: A flag indicating whether connection loss has already been dealt with (C{True}) or not (C{False}). TLS disconnection is distinct from the underlying connection being lost. @ivar _writeBlockedOnRead: A flag indicating whether further writing must wait for data to be received (C{True}) or not (C{False}). @ivar _appSendBuffer: A C{list} of C{str} of application-level (cleartext) data which is waiting for C{_writeBlockedOnRead} to be reset to C{False} so it can be passed to and perhaps accepted by C{_tlsConnection.send}. @ivar _connectWrapped: A flag indicating whether or not to call C{makeConnection} on the wrapped protocol. This is for the reactor's L{twisted.internet.interfaces.ITLSTransport.startTLS} implementation, since it has a protocol which it has already called C{makeConnection} on, and which has no interest in a new transport. See #3821. @ivar _handshakeDone: A flag indicating whether or not the handshake is known to have completed successfully (C{True}) or not (C{False}). This is used to control error reporting behavior. If the handshake has not completed, the underlying L{OpenSSL.SSL.Error} will be passed to the application's C{connectionLost} method. If it has completed, any unexpected L{OpenSSL.SSL.Error} will be turned into a L{ConnectionLost}. This is weird; however, it is simply an attempt at a faithful re-implementation of the behavior provided by L{twisted.internet.ssl}. @ivar _reason: If an unexpected L{OpenSSL.SSL.Error} occurs which causes the connection to be lost, it is saved here. If appropriate, this may be used as the reason passed to the application protocol's C{connectionLost} method. @ivar _producer: The current producer registered via C{registerProducer}, or C{None} if no producer has been registered or a previous one was unregistered. """ _reason = None _handshakeDone = False _lostTLSConnection = False _writeBlockedOnRead = False _producer = None def __init__(self, factory, wrappedProtocol, _connectWrapped=True): ProtocolWrapper.__init__(self, factory, wrappedProtocol) self._connectWrapped = _connectWrapped def getHandle(self): """ Return the L{OpenSSL.SSL.Connection} object being used to encrypt and decrypt this connection. This is done for the benefit of L{twisted.internet.ssl.Certificate}'s C{peerFromTransport} and C{hostFromTransport} methods only. A different system handle may be returned by future versions of this method. """ return self._tlsConnection def makeConnection(self, transport): """ Connect this wrapper to the given transport and initialize the necessary L{OpenSSL.SSL.Connection} with a memory BIO. """ tlsContext = self.factory._contextFactory.getContext() self._tlsConnection = Connection(tlsContext, None) if self.factory._isClient: self._tlsConnection.set_connect_state() else: self._tlsConnection.set_accept_state() self._appSendBuffer = [] # Add interfaces provided by the transport we are wrapping: for interface in providedBy(transport): directlyProvides(self, interface) # Intentionally skip ProtocolWrapper.makeConnection - it might call # wrappedProtocol.makeConnection, which we want to make conditional. Protocol.makeConnection(self, transport) self.factory.registerProtocol(self) if self._connectWrapped: # Now that the TLS layer is initialized, notify the application of # the connection. ProtocolWrapper.makeConnection(self, transport) # Now that we ourselves have a transport (initialized by the # ProtocolWrapper.makeConnection call above), kick off the TLS # handshake. try: self._tlsConnection.do_handshake() except WantReadError: # This is the expected case - there's no data in the connection's # input buffer yet, so it won't be able to complete the whole # handshake now. If this is the speak-first side of the # connection, then some bytes will be in the send buffer now; flush # them. self._flushSendBIO() def _flushSendBIO(self): """ Read any bytes out of the send BIO and write them to the underlying transport. """ try: bytes = self._tlsConnection.bio_read(2**15) except WantReadError: # There may be nothing in the send BIO right now. pass else: self.transport.write(bytes) def _flushReceiveBIO(self): """ Try to receive any application-level bytes which are now available because of a previous write into the receive BIO. This will take care of delivering any application-level bytes which are received to the protocol, as well as handling of the various exceptions which can come from trying to get such bytes. """ # Keep trying this until an error indicates we should stop or we # close the connection. Looping is necessary to make sure we # process all of the data which was put into the receive BIO, as # there is no guarantee that a single recv call will do it all. while not self._lostTLSConnection: try: bytes = self._tlsConnection.recv(2**15) except WantReadError: # The newly received bytes might not have been enough to produce # any application data. break except ZeroReturnError: # TLS has shut down and no more TLS data will be received over # this connection. self._shutdownTLS() # Passing in None means the user protocol's connnectionLost # will get called with reason from underlying transport: self._tlsShutdownFinished(None) except Error as e: # Something went pretty wrong. For example, this might be a # handshake failure (because there were no shared ciphers, because # a certificate failed to verify, etc). TLS can no longer proceed. # Squash EOF in violation of protocol into ConnectionLost; we # create Failure before calling _flushSendBio so that no new # exception will get thrown in the interim. if e.args[0] == -1 and e.args[1] == 'Unexpected EOF': failure = Failure(CONNECTION_LOST) else: failure = Failure() self._flushSendBIO() self._tlsShutdownFinished(failure) else: # If we got application bytes, the handshake must be done by # now. Keep track of this to control error reporting later. self._handshakeDone = True ProtocolWrapper.dataReceived(self, bytes) # The received bytes might have generated a response which needs to be # sent now. For example, the handshake involves several round-trip # exchanges without ever producing application-bytes. self._flushSendBIO() def dataReceived(self, bytes): """ Deliver any received bytes to the receive BIO and then read and deliver to the application any application-level data which becomes available as a result of this. """ self._tlsConnection.bio_write(bytes) if self._writeBlockedOnRead: # A read just happened, so we might not be blocked anymore. Try to # flush all the pending application bytes. self._writeBlockedOnRead = False appSendBuffer = self._appSendBuffer self._appSendBuffer = [] for bytes in appSendBuffer: self._write(bytes) if (not self._writeBlockedOnRead and self.disconnecting and self.producer is None): self._shutdownTLS() if self._producer is not None: self._producer.resumeProducing() self._flushReceiveBIO() def _shutdownTLS(self): """ Initiate, or reply to, the shutdown handshake of the TLS layer. """ shutdownSuccess = self._tlsConnection.shutdown() self._flushSendBIO() if shutdownSuccess: # Both sides have shutdown, so we can start closing lower-level # transport. This will also happen if we haven't started # negotiation at all yet, in which case shutdown succeeds # immediately. self.transport.loseConnection() def _tlsShutdownFinished(self, reason): """ Called when TLS connection has gone away; tell underlying transport to disconnect. """ self._reason = reason self._lostTLSConnection = True # Using loseConnection causes the application protocol's # connectionLost method to be invoked non-reentrantly, which is always # a nice feature. However, for error cases (reason != None) we might # want to use abortConnection when it becomes available. The # loseConnection call is basically tested by test_handshakeFailure. # At least one side will need to do it or the test never finishes. self.transport.loseConnection() def connectionLost(self, reason): """ Handle the possible repetition of calls to this method (due to either the underlying transport going away or due to an error at the TLS layer) and make sure the base implementation only gets invoked once. """ if not self._lostTLSConnection: # Tell the TLS connection that it's not going to get any more data # and give it a chance to finish reading. self._tlsConnection.bio_shutdown() self._flushReceiveBIO() self._lostTLSConnection = True reason = self._reason or reason self._reason = None ProtocolWrapper.connectionLost(self, reason) def loseConnection(self): """ Send a TLS close alert and close the underlying connection. """ if self.disconnecting: return self.disconnecting = True if not self._writeBlockedOnRead and self._producer is None: self._shutdownTLS() def write(self, bytes): """ Process the given application bytes and send any resulting TLS traffic which arrives in the send BIO. If C{loseConnection} was called, subsequent calls to C{write} will drop the bytes on the floor. """ if isinstance(bytes, unicode): raise TypeError( "Must write bytes to a TLS transport, not unicode.") # Writes after loseConnection are not supported, unless a producer has # been registered, in which case writes can happen until the producer # is unregistered: if self.disconnecting and self._producer is None: return self._write(bytes) def _write(self, bytes): """ Process the given application bytes and send any resulting TLS traffic which arrives in the send BIO. This may be called by C{dataReceived} with bytes that were buffered before C{loseConnection} was called, which is why this function doesn't check for disconnection but accepts the bytes regardless. """ if self._lostTLSConnection: return leftToSend = bytes while leftToSend: try: sent = self._tlsConnection.send(leftToSend) except WantReadError: self._writeBlockedOnRead = True self._appSendBuffer.append(leftToSend) if self._producer is not None: self._producer.pauseProducing() break except Error: # Pretend TLS connection disconnected, which will trigger # disconnect of underlying transport. The error will be passed # to the application protocol's connectionLost method. The # other SSL implementation doesn't, but losing helpful # debugging information is a bad idea. self._tlsShutdownFinished(Failure()) break else: # If we sent some bytes, the handshake must be done. Keep # track of this to control error reporting behavior. self._handshakeDone = True self._flushSendBIO() leftToSend = leftToSend[sent:] def writeSequence(self, iovec): """ Write a sequence of application bytes by joining them into one string and passing them to L{write}. """ iovec = [x.encode('latin-1') for x in iovec] self.write(b"".join(iovec)) def getPeerCertificate(self): return self._tlsConnection.get_peer_certificate() def registerProducer(self, producer, streaming): # If we've already disconnected, nothing to do here: if self._lostTLSConnection: producer.stopProducing() return # If we received a non-streaming producer, wrap it so it becomes a # streaming producer: if not streaming: producer = streamingProducer = _PullToPush(producer, self) producer = _ProducerMembrane(producer) # This will raise an exception if a producer is already registered: self.transport.registerProducer(producer, True) self._producer = producer # If we received a non-streaming producer, we need to start the # streaming wrapper: if not streaming: streamingProducer.startStreaming() def unregisterProducer(self): # If we received a non-streaming producer, we need to stop the # streaming wrapper: if isinstance(self._producer._producer, _PullToPush): self._producer._producer.stopStreaming() self._producer = None self._producerPaused = False self.transport.unregisterProducer() if self.disconnecting and not self._writeBlockedOnRead: self._shutdownTLS()
class TLSMemoryBIOProtocol(ProtocolWrapper): """ L{TLSMemoryBIOProtocol} is a protocol wrapper which uses OpenSSL via a memory BIO to encrypt bytes written to it before sending them on to the underlying transport and decrypts bytes received from the underlying transport before delivering them to the wrapped protocol. In addition to producer events from the underlying transport, the need to wait for reads before a write can proceed means the L{TLSMemoryBIOProtocol} may also want to pause a producer. Pause/resume events are therefore merged using the L{_ProducerMembrane} wrapper. Non-streaming (pull) producers are supported by wrapping them with L{_PullToPush}. @ivar _tlsConnection: The L{OpenSSL.SSL.Connection} instance which is encrypted and decrypting this connection. @ivar _lostTLSConnection: A flag indicating whether connection loss has already been dealt with (C{True}) or not (C{False}). TLS disconnection is distinct from the underlying connection being lost. @ivar _writeBlockedOnRead: A flag indicating whether further writing must wait for data to be received (C{True}) or not (C{False}). @ivar _appSendBuffer: A C{list} of C{str} of application-level (cleartext) data which is waiting for C{_writeBlockedOnRead} to be reset to C{False} so it can be passed to and perhaps accepted by C{_tlsConnection.send}. @ivar _connectWrapped: A flag indicating whether or not to call C{makeConnection} on the wrapped protocol. This is for the reactor's L{twisted.internet.interfaces.ITLSTransport.startTLS} implementation, since it has a protocol which it has already called C{makeConnection} on, and which has no interest in a new transport. See #3821. @ivar _handshakeDone: A flag indicating whether or not the handshake is known to have completed successfully (C{True}) or not (C{False}). This is used to control error reporting behavior. If the handshake has not completed, the underlying L{OpenSSL.SSL.Error} will be passed to the application's C{connectionLost} method. If it has completed, any unexpected L{OpenSSL.SSL.Error} will be turned into a L{ConnectionLost}. This is weird; however, it is simply an attempt at a faithful re-implementation of the behavior provided by L{twisted.internet.ssl}. @ivar _reason: If an unexpected L{OpenSSL.SSL.Error} occurs which causes the connection to be lost, it is saved here. If appropriate, this may be used as the reason passed to the application protocol's C{connectionLost} method. @ivar _producer: The current producer registered via C{registerProducer}, or C{None} if no producer has been registered or a previous one was unregistered. """ _reason = None _handshakeDone = False _lostTLSConnection = False _writeBlockedOnRead = False _producer = None def __init__(self, factory, wrappedProtocol, _connectWrapped=True): ProtocolWrapper.__init__(self, factory, wrappedProtocol) self._connectWrapped = _connectWrapped def getHandle(self): """ Return the L{OpenSSL.SSL.Connection} object being used to encrypt and decrypt this connection. This is done for the benefit of L{twisted.internet.ssl.Certificate}'s C{peerFromTransport} and C{hostFromTransport} methods only. A different system handle may be returned by future versions of this method. """ return self._tlsConnection def makeConnection(self, transport): """ Connect this wrapper to the given transport and initialize the necessary L{OpenSSL.SSL.Connection} with a memory BIO. """ tlsContext = self.factory._contextFactory.getContext() self._tlsConnection = Connection(tlsContext, None) if self.factory._isClient: self._tlsConnection.set_connect_state() else: self._tlsConnection.set_accept_state() self._appSendBuffer = [] # Add interfaces provided by the transport we are wrapping: for interface in providedBy(transport): directlyProvides(self, interface) # Intentionally skip ProtocolWrapper.makeConnection - it might call # wrappedProtocol.makeConnection, which we want to make conditional. Protocol.makeConnection(self, transport) self.factory.registerProtocol(self) if self._connectWrapped: # Now that the TLS layer is initialized, notify the application of # the connection. ProtocolWrapper.makeConnection(self, transport) # Now that we ourselves have a transport (initialized by the # ProtocolWrapper.makeConnection call above), kick off the TLS # handshake. try: self._tlsConnection.do_handshake() except WantReadError: # This is the expected case - there's no data in the connection's # input buffer yet, so it won't be able to complete the whole # handshake now. If this is the speak-first side of the # connection, then some bytes will be in the send buffer now; flush # them. self._flushSendBIO() def _flushSendBIO(self): """ Read any bytes out of the send BIO and write them to the underlying transport. """ try: bytes = self._tlsConnection.bio_read(2 ** 15) except WantReadError: # There may be nothing in the send BIO right now. pass else: self.transport.write(bytes) def _flushReceiveBIO(self): """ Try to receive any application-level bytes which are now available because of a previous write into the receive BIO. This will take care of delivering any application-level bytes which are received to the protocol, as well as handling of the various exceptions which can come from trying to get such bytes. """ # Keep trying this until an error indicates we should stop or we # close the connection. Looping is necessary to make sure we # process all of the data which was put into the receive BIO, as # there is no guarantee that a single recv call will do it all. while not self._lostTLSConnection: try: bytes = self._tlsConnection.recv(2 ** 15) except WantReadError: # The newly received bytes might not have been enough to produce # any application data. break except ZeroReturnError: # TLS has shut down and no more TLS data will be received over # this connection. self._shutdownTLS() # Passing in None means the user protocol's connnectionLost # will get called with reason from underlying transport: self._tlsShutdownFinished(None) except Error as e: # Something went pretty wrong. For example, this might be a # handshake failure (because there were no shared ciphers, because # a certificate failed to verify, etc). TLS can no longer proceed. # Squash EOF in violation of protocol into ConnectionLost; we # create Failure before calling _flushSendBio so that no new # exception will get thrown in the interim. if e.args[0] == -1 and e.args[1] == 'Unexpected EOF': failure = Failure(CONNECTION_LOST) else: failure = Failure() self._flushSendBIO() self._tlsShutdownFinished(failure) else: # If we got application bytes, the handshake must be done by # now. Keep track of this to control error reporting later. self._handshakeDone = True ProtocolWrapper.dataReceived(self, bytes) # The received bytes might have generated a response which needs to be # sent now. For example, the handshake involves several round-trip # exchanges without ever producing application-bytes. self._flushSendBIO() def dataReceived(self, bytes): """ Deliver any received bytes to the receive BIO and then read and deliver to the application any application-level data which becomes available as a result of this. """ self._tlsConnection.bio_write(bytes) if self._writeBlockedOnRead: # A read just happened, so we might not be blocked anymore. Try to # flush all the pending application bytes. self._writeBlockedOnRead = False appSendBuffer = self._appSendBuffer self._appSendBuffer = [] for bytes in appSendBuffer: self._write(bytes) if (not self._writeBlockedOnRead and self.disconnecting and self.producer is None): self._shutdownTLS() if self._producer is not None: self._producer.resumeProducing() self._flushReceiveBIO() def _shutdownTLS(self): """ Initiate, or reply to, the shutdown handshake of the TLS layer. """ shutdownSuccess = self._tlsConnection.shutdown() self._flushSendBIO() if shutdownSuccess: # Both sides have shutdown, so we can start closing lower-level # transport. This will also happen if we haven't started # negotiation at all yet, in which case shutdown succeeds # immediately. self.transport.loseConnection() def _tlsShutdownFinished(self, reason): """ Called when TLS connection has gone away; tell underlying transport to disconnect. """ self._reason = reason self._lostTLSConnection = True # Using loseConnection causes the application protocol's # connectionLost method to be invoked non-reentrantly, which is always # a nice feature. However, for error cases (reason != None) we might # want to use abortConnection when it becomes available. The # loseConnection call is basically tested by test_handshakeFailure. # At least one side will need to do it or the test never finishes. self.transport.loseConnection() def connectionLost(self, reason): """ Handle the possible repetition of calls to this method (due to either the underlying transport going away or due to an error at the TLS layer) and make sure the base implementation only gets invoked once. """ if not self._lostTLSConnection: # Tell the TLS connection that it's not going to get any more data # and give it a chance to finish reading. self._tlsConnection.bio_shutdown() self._flushReceiveBIO() self._lostTLSConnection = True reason = self._reason or reason self._reason = None ProtocolWrapper.connectionLost(self, reason) def loseConnection(self): """ Send a TLS close alert and close the underlying connection. """ if self.disconnecting: return self.disconnecting = True if not self._writeBlockedOnRead and self._producer is None: self._shutdownTLS() def write(self, bytes): """ Process the given application bytes and send any resulting TLS traffic which arrives in the send BIO. If C{loseConnection} was called, subsequent calls to C{write} will drop the bytes on the floor. """ if isinstance(bytes, unicode): raise TypeError("Must write bytes to a TLS transport, not unicode.") # Writes after loseConnection are not supported, unless a producer has # been registered, in which case writes can happen until the producer # is unregistered: if self.disconnecting and self._producer is None: return self._write(bytes) def _write(self, bytes): """ Process the given application bytes and send any resulting TLS traffic which arrives in the send BIO. This may be called by C{dataReceived} with bytes that were buffered before C{loseConnection} was called, which is why this function doesn't check for disconnection but accepts the bytes regardless. """ if self._lostTLSConnection: return leftToSend = bytes while leftToSend: try: sent = self._tlsConnection.send(leftToSend) except WantReadError: self._writeBlockedOnRead = True self._appSendBuffer.append(leftToSend) if self._producer is not None: self._producer.pauseProducing() break except Error: # Pretend TLS connection disconnected, which will trigger # disconnect of underlying transport. The error will be passed # to the application protocol's connectionLost method. The # other SSL implementation doesn't, but losing helpful # debugging information is a bad idea. self._tlsShutdownFinished(Failure()) break else: # If we sent some bytes, the handshake must be done. Keep # track of this to control error reporting behavior. self._handshakeDone = True self._flushSendBIO() leftToSend = leftToSend[sent:] def writeSequence(self, iovec): """ Write a sequence of application bytes by joining them into one string and passing them to L{write}. """ self.write(b"".join(iovec)) def getPeerCertificate(self): return self._tlsConnection.get_peer_certificate() def registerProducer(self, producer, streaming): # If we've already disconnected, nothing to do here: if self._lostTLSConnection: producer.stopProducing() return # If we received a non-streaming producer, wrap it so it becomes a # streaming producer: if not streaming: producer = streamingProducer = _PullToPush(producer, self) producer = _ProducerMembrane(producer) # This will raise an exception if a producer is already registered: self.transport.registerProducer(producer, True) self._producer = producer # If we received a non-streaming producer, we need to start the # streaming wrapper: if not streaming: streamingProducer.startStreaming() def unregisterProducer(self): # If we received a non-streaming producer, we need to stop the # streaming wrapper: if isinstance(self._producer._producer, _PullToPush): self._producer._producer.stopStreaming() self._producer = None self._producerPaused = False self.transport.unregisterProducer() if self.disconnecting and not self._writeBlockedOnRead: self._shutdownTLS()
from OpenSSL.SSL import Connection, Context, SSLv3_METHOD, TLSv1_2_METHOD host = 'www.baidu.com' try: ssl_connection_setting = Context(SSLv3_METHOD) except ValueError: ssl_connection_setting = Context(TLSv1_2_METHOD) ssl_connection_setting.set_timeout(30) s = socket() s.connect((host, 443)) c = Connection(ssl_connection_setting, s) c.set_connect_state() c.do_handshake() cert = c.get_peer_certificate() print "Issuer: ", cert.get_issuer() print "Subject: ", cert.get_subject().get_components() subject_list = cert.get_subject().get_components() print "Common Name:", dict(subject_list).get("CN") print "notAfter(UTC time): ", cert.get_notAfter() UTC_FORMAT = "%Y%m%d%H%M%SZ" utc_to_local_offset = datetime.datetime.fromtimestamp(time.time()) - datetime.datetime.utcfromtimestamp(time.time()) utc_time = time.mktime(time.strptime(cert.get_notAfter(), UTC_FORMAT)) local_time = utc_time + utc_to_local_offset.seconds print "notAfter(Local Time): ", datetime.datetime.fromtimestamp(local_time) print "is_expired:", cert.has_expired() c.shutdown() s.close()
class SocketClient(object): """This class sends all info to the server """ cacertpath = "ca/cacert.pem" BUFF = 8192 def __init__(self,HOST='130.236.219.232', PORT = 443): self.mutex = threading.Semaphore(1) self.connected = False self.connect() self.host_addr = HOST self.host_port = PORT def connect(self): print "You are trying to connect..." for x in range(7): if not self.connected: try: s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) context = Context(TLSv1_METHOD) context.use_certificate_file(self.cacertpath) context.set_timeout(2) self.sslsocket = Connection(context,s) self.sslsocket.connect((self.host_addr,self.host_port)) #starting a thread that listen to what server sends which the clients need to be able to send and recive data at the same time t = threading.Thread(target=self.receive) t.daemon = True t.start() if self.sslsocket: self.connected = True print "connection established" #self.authentication("Kalle", "te") t = threading.Thread(target=self.sendinput) t.start() except socket.error: print "You failed to connect, retrying......." time.sleep(5) def authentication(self, username, password): self.sslsocket.send(username) self.sslsocket.send(password) #sending string to server def send(self,str): try: self.sslsocket.write("start") totalsent = 0 while totalsent < str.__len__(): sent = self.sslsocket.write(str[totalsent:]) if sent == 0: raise RuntimeError, "socket connection broken" totalsent = totalsent + sent self.sslsocket.write("end") except SSL.SysCallError: print "your server is dead, you have to resend data" self.connected = False self.sslsocket.shutdown() self.sslsocket.close() self.mutex.acquire() print "Du är inne i connect via send SysCallError" self.connect() self.mutex.release() except SSL.Error: self.connected = False self.mutex.acquire() print "Du är inne i connect via send ssl error" self.connect() self.mutex.release() #Sending input to server def sendinput(self): try: while True: input = raw_input() self.send(input) except KeyboardInterrupt: print "du är inne i sendinput" self.sslsocket.shutdown() self.sslsocket.close() exit(0) #getting data from server def receive(self): output = "" try: while True: data = self.sslsocket.recv(self.BUFF) if data == "start": while True: data = self.sslsocket.recv(self.BUFF) if data == "end": print output output = "" break output = output + data except SSL.SysCallError: print "OMG Server is down" self.connected = False print self.connected self.sslsocket.shutdown() self.sslsocket.close() self.mutex.acquire() self.connect() self.mutex.release()
def verify_cert(host, capath, timeout, cncheck=True): server_ctx = Context(TLSv1_METHOD) server_cert_chain = [] server_ctx.load_verify_locations(None, capath) host = re.split("/*", host)[1] if ':' in host: host = host.split(':') server = host[0] port = int(host[1] if not '?' in host[1] else host[1].split('?')[0]) else: server = host port = 443 def verify_cb(conn, cert, errnum, depth, ok): server_cert_chain.append(cert) return ok server_ctx.set_verify(VERIFY_PEER, verify_cb) try: sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.setblocking(1) sock.settimeout(timeout) sock.connect((server, port)) except (socket.error, socket.timeout) as e: nagios_out('Critical', 'Connection error %s - %s' % (server + ':' + str(port), errmsg_from_excp(e)), 2) server_conn = Connection(server_ctx, sock) server_conn.set_connect_state() def iosock_try(): ok = True try: server_conn.do_handshake() sleep(0.5) except SSLWantReadError as e: ok = False pass except Exception as e: raise e return ok try: while True: if iosock_try(): break if cncheck: server_subject = server_cert_chain[-1].get_subject() if server != server_subject.CN: nagios_out('Critical', 'Server certificate CN %s does not match %s' % (server_subject.CN, server), 2) except SSLError as e: if 'sslv3 alert handshake failure' in errmsg_from_excp(e): pass else: nagios_out('Critical', 'Connection error %s - %s' % (server + ':' + str(port), errmsg_from_excp(e, level=1)), 2) finally: server_conn.shutdown() server_conn.close() return True
def verify_cert(host, capath, timeout, cncheck=True): server_ctx = Context(TLSv1_METHOD) server_cert_chain = [] server_ctx.load_verify_locations(None, capath) host = re.split("/*", host)[1] if ':' in host: host = host.split(':') server = host[0] port = int(host[1] if not '?' in host[1] else host[1].split('?')[0]) else: server = host port = 443 def verify_cb(conn, cert, errnum, depth, ok): server_cert_chain.append(cert) return ok server_ctx.set_verify(VERIFY_PEER, verify_cb) try: sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.setblocking(1) sock.settimeout(timeout) sock.connect((server, port)) except (socket.error, socket.timeout) as e: nagios_out( 'Critical', 'Connection error %s - %s' % (server + ':' + str(port), errmsg_from_excp(e)), 2) server_conn = Connection(server_ctx, sock) server_conn.set_connect_state() def iosock_try(): ok = True try: server_conn.do_handshake() sleep(0.5) except SSLWantReadError as e: ok = False pass except Exception as e: raise e return ok try: while True: if iosock_try(): break if cncheck: server_subject = server_cert_chain[-1].get_subject() if server != server_subject.CN: nagios_out( 'Critical', 'Server certificate CN %s does not match %s' % (server_subject.CN, server), 2) except SSLError as e: if 'sslv3 alert handshake failure' in errmsg_from_excp(e): pass else: nagios_out( 'Critical', 'Connection error %s - %s' % (server + ':' + str(port), errmsg_from_excp(e, level=1)), 2) finally: server_conn.shutdown() server_conn.close() return True