def __init__(self, key, certificate, intermediate):
    """
    Build a TLS server context from PEM-encoded key material.

    No DH parameters are loaded by this constructor; only an ECDH curve
    is configured for ephemeral key exchange.

    :param key: String representation of the private key
    :param certificate: String representation of the certificate
    :param intermediate: String representation of the intermediate file;
        skipped when falsy
    """
    self.ctx = new_tls_server_context()
    tls_ctx = self.ctx

    leaf_cert = load_certificate(FILETYPE_PEM, certificate)
    tls_ctx.use_certificate(leaf_cert)

    if intermediate:
        # NOTE(review): a single load_certificate call is made here, so a
        # bundle holding several concatenated intermediates would presumably
        # contribute only its first certificate - confirm against callers.
        chain_cert = load_certificate(FILETYPE_PEM, intermediate)
        tls_ctx.add_extra_chain_cert(chain_cert)

    pkey = load_privatekey(FILETYPE_PEM, key)
    tls_ctx.use_privatekey(pkey)

    # If SSL_CTX_set_ecdh_auto is available then set it so the ECDH curve
    # will be auto-selected. This function was added in 1.0.2 and made a
    # noop in 1.1.0+ (where it is set automatically).
    try:
        _lib.SSL_CTX_set_ecdh_auto(tls_ctx._context, 1)  # pylint: disable=no-member
    except AttributeError:
        # Binding without the auto-select entry point: pin P-256 explicitly.
        # The results of these calls are not checked.
        p256 = _lib.EC_KEY_new_by_curve_name(_lib.NID_X9_62_prime256v1)  # pylint: disable=no-member
        p256 = _ffi.gc(p256, _lib.EC_KEY_free)  # pylint: disable=no-member
        _lib.SSL_CTX_set_tmp_ecdh(tls_ctx._context, p256)  # pylint: disable=no-member
def set_tmp_ecdh(self, curve):
    """
    Select a curve to use for ECDHE key exchange.

    The value returned by ``SSL_CTX_set_tmp_ecdh`` is discarded, so a
    failure inside the library call is not reported to the caller.

    :param curve: A curve object to use as returned by either
        :py:meth:`OpenSSL.crypto.get_elliptic_curve` or
        :py:meth:`OpenSSL.crypto.get_elliptic_curves`.

    :return: None
    """
    install_curve = _lib.SSL_CTX_set_tmp_ecdh
    native_ctx = self._context
    # The curve object is converted to an EC_KEY right before the call.
    install_curve(native_ctx, curve._to_EC_KEY())
def cacheContext(self):
    """
    Build the server SSL context on first use and store it on
    ``self._context``; when a context is already cached nothing is done.

    The certificate, optional intermediate, private key and cipher list
    are taken from the instance's ``certificateFilePath``,
    ``intermediateFilePath``, ``privateKeyFilePath`` and ``cipherList``.
    No DH parameters are loaded in this method.
    """
    if self._context is not None:
        return

    # Version-flexible method with only SSLv2 and SSLv3 switched off.
    # NOTE(review): TLS 1.0/1.1 are not disabled here, so they stay
    # negotiable if the linked OpenSSL still offers them - confirm intent.
    tls_ctx = SSL.Context(SSL.SSLv23_METHOD)
    hardening = (
        SSL.OP_CIPHER_SERVER_PREFERENCE
        | SSL.OP_NO_SSLv2
        | SSL.OP_NO_SSLv3
        | SSL.OP_SINGLE_DH_USE
        | SSL.OP_NO_COMPRESSION
        | SSL.OP_NO_TICKET
    )
    tls_ctx.set_options(hardening)
    tls_ctx.set_mode(SSL.MODE_RELEASE_BUFFERS)

    cert_path = self.certificateFilePath
    leaf_loaded = False
    if os.path.isfile(cert_path):
        with open(cert_path, 'r') as pem_file:
            leaf_loaded = True
            tls_ctx.use_certificate(load_certificate(FILETYPE_PEM, pem_file.read()))

    chain_path = self.intermediateFilePath
    has_separate_chain = chain_path != cert_path and os.path.isfile(chain_path)
    if has_separate_chain:
        if leaf_loaded:
            # NOTE(review): one load_certificate call, so presumably only
            # the first certificate of a multi-certificate file is added.
            with open(chain_path, 'r') as pem_file:
                tls_ctx.add_extra_chain_cert(load_certificate(FILETYPE_PEM, pem_file.read()))
        else:
            # No leaf file on disk: treat the intermediate file as the
            # full chain file.
            tls_ctx.use_certificate_chain_file(chain_path)

    # NOTE(review): when neither file exists, execution reaches this point
    # with no certificate loaded and no error raised by this method.
    tls_ctx.use_privatekey_file(self.privateKeyFilePath)
    tls_ctx.set_cipher_list(self.cipherList)

    # If SSL_CTX_set_ecdh_auto is available then set it so the ECDH curve
    # will be auto-selected. This function was added in 1.0.2 and made a
    # noop in 1.1.0+ (where it is set automatically).
    try:
        _lib.SSL_CTX_set_ecdh_auto(tls_ctx._context, 1)  # pylint: disable=no-member
    except AttributeError:
        p256 = _lib.EC_KEY_new_by_curve_name(_lib.NID_X9_62_prime256v1)  # pylint: disable=no-member
        p256 = _ffi.gc(p256, _lib.EC_KEY_free)  # pylint: disable=no-member
        _lib.SSL_CTX_set_tmp_ecdh(tls_ctx._context, p256)  # pylint: disable=no-member

    self._context = tls_ctx
def cacheContext(self):
    """
    Build the server SSL context on first use and store it on
    ``self._context``; when a context is already cached nothing is done.

    The protocol method comes from ``self.sslmethod``. The certificate,
    optional intermediate, private key, cipher list and DH parameter file
    come from ``certificateFilePath``, ``intermediateFilePath``,
    ``privateKeyFilePath``, ``cipherList`` and ``dhFilePath``.
    """
    if self._context is not None:
        return

    tls_ctx = SSL.Context(self.sslmethod)
    # NOTE(review): only SSLv2 and SSLv3 are excluded by these options;
    # which TLS versions remain depends on self.sslmethod - confirm.
    hardening = (
        SSL.OP_CIPHER_SERVER_PREFERENCE
        | SSL.OP_NO_SSLv2
        | SSL.OP_NO_SSLv3
        | SSL.OP_SINGLE_DH_USE
        | SSL.OP_NO_COMPRESSION
        | SSL.OP_NO_TICKET
    )
    tls_ctx.set_options(hardening)
    tls_ctx.set_mode(SSL.MODE_RELEASE_BUFFERS)

    cert_path = self.certificateFilePath
    leaf_loaded = False
    if os.path.isfile(cert_path):
        with open(cert_path, 'r') as pem_file:
            leaf_loaded = True
            tls_ctx.use_certificate(load_certificate(FILETYPE_PEM, pem_file.read()))

    chain_path = self.intermediateFilePath
    has_separate_chain = chain_path != cert_path and os.path.isfile(chain_path)
    if has_separate_chain:
        if leaf_loaded:
            # NOTE(review): one load_certificate call, so presumably only
            # the first certificate of a multi-certificate file is added.
            with open(chain_path, 'r') as pem_file:
                tls_ctx.add_extra_chain_cert(load_certificate(FILETYPE_PEM, pem_file.read()))
        else:
            # No leaf file on disk: treat the intermediate file as the
            # full chain file.
            tls_ctx.use_certificate_chain_file(chain_path)

    # NOTE(review): when neither file exists, execution reaches this point
    # with no certificate loaded and no error raised by this method.
    tls_ctx.use_privatekey_file(self.privateKeyFilePath)
    tls_ctx.set_cipher_list(self.cipherList)
    tls_ctx.load_tmp_dh(self.dhFilePath)

    # P-256 is pinned unconditionally for ECDHE; the results of these
    # calls are not checked.
    p256 = _lib.EC_KEY_new_by_curve_name(_lib.NID_X9_62_prime256v1)
    p256 = _ffi.gc(p256, _lib.EC_KEY_free)
    _lib.SSL_CTX_set_tmp_ecdh(tls_ctx._context, p256)

    self._context = tls_ctx
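def load_tmp_dh(self, dhfile):
    """
    Function overridden in order to enforce ECDH/PFS

    Reads DH parameters from a PEM file, installs them on the context,
    and then also installs the P-256 curve for ECDHE key exchange.

    :param dhfile: path of the PEM file holding the DH parameters, as a
        byte string
    :raises TypeError: if ``dhfile`` is not a byte string
    :raises: whatever ``_raise_current_error`` raises when the file cannot
        be opened or does not contain parseable DH parameters
    """
    # Reject a bad argument before touching the native bindings.
    if not isinstance(dhfile, bytes):
        raise TypeError("dhfile must be a byte string")

    from OpenSSL._util import (ffi as _ffi, lib as _lib)

    bio = _lib.BIO_new_file(dhfile, b"r")
    if bio == _ffi.NULL:
        _raise_current_error()
    bio = _ffi.gc(bio, _lib.BIO_free)

    dh = _lib.PEM_read_bio_DHparams(bio, _ffi.NULL, _ffi.NULL, _ffi.NULL)
    if dh == _ffi.NULL:
        # A file without valid DH parameters yields NULL. Handing NULL to
        # SSL_CTX_set_tmp_dh is not guaranteed to be handled by the
        # library, and would at best leave the context silently without
        # DH parameters, so fail loudly here instead.
        _raise_current_error()
    dh = _ffi.gc(dh, _lib.DH_free)
    # NOTE(review): the size of the loaded DH group is not checked here;
    # the strength of DHE depends entirely on the file's contents.
    _lib.SSL_CTX_set_tmp_dh(self._context, dh)

    # The part this override exists for: also pin P-256 for ECDHE.
    ecdh = _lib.EC_KEY_new_by_curve_name(_lib.NID_X9_62_prime256v1)
    ecdh = _ffi.gc(ecdh, _lib.EC_KEY_free)
    _lib.SSL_CTX_set_tmp_ecdh(self._context, ecdh)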
def __init__(self, priv_key, certificate, intermediate, dh):
    """
    Build a TLS server context from PEM-encoded key material and DH
    parameters, then pin the P-256 curve for ECDHE.

    @param priv_key: String representation of the private key
    @param certificate: String representation of the certificate
    @param intermediate: String representation of the intermediate file;
        skipped when falsy
    @param dh: String representation of the DH parameters
    """
    self.ctx = new_tls_server_context()
    tls_ctx = self.ctx

    leaf_cert = load_certificate(FILETYPE_PEM, certificate)
    tls_ctx.use_certificate(leaf_cert)

    if intermediate:
        # NOTE(review): a single load_certificate call is made here, so a
        # bundle holding several concatenated intermediates would presumably
        # contribute only its first certificate - confirm against callers.
        chain_cert = load_certificate(FILETYPE_PEM, intermediate)
        tls_ctx.add_extra_chain_cert(chain_cert)

    pkey = load_privatekey(FILETYPE_PEM, priv_key)
    tls_ctx.use_privatekey(pkey)

    # NOTE(review): the DH group in ``dh`` is passed through as-is; whether
    # its size is validated depends on load_dh_params_from_string - confirm.
    load_dh_params_from_string(tls_ctx, dh)

    # The curve is fixed to P-256; the results of these calls are not checked.
    p256 = _lib.EC_KEY_new_by_curve_name(_lib.NID_X9_62_prime256v1)  # pylint: disable=no-member
    p256 = _ffi.gc(p256, _lib.EC_KEY_free)  # pylint: disable=no-member
    _lib.SSL_CTX_set_tmp_ecdh(tls_ctx._context, p256)  # pylint: disable=no-member