def init(self): if nss.nss_is_initialized(): return if _password_callback is not None: nss.set_password_callback(_password_callback) nss.nss_init(_certdb) ssl.set_domestic_policy()
def __init__(self, host, port=None, strict=None, dbdir=None): httplib.HTTPConnection.__init__(self, host, port, strict) if not dbdir: raise RuntimeError("dbdir is required") logging.debug('%s init %s', self.__class__.__name__, host) if not nss.nss_is_initialized(): nss.nss_init(dbdir) self.sock = None ssl.set_domestic_policy() nss.set_password_callback(password_callback)
def __init__(self, host, port=None, strict=None, dbdir=None): six.moves.http_client.HTTPConnection.__init__(self, host, port, strict) if not dbdir: raise RuntimeError("dbdir is required") logging.debug('%s init host=%s dbdir=%s', self.__class__.__name__, host, dbdir) if not nss.nss_is_initialized(): nss.nss_init(dbdir) self.sock = None ssl.set_domestic_policy() nss.set_password_callback(password_callback)
def initialize_nss(dbdir): """Initialize NSS nss_init() initializes NSS and the DB globally. """ # global settings nss.nss_init(dbdir) ssl.set_domestic_policy() ssl.clear_session_cache() # thread local callback nss.set_password_callback(password_callback)
def client(request): if use_ssl: if info: print "client: using SSL" ssl.set_domestic_policy() valid_addr = False # Get the IP Address of our server try: addr_info = io.AddrInfo(hostname) except Exception, e: print >>sys.stderr, "client: could not resolve host address \"%s\"" % hostname return
def client(request): if use_ssl: if info: print "client: using SSL" ssl.set_domestic_policy() valid_addr = False # Get the IP Address of our server try: addr_info = io.AddrInfo(hostname) except Exception, e: print >> sys.stderr, "client: could not resolve host address \"%s\"" % hostname return
def __init__(self, host, port=None, strict=None, dbdir=None, family=socket.AF_UNSPEC, no_init=False, tls_version_min='tls1.1', tls_version_max='tls1.2'): """ :param host: the server to connect to :param port: the port to use (default is set in HTTPConnection) :param dbdir: the NSS database directory :param family: network family to use (default AF_UNSPEC) :param no_init: do not initialize the NSS database. This requires that the database has already been initialized or the request will fail. :param tls_min_version: mininum version of SSL/TLS supported :param tls_max_version: maximum version of SSL/TLS supported. """ httplib.HTTPConnection.__init__(self, host, port, strict) NSSAddressFamilyFallback.__init__(self, family) root_logger.debug('%s init %s', self.__class__.__name__, host) # If initialization is requested, initialize the new database. if not no_init: if nss.nss_is_initialized(): ssl.clear_session_cache() try: nss.nss_shutdown() except NSPRError as e: if e.errno != error.SEC_ERROR_NOT_INITIALIZED: raise e if not dbdir: raise RuntimeError("dbdir is required") nss.nss_init(dbdir) global current_dbdir current_dbdir = dbdir ssl.set_domestic_policy() nss.set_password_callback(self.password_callback) tls_versions = get_proper_tls_version_span(tls_version_min, tls_version_max) self.tls_version_min = tls_versions[0] self.tls_version_max = tls_versions[-1]
def __init__( self, host, port=None, strict=None, dbdir=None, family=socket.AF_UNSPEC, no_init=False, tls_version_min="tls1.1", tls_version_max="tls1.2", ): """ :param host: the server to connect to :param port: the port to use (default is set in HTTPConnection) :param dbdir: the NSS database directory :param family: network family to use (default AF_UNSPEC) :param no_init: do not initialize the NSS database. This requires that the database has already been initialized or the request will fail. :param tls_min_version: mininum version of SSL/TLS supported :param tls_max_version: maximum version of SSL/TLS supported. """ httplib.HTTPConnection.__init__(self, host, port, strict) NSSAddressFamilyFallback.__init__(self, family) root_logger.debug("%s init %s", self.__class__.__name__, host) # If initialization is requested, initialize the new database. if not no_init: if nss.nss_is_initialized(): ssl.clear_session_cache() try: nss.nss_shutdown() except NSPRError as e: if e.errno != error.SEC_ERROR_NOT_INITIALIZED: raise e if not dbdir: raise RuntimeError("dbdir is required") nss.nss_init(dbdir) global current_dbdir current_dbdir = dbdir ssl.set_domestic_policy() nss.set_password_callback(self.password_callback) self.tls_version_min = str(tls_version_min) self.tls_version_max = str(tls_version_max)
def server(): global family if verbose: print "starting server:" # Initialize # Setup an IP Address to listen on any of our interfaces if family == io.PR_AF_UNSPEC: family = io.PR_AF_INET net_addr = io.NetworkAddress(io.PR_IpAddrAny, port, family) if use_ssl: if info: print "server: using SSL" ssl.set_domestic_policy() nss.set_password_callback(password_callback) # Perform basic SSL server configuration ssl.set_default_cipher_pref(ssl.SSL_RSA_WITH_NULL_MD5, True) ssl.config_server_session_id_cache() # Get our certificate and private key server_cert = nss.find_cert_from_nickname(server_nickname, password) priv_key = nss.find_key_by_any_cert(server_cert, password) server_cert_kea = server_cert.find_kea_type(); #if verbose: print "server cert:\n%s" % server_cert sock = ssl.SSLSocket(net_addr.family) # Set server SSL socket options sock.set_pkcs11_pin_arg(password) sock.set_ssl_option(ssl.SSL_SECURITY, True) sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_SERVER, True) # If we're doing client authentication then set it up if client_cert_action >= REQUEST_CLIENT_CERT_ONCE: sock.set_ssl_option(ssl.SSL_REQUEST_CERTIFICATE, True) if client_cert_action == REQUIRE_CLIENT_CERT_ONCE: sock.set_ssl_option(ssl.SSL_REQUIRE_CERTIFICATE, True) sock.set_auth_certificate_callback(auth_certificate_callback, nss.get_default_certdb()) # Configure the server SSL socket sock.config_secure_server(server_cert, priv_key, server_cert_kea) else: sock = io.Socket(net_addr.family) # Bind to our network address and listen for clients sock.bind(net_addr) if verbose: print "listening on: %s" % (net_addr) sock.listen() while True: # Accept a connection from a client client_sock, client_addr = sock.accept() if use_ssl: client_sock.set_handshake_callback(handshake_callback) if verbose: print "client connect from: %s" % (client_addr) while True: try: # Handle the client connection buf = client_sock.recv(1024) if not buf: print >>sys.stderr, "server: lost lost connection to %s" % (client_addr) break if info: print "server: received \"%s\"" % (buf) reply = "{%s}" % buf # echo if info: print "server: sending \"%s\"" % (reply) client_sock.send(reply) # echo time.sleep(sleep_time) client_sock.shutdown() client_sock.close() break except Exception, e: print >>sys.stderr, "server: %s" % e break break
def server(): if verbose: print("starting server:") # Initialize # Setup an IP Address to listen on any of our interfaces net_addr = io.NetworkAddress(io.PR_IpAddrAny, port) if use_ssl: if info: print("server: using SSL") ssl.set_domestic_policy() nss.set_password_callback(password_callback) # Perform basic SSL server configuration ssl.set_default_cipher_pref(ssl.SSL_RSA_WITH_NULL_MD5, True) ssl.config_server_session_id_cache() # Get our certificate and private key server_cert = nss.find_cert_from_nickname(server_nickname, password) priv_key = nss.find_key_by_any_cert(server_cert, password) server_cert_kea = server_cert.find_kea_type() #if verbose: # print("server cert:\n%s" % server_cert) sock = ssl.SSLSocket(net_addr.family) # Set server SSL socket options sock.set_pkcs11_pin_arg(password) sock.set_ssl_option(ssl.SSL_SECURITY, True) sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_SERVER, True) # If we're doing client authentication then set it up if client_cert_action >= REQUEST_CLIENT_CERT_ONCE: sock.set_ssl_option(ssl.SSL_REQUEST_CERTIFICATE, True) if client_cert_action == REQUIRE_CLIENT_CERT_ONCE: sock.set_ssl_option(ssl.SSL_REQUIRE_CERTIFICATE, True) sock.set_auth_certificate_callback(auth_certificate_callback, nss.get_default_certdb()) # Configure the server SSL socket sock.config_secure_server(server_cert, priv_key, server_cert_kea) else: sock = io.Socket(net_addr.family) # Bind to our network address and listen for clients sock.bind(net_addr) if verbose: print("listening on: %s" % (net_addr)) sock.listen() while True: # Accept a connection from a client client_sock, client_addr = sock.accept() if use_ssl: client_sock.set_handshake_callback(handshake_callback) if verbose: print("client connect from: %s" % (client_addr)) while True: try: # Handle the client connection buf = client_sock.readline( ) # newline is protocol record separator if not buf: print("server: lost lost connection to %s" % (client_addr), file=sys.stderr) break buf = buf.decode('utf-8') buf = buf.rstrip() # remove newline record separator if info: print("server: received \"%s\"" % (buf)) reply = "{%s}" % buf # echo embedded inside braces if info: print("server: sending \"%s\"" % (reply)) data = reply + "\n" # send echo with record separator client_sock.send(data.encode('utf-8')) time.sleep(sleep_time) client_sock.shutdown() client_sock.close() break except Exception as e: print("server: %s" % e, file=sys.stderr) break break # Clean up sock.shutdown() sock.close() if use_ssl: ssl.shutdown_server_session_id_cache()
def client(request): if use_ssl: if info: print("client: using SSL") ssl.set_domestic_policy() # Get the IP Address of our server try: addr_info = io.AddrInfo(hostname) except Exception as e: print("client: could not resolve host address \"%s\"" % hostname, file=sys.stderr) return for net_addr in addr_info: net_addr.port = port if use_ssl: sock = ssl.SSLSocket(net_addr.family) # Set client SSL socket options sock.set_ssl_option(ssl.SSL_SECURITY, True) sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_CLIENT, True) sock.set_hostname(hostname) # Provide a callback which notifies us when the SSL handshake is complete sock.set_handshake_callback(handshake_callback) # Provide a callback to supply our client certificate info sock.set_client_auth_data_callback(client_auth_data_callback, client_nickname, password, nss.get_default_certdb()) # Provide a callback to verify the servers certificate sock.set_auth_certificate_callback(auth_certificate_callback, nss.get_default_certdb()) else: sock = io.Socket(net_addr.family) try: if verbose: print("client trying connection to: %s" % (net_addr)) sock.connect(net_addr, timeout=io.seconds_to_interval(timeout_secs)) if verbose: print("client connected to: %s" % (net_addr)) break except Exception as e: sock.close() print("client: connection to: %s failed (%s)" % (net_addr, e), file=sys.stderr) # Talk to the server try: if info: print("client: sending \"%s\"" % (request)) data = request + "\n" # newline is protocol record separator sock.send(data.encode('utf-8')) buf = sock.readline() if not buf: print("client: lost connection", file=sys.stderr) sock.close() return buf = buf.decode('utf-8') buf = buf.rstrip() # remove newline record separator if info: print("client: received \"%s\"" % (buf)) except Exception as e: print("client: %s" % e, file=sys.stderr) try: sock.close() except: pass return try: sock.shutdown() except Exception as e: print("client: %s" % e, file=sys.stderr) try: sock.close() if use_ssl: ssl.clear_session_cache() except Exception as e: print("client: %s" % e, file=sys.stderr) return buf
def server(): if verbose: print("starting server:") # Initialize # Setup an IP Address to listen on any of our interfaces net_addr = io.NetworkAddress(io.PR_IpAddrAny, port) if use_ssl: if info: print("server: using SSL") ssl.set_domestic_policy() nss.set_password_callback(password_callback) # Perform basic SSL server configuration ssl.set_default_cipher_pref(ssl.SSL_RSA_WITH_NULL_MD5, True) ssl.config_server_session_id_cache() # Get our certificate and private key server_cert = nss.find_cert_from_nickname(server_nickname, password) priv_key = nss.find_key_by_any_cert(server_cert, password) server_cert_kea = server_cert.find_kea_type(); #if verbose: # print("server cert:\n%s" % server_cert) sock = ssl.SSLSocket(net_addr.family) # Set server SSL socket options sock.set_pkcs11_pin_arg(password) sock.set_ssl_option(ssl.SSL_SECURITY, True) sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_SERVER, True) # If we're doing client authentication then set it up if client_cert_action >= REQUEST_CLIENT_CERT_ONCE: sock.set_ssl_option(ssl.SSL_REQUEST_CERTIFICATE, True) if client_cert_action == REQUIRE_CLIENT_CERT_ONCE: sock.set_ssl_option(ssl.SSL_REQUIRE_CERTIFICATE, True) sock.set_auth_certificate_callback(auth_certificate_callback, nss.get_default_certdb()) # Configure the server SSL socket sock.config_secure_server(server_cert, priv_key, server_cert_kea) else: sock = io.Socket(net_addr.family) # Bind to our network address and listen for clients sock.bind(net_addr) if verbose: print("listening on: %s" % (net_addr)) sock.listen() while True: # Accept a connection from a client client_sock, client_addr = sock.accept() if use_ssl: client_sock.set_handshake_callback(handshake_callback) if verbose: print("client connect from: %s" % (client_addr)) while True: try: # Handle the client connection buf = client_sock.readline() # newline is protocol record separator if not buf: print("server: lost lost connection to %s" % (client_addr), file=sys.stderr) break buf = buf.decode('utf-8') buf = buf.rstrip() # remove newline record separator if info: print("server: received \"%s\"" % (buf)) reply = "{%s}" % buf # echo embedded inside braces if info: print("server: sending \"%s\"" % (reply)) data = reply + "\n" # send echo with record separator client_sock.send(data.encode('utf-8')) time.sleep(sleep_time) client_sock.shutdown() client_sock.close() break except Exception as e: print("server: %s" % e, file=sys.stderr) break break # Clean up sock.shutdown() sock.close() if use_ssl: ssl.shutdown_server_session_id_cache()
options = parser.parse_args() if options.client and options.server: print("can't be both client and server") sys.exit(1) if not (options.client or options.server): print("must be one of client or server") sys.exit(1) # Perform basic configuration and setup if options.use_ssl: nss.nss_init(options.db_name) else: nss.nss_init_nodb() ssl.set_domestic_policy() nss.set_password_callback(password_callback) min_ssl_version, max_ssl_version = \ ssl.get_supported_ssl_version_range(repr_kind=nss.AsString) print("Supported SSL version range: min=%s, max=%s" % \ (min_ssl_version, max_ssl_version)) min_ssl_version, max_ssl_version = \ ssl.get_default_ssl_version_range(repr_kind=nss.AsString) print("Default SSL version range: min=%s, max=%s" % \ (min_ssl_version, max_ssl_version)) if options.min_ssl_version is not None or \ options.max_ssl_version is not None:
def server(): global family if verbose: print "starting server:" # Initialize # Setup an IP Address to listen on any of our interfaces if family == io.PR_AF_UNSPEC: family = io.PR_AF_INET net_addr = io.NetworkAddress(io.PR_IpAddrAny, port, family) if use_ssl: if info: print "server: using SSL" ssl.set_domestic_policy() nss.set_password_callback(password_callback) # Perform basic SSL server configuration ssl.set_default_cipher_pref(ssl.SSL_RSA_WITH_NULL_MD5, True) ssl.config_server_session_id_cache() # Get our certificate and private key server_cert = nss.find_cert_from_nickname(server_nickname, password) priv_key = nss.find_key_by_any_cert(server_cert, password) server_cert_kea = server_cert.find_kea_type() #if verbose: print "server cert:\n%s" % server_cert sock = ssl.SSLSocket(net_addr.family) # Set server SSL socket options sock.set_pkcs11_pin_arg(password) sock.set_ssl_option(ssl.SSL_SECURITY, True) sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_SERVER, True) # If we're doing client authentication then set it up if client_cert_action >= REQUEST_CLIENT_CERT_ONCE: sock.set_ssl_option(ssl.SSL_REQUEST_CERTIFICATE, True) if client_cert_action == REQUIRE_CLIENT_CERT_ONCE: sock.set_ssl_option(ssl.SSL_REQUIRE_CERTIFICATE, True) sock.set_auth_certificate_callback(auth_certificate_callback, nss.get_default_certdb()) # Configure the server SSL socket sock.config_secure_server(server_cert, priv_key, server_cert_kea) else: sock = io.Socket(net_addr.family) # Bind to our network address and listen for clients sock.bind(net_addr) if verbose: print "listening on: %s" % (net_addr) sock.listen() while True: # Accept a connection from a client client_sock, client_addr = sock.accept() if use_ssl: client_sock.set_handshake_callback(handshake_callback) if verbose: print "client connect from: %s" % (client_addr) while True: try: # Handle the client connection buf = client_sock.recv(1024) if not buf: print >> sys.stderr, "server: lost lost connection to %s" % ( client_addr) break if info: print "server: received \"%s\"" % (buf) reply = "{%s}" % buf # echo if info: print "server: sending \"%s\"" % (reply) client_sock.send(reply) # echo time.sleep(sleep_time) client_sock.shutdown() client_sock.close() break except Exception, e: print >> sys.stderr, "server: %s" % e break break
parser.set_defaults( db_name='sql:pki', hostname='www.verisign.com', port=443, enumerate_cipher_suites=True, ssl_connect=True, use_properties=False, ) options = parser.parse_args() # Perform basic configuration and setup try: nss.nss_init(options.db_name) ssl.set_domestic_policy() except Exception as e: print(str(e), file=sys.stderr) sys.exit(1) if options.enumerate_cipher_suites: suite_info = ssl.get_cipher_suite_info(ssl.ssl_implemented_ciphers[0]) print("There are %d implemented ciphers" % (len(ssl.ssl_implemented_ciphers))) for cipher in ssl.ssl_implemented_ciphers: suite_info = ssl.get_cipher_suite_info(cipher) print(suite_info) print()
def client(request): if use_ssl: if info: print("client: using SSL") ssl.set_domestic_policy() # Get the IP Address of our server try: addr_info = io.AddrInfo(hostname) except Exception as e: print("client: could not resolve host address \"%s\"" % hostname, file=sys.stderr) return for net_addr in addr_info: net_addr.port = port if use_ssl: sock = ssl.SSLSocket(net_addr.family) # Set client SSL socket options sock.set_ssl_option(ssl.SSL_SECURITY, True) sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_CLIENT, True) sock.set_hostname(hostname) # Provide a callback which notifies us when the SSL handshake is complete sock.set_handshake_callback(handshake_callback) # Provide a callback to supply our client certificate info sock.set_client_auth_data_callback(client_auth_data_callback, client_nickname, password, nss.get_default_certdb()) # Provide a callback to verify the servers certificate sock.set_auth_certificate_callback(auth_certificate_callback, nss.get_default_certdb()) else: sock = io.Socket(net_addr.family) try: if verbose: print("client trying connection to: %s" % (net_addr)) sock.connect(net_addr, timeout=io.seconds_to_interval(timeout_secs)) if verbose: print("client connected to: %s" % (net_addr)) break except Exception as e: sock.close() print("client: connection to: %s failed (%s)" % (net_addr, e), file=sys.stderr) # Talk to the server try: if info: print("client: sending \"%s\"" % (request)) data = request + "\n"; # newline is protocol record separator sock.send(data.encode('utf-8')) buf = sock.readline() if not buf: print("client: lost connection", file=sys.stderr) sock.close() return buf = buf.decode('utf-8') buf = buf.rstrip() # remove newline record separator if info: print("client: received \"%s\"" % (buf)) except Exception as e: print("client: %s" % e, file=sys.stderr) try: sock.close() except: pass return try: sock.shutdown() except Exception as e: print("client: %s" % e, file=sys.stderr) try: sock.close() if use_ssl: ssl.clear_session_cache() except Exception as e: print("client: %s" % e, file=sys.stderr) return buf