Пример #1
    def __init__(self):
        """Set every user-tunable option to its built-in default."""
        # Account fields default to empty strings.
        self.appid = self.password = ''

        # Upstream proxy options are all held as strings; "0" means disabled.
        self.proxy_enable = "0"
        self.proxy_type = "HTTP"
        self.proxy_host = self.proxy_port = ""
        # NOTE(review): the proxy password lives on this object as plain
        # text; how it is persisted is not visible from this method.
        self.proxy_user = self.proxy_passwd = ""

        # IP scanning behaviour.
        self.host_appengine_mode = "gae"
        self.auto_adjust_scan_ip_thread_num = 1
        self.scan_ip_thread_num = 0
        self.use_ipv6 = "auto"

        # Loopback by default; presumably the address the local listener
        # binds to (confirm against the code that consumes LISTEN_IP).
        self.LISTEN_IP = "127.0.0.1"
        # The default fake host is drawn from the SNI generator.
        self.fake_host = sni_generater.get()
Пример #2
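def connect_ssl(ip, port=443, timeout=5, check_cert=True, close_cb=None):
    """Open a TLS connection to ``ip`` and return the annotated SSL socket.

    The SNI sent in the handshake comes from ``sni_generater.get()`` rather
    than from a hostname tied to ``ip``, so peer identity rests on the chain
    checks below plus whatever ``openssl_context`` enforces (its
    configuration is not visible in this function).

    Args:
        ip: IPv4 or IPv6 literal; a ':' in the string selects AF_INET6.
        port: TCP port to connect to.
        timeout: Socket timeout in seconds, applied before connecting.
        check_cert: When false, the certificate-chain checks are skipped.
        close_cb: Passed through to ``openssl_wrap.SSLConnection``.

    Returns:
        The connected ``SSLConnection`` with ``h2``, timing, ``sni`` and
        bookkeeping attributes set on it.

    Raises:
        socket.error: The peer presented no certificate chain.
        Cert_Exception: The chain has fewer than three certificates, the
            intermediate public key is not in ``GoogleG23PKP``, or the leaf
            issuer CN does not start with 'Google'.
    """
    if not check_local_network.is_ok(ip):
        # While the network is reported as failing, callers queue on the
        # lock and each waits 100 ms before trying to connect.
        with network_fail_lock:
            time.sleep(0.1)

    ip_port = (ip, port)

    sni = sni_generater.get()

    if int(config.PROXY_ENABLE):
        sock = socks.socksocket(socket.AF_INET if ':' not in ip else socket.AF_INET6)
    else:
        sock = socket.socket(socket.AF_INET if ':' not in ip else socket.AF_INET6)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    # set struct linger{l_onoff=1,l_linger=0} to avoid 10048 socket error
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack('ii', 1, 0))
    # resize socket recv buffer 8K->32K to improve browser related application performance
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, 32*1024)
    sock.setsockopt(socket.SOL_TCP, socket.TCP_NODELAY, True)
    sock.settimeout(timeout)

    ssl_sock = openssl_wrap.SSLConnection(openssl_context, sock, ip, close_cb)
    ssl_sock.set_connect_state()
    if hasattr(ssl_sock, 'set_tlsext_host_name'):
        try:
            ssl_sock.set_tlsext_host_name(sni)
        except Exception as e:
            # Still best effort, but no longer silent and no longer
            # swallowing KeyboardInterrupt/SystemExit.
            xlog.debug("%s set sni %s fail:%r", ip, sni, e)

    time_begin = time.time()
    ssl_sock.connect(ip_port)
    time_connected = time.time()
    ssl_sock.do_handshake()

    try:
        h2 = ssl_sock.get_alpn_proto_negotiated()
        ssl_sock.h2 = (h2 == "h2")

        xlog.debug("%s alpn h2:%s", ip, h2)
    except Exception:
        # ALPN query failed; fall back to the protocol the wrapped
        # connection recorded, if it recorded one.
        ssl_sock.h2 = (hasattr(ssl_sock._connection, "protos")
                       and ssl_sock._connection.protos == "h2")
    time_handshaked = time.time()

    check_local_network.report_ok(ip)

    def verify_SSL_certificate_issuer(ssl_sock):
        """Raise unless the peer chain passes the length, pin and issuer checks."""
        certs = ssl_sock.get_peer_cert_chain()
        if not certs:
            raise socket.error(' certficate is none')
        if len(certs) < 3:
            raise Cert_Exception('No intermediate CA was found.')

        # NOTE(review): on a pyOpenSSL without dump_publickey the pin
        # comparison is skipped without any log line, leaving only the
        # chain-length and issuer-CN checks.
        if hasattr(OpenSSL.crypto, "dump_publickey"):
            if OpenSSL.crypto.dump_publickey(OpenSSL.crypto.FILETYPE_PEM, certs[1].get_pubkey()) not in GoogleG23PKP:
                raise Cert_Exception('The intermediate CA is mismatching.')

        # NOTE(review): the issuer CN is free text chosen by whoever signed
        # the leaf; it is only meaningful if the chain itself was validated
        # (by the pin above or by openssl_context, which is not shown here).
        issuer_commonname = next((v for k, v in certs[0].get_issuer().get_components() if k == 'CN'), '')
        if not issuer_commonname.startswith('Google'):
            raise Cert_Exception(' certficate is issued by %r, not Google' % (issuer_commonname))

    if check_cert:
        verify_SSL_certificate_issuer(ssl_sock)

    connct_time = int((time_connected - time_begin) * 1000)
    handshake_time = int((time_handshaked - time_connected) * 1000)

    # sometimes, we want to use raw tcp socket directly(select/epoll), so setattr it to ssl socket.
    ssl_sock._sock = sock
    ssl_sock.connct_time = connct_time
    ssl_sock.handshake_time = handshake_time

    ssl_sock.fd = sock.fileno()
    ssl_sock.create_time = time_begin
    ssl_sock.last_use_time = time_begin
    ssl_sock.received_size = 0
    ssl_sock.load = 0
    ssl_sock.sni = sni
    ssl_sock.host = ""

    return ssl_sock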
Пример #3
def connect_ssl(ip, port=443, timeout=5, check_cert=True, close_cb=None):
    """Connect to ``ip`` over TLS and hand back the decorated SSL socket.

    The handshake SNI is taken from ``sni_generater.get()``. With
    ``check_cert`` set, the peer chain must hold at least three
    certificates, the intermediate public key must be in ``GoogleG23PKP``
    (only when pyOpenSSL offers ``dump_publickey``) and the leaf issuer CN
    must start with 'Google'; otherwise ``socket.error`` or
    ``Cert_Exception`` is raised.
    """
    if check_local_network.network_stat != "OK":
        # Network is flagged as failing: serialise callers and wait 100 ms.
        with network_fail_lock:
            time.sleep(0.1)

    target = (ip, port)

    sni = sni_generater.get()

    # A SOCKS-capable socket is used when the proxy is enabled.
    make_socket = socks.socksocket if config.PROXY_ENABLE else socket.socket
    family = socket.AF_INET6 if ':' in ip else socket.AF_INET
    sock = make_socket(family)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    # linger{l_onoff=1, l_linger=0}: avoids socket error 10048.
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack('ii', 1, 0))
    # Receive buffer raised from 8K to 32K for browser-like workloads.
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, 32 * 1024)
    sock.setsockopt(socket.SOL_TCP, socket.TCP_NODELAY, True)
    sock.settimeout(timeout)

    ssl_sock = openssl_wrap.SSLConnection(openssl_context, sock, ip, close_cb)
    ssl_sock.set_connect_state()
    ssl_sock.set_tlsext_host_name(sni)

    time_begin = time.time()
    ssl_sock.connect(target)
    time_connected = time.time()
    ssl_sock.do_handshake()

    try:
        negotiated = ssl_sock.get_alpn_proto_negotiated()
        ssl_sock.h2 = (negotiated == "h2")

        xlog.debug("%s alpn h2:%s", ip, negotiated)
    except Exception:
        # No ALPN answer available: use what the wrapped connection stored.
        inner = ssl_sock._connection
        ssl_sock.h2 = hasattr(inner, "protos") and inner.protos == "h2"
    time_handshaked = time.time()

    # A completed handshake marks the local network as healthy again.
    check_local_network.network_stat = "OK"
    check_local_network.last_check_time = time_handshaked
    check_local_network.continue_fail_count = 0

    def _check_peer_chain(conn):
        """Raise unless the peer chain passes the length, pin and issuer checks."""
        chain = conn.get_peer_cert_chain()
        if not chain:
            raise socket.error(' certficate is none')
        if len(chain) < 3:
            raise Cert_Exception('No intermediate CA was found.')

        # Older pyOpenSSL has no dump_publickey; the pin check is then skipped.
        if hasattr(OpenSSL.crypto, "dump_publickey"):
            intermediate_key = OpenSSL.crypto.dump_publickey(
                OpenSSL.crypto.FILETYPE_PEM, chain[1].get_pubkey())
            if intermediate_key not in GoogleG23PKP:
                raise Cert_Exception('The intermediate CA is mismatching.')

        issuer_cn = ''
        for field, value in chain[0].get_issuer().get_components():
            if field == 'CN':
                issuer_cn = value
                break
        if not issuer_cn.startswith('Google'):
            raise Cert_Exception(' certficate is issued by %r, not Google' % (issuer_cn))

    if check_cert:
        _check_peer_chain(ssl_sock)

    connect_ms = int((time_connected - time_begin) * 1000)
    handshake_ms = int((time_handshaked - time_connected) * 1000)

    # The raw TCP socket is kept on the wrapper for direct select/epoll use.
    ssl_sock._sock = sock
    ssl_sock.connct_time = connect_ms
    ssl_sock.handshake_time = handshake_ms

    ssl_sock.fd = sock.fileno()
    ssl_sock.create_time = time_begin
    ssl_sock.last_use_time = time_begin
    ssl_sock.received_size = 0
    ssl_sock.load = 0
    ssl_sock.sni = sni
    ssl_sock.host = ""

    return ssl_sock
Пример #4
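def connect_ssl(ip, port=443, timeout=5, top_domain=None, on_close=None):
    """Open a TLS connection to ``ip`` and return the annotated SSL socket.

    The handshake SNI comes from ``sni_generater.get()``; ``top_domain``
    falls back to that SNI when not supplied. The peer certificate is always
    checked (there is no opt-out parameter): its issuer CN must start with
    'DigiCert'.

    Args:
        ip: IPv4 or IPv6 literal; a ':' in the string selects AF_INET6.
        port: TCP port to connect to.
        timeout: Socket timeout in seconds, applied before connecting.
        top_domain: Stored on the returned socket; defaults to the SNI.
        on_close: Passed through to ``openssl_wrap.SSLConnection``.

    Returns:
        The connected ``SSLConnection`` with ``h2``, timing, ``sni`` and
        ``top_domain`` attributes set on it.

    Raises:
        socket.error: No peer certificate, or an issuer CN that does not
            start with 'DigiCert'.
    """
    if check_local_network.network_stat != "OK":
        # Network is flagged as failing: serialise callers and wait 100 ms.
        with network_fail_lock:
            time.sleep(0.1)

    sni = sni_generater.get()
    if not top_domain:
        top_domain = sni

    xlog.debug("top_domain:%s sni:%s", top_domain, sni)

    if config.PROXY_ENABLE:
        sock = socks.socksocket(socket.AF_INET if ':' not in ip else socket.AF_INET6)
    else:
        sock = socket.socket(socket.AF_INET if ':' not in ip else socket.AF_INET6)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    # set struct linger{l_onoff=1,l_linger=0} to avoid 10048 socket error
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack('ii', 1, 0))
    # resize socket recv buffer 8K->32K to improve browser related application performance
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, 32*1024)
    sock.setsockopt(socket.SOL_TCP, socket.TCP_NODELAY, True)
    sock.settimeout(timeout)

    ssl_sock = openssl_wrap.SSLConnection(openssl_context, sock, ip, on_close=on_close)
    ssl_sock.set_connect_state()
    ssl_sock.set_tlsext_host_name(sni)

    time_begin = time.time()
    ip_port = (ip, port)
    ssl_sock.connect(ip_port)
    time_connected = time.time()
    ssl_sock.do_handshake()

    try:
        h2 = ssl_sock.get_alpn_proto_negotiated()
        ssl_sock.h2 = (h2 == "h2")
    except Exception:
        # ALPN query failed; fall back to the protocol the wrapped
        # connection recorded, if it recorded one.
        ssl_sock.h2 = (hasattr(ssl_sock._connection, "protos")
                       and ssl_sock._connection.protos == "h2")

    time_handshaked = time.time()

    # report network ok
    check_local_network.network_stat = "OK"
    check_local_network.last_check_time = time_handshaked
    check_local_network.continue_fail_count = 0

    cert = ssl_sock.get_peer_certificate()
    if not cert:
        raise socket.error(' certficate is none')

    # NOTE(review): the issuer CN is free text chosen by whoever signed the
    # leaf; this prefix test only means something if openssl_context already
    # validated the chain, which is not visible from this function.
    issuer_commonname = next((v for k, v in cert.get_issuer().get_components() if k == 'CN'), '')
    if not issuer_commonname.startswith('DigiCert'):
        # The message names the issuer that is actually being required.
        raise socket.error(' certficate is issued by %r, not DigiCert' % ( issuer_commonname))

    connect_time = int((time_connected - time_begin) * 1000)
    # NOTE(review): measured from time_begin, so this value includes the TCP
    # connect time as well as the handshake - confirm that is intended.
    handshake_time = int((time_handshaked - time_begin) * 1000)
    if __name__ == "__main__":
        xlog.debug("h2:%s", ssl_sock.h2)
        xlog.debug("issued by:%s", issuer_commonname)
        xlog.debug("conn: %d  handshake:%d", connect_time, handshake_time)

    # sometimes, we want to use raw tcp socket directly(select/epoll), so setattr it to ssl socket.
    ssl_sock.ip = ip
    ssl_sock._sock = sock
    ssl_sock.fd = sock.fileno()
    ssl_sock.create_time = time_begin
    ssl_sock.connect_time = connect_time
    ssl_sock.handshake_time = handshake_time
    ssl_sock.sni = sni
    ssl_sock.top_domain = top_domain

    return ssl_sock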
Пример #5
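def connect_ssl(ip, port=443, timeout=5, top_domain=None):
    """Open a TLS connection to ``ip`` and return the annotated SSL socket.

    The handshake SNI comes from ``sni_generater.get()``; ``top_domain``
    falls back to that SNI when not supplied. The peer certificate is always
    checked: its issuer CN must start with 'DigiCert'.

    Args:
        ip: IPv4 or IPv6 literal; a ':' in the string selects AF_INET6.
        port: TCP port to connect to.
        timeout: Socket timeout in seconds, applied before connecting.
        top_domain: Stored on the returned socket; defaults to the SNI.

    Returns:
        The connected ``SSLConnection`` with ``h2``, timing, ``sni`` and
        ``top_domain`` attributes set on it.

    Raises:
        socket.error: No peer certificate, or an issuer CN that does not
            start with 'DigiCert'.
    """
    sni = sni_generater.get()
    if not top_domain:
        top_domain = sni

    xlog.debug("top_domain:%s sni:%s", top_domain, sni)

    if config.PROXY_ENABLE:
        sock = socks.socksocket(socket.AF_INET if ':' not in
                                ip else socket.AF_INET6)
    else:
        sock = socket.socket(socket.AF_INET if ':' not in
                             ip else socket.AF_INET6)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    # set struct linger{l_onoff=1,l_linger=0} to avoid 10048 socket error
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER,
                    struct.pack('ii', 1, 0))
    # resize socket recv buffer 8K->32K to improve browser related application performance
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, 32 * 1024)
    sock.setsockopt(socket.SOL_TCP, socket.TCP_NODELAY, True)
    sock.settimeout(timeout)

    ssl_sock = openssl_wrap.SSLConnection(openssl_context, sock, ip)
    ssl_sock.set_connect_state()
    ssl_sock.set_tlsext_host_name(sni)

    time_begin = time.time()
    ip_port = (ip, port)
    ssl_sock.connect(ip_port)
    time_connected = time.time()
    ssl_sock.do_handshake()

    try:
        h2 = ssl_sock.get_alpn_proto_negotiated()
        ssl_sock.h2 = (h2 == "h2")
    except Exception:
        # ALPN query failed; fall back to the protocol the wrapped
        # connection recorded, if it recorded one.
        ssl_sock.h2 = (hasattr(ssl_sock._connection, "protos")
                       and ssl_sock._connection.protos == "h2")

    time_handshaked = time.time()

    # report network ok
    check_local_network.network_stat = "OK"
    check_local_network.last_check_time = time_handshaked
    check_local_network.continue_fail_count = 0

    cert = ssl_sock.get_peer_certificate()
    if not cert:
        raise socket.error(' certficate is none')

    # NOTE(review): the issuer CN is free text chosen by whoever signed the
    # leaf; this prefix test only means something if openssl_context already
    # validated the chain, which is not visible from this function.
    issuer_commonname = next(
        (v for k, v in cert.get_issuer().get_components() if k == 'CN'), '')
    if not issuer_commonname.startswith('DigiCert'):
        # The message names the issuer that is actually being required.
        raise socket.error(' certficate is issued by %r, not DigiCert' %
                           (issuer_commonname))

    connect_time = int((time_connected - time_begin) * 1000)
    # NOTE(review): measured from time_begin, so this value includes the TCP
    # connect time as well as the handshake - confirm that is intended.
    handshake_time = int((time_handshaked - time_begin) * 1000)
    if __name__ == "__main__":
        xlog.debug("h2:%s", ssl_sock.h2)
        xlog.debug("issued by:%s", issuer_commonname)
        xlog.debug("conn: %d  handshake:%d", connect_time, handshake_time)

    # sometimes, we want to use raw tcp socket directly(select/epoll), so setattr it to ssl socket.
    ssl_sock.ip = ip
    ssl_sock._sock = sock
    ssl_sock.fd = sock.fileno()
    ssl_sock.create_time = time_begin
    ssl_sock.connect_time = connect_time
    ssl_sock.handshake_time = handshake_time
    ssl_sock.sni = sni
    ssl_sock.top_domain = top_domain

    return ssl_sock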
Пример #6
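    def load(self):
        """Read proxy.ini and the user's config.ini into ``self.user_special``.

        Returns early (leaving the current values in place) when either file
        is missing. Optional settings that are absent keep their existing
        value; any other failure is logged as a warning and swallowed, so
        this method does not raise for ordinary errors.
        """
        # This rebinds OPTCRE on the RawConfigParser class itself, so it
        # applies to every parser in the process: only '=' separates an
        # option name from its value.
        ConfigParser.RawConfigParser.OPTCRE = re.compile(
            r'(?P<option>[^=\s][^=]*)\s*(?P<vi>[=])\s*(?P<value>.*)$')

        self.DEFAULT_CONFIG = ConfigParser.ConfigParser()
        DEFAULT_CONFIG_FILENAME = os.path.abspath(
            os.path.join(current_path, 'proxy.ini'))

        self.USER_CONFIG = ConfigParser.ConfigParser()
        CONFIG_USER_FILENAME = os.path.join(data_path, 'config.ini')

        try:
            if not os.path.isfile(DEFAULT_CONFIG_FILENAME):
                return
            self.DEFAULT_CONFIG.read(DEFAULT_CONFIG_FILENAME)
            self.user_special.scan_ip_thread_num = self.DEFAULT_CONFIG.getint(
                'google_ip', 'max_scan_ip_thread_num')

            if not os.path.isfile(CONFIG_USER_FILENAME):
                return
            self.USER_CONFIG.read(CONFIG_USER_FILENAME)

            # The app id and password are read as plain text from
            # config.ini; that file should be readable only by its owner.
            try:
                self.user_special.appid = self.USER_CONFIG.get('gae', 'appid')
                self.user_special.password = self.USER_CONFIG.get(
                    'gae', 'password')
            except Exception:
                pass

            try:
                self.user_special.host_appengine_mode = self.USER_CONFIG.get(
                    'hosts', 'appengine.google.com')
            except Exception:
                pass

            try:
                self.user_special.scan_ip_thread_num = config.CONFIG.getint(
                    'google_ip', 'max_scan_ip_thread_num')
            except Exception:
                self.user_special.scan_ip_thread_num = self.DEFAULT_CONFIG.getint(
                    'google_ip', 'max_scan_ip_thread_num')

            try:
                self.user_special.auto_adjust_scan_ip_thread_num = config.CONFIG.getint(
                    'google_ip', 'auto_adjust_scan_ip_thread_num')
            except Exception:
                pass

            try:
                self.user_special.use_ipv6 = config.CONFIG.get(
                    'google_ip', 'use_ipv6')
                # Anything outside the known modes falls back to "auto".
                if self.user_special.use_ipv6 not in [
                        "auto", "force_ipv4", "force_ipv6"
                ]:
                    self.user_special.use_ipv6 = "auto"
            except Exception:
                pass

            # NOTE(review): these reads are not individually guarded. A
            # missing [proxy] option raises into the outer handler, so the
            # listen-ip and fake_host overrides below are then skipped.
            self.user_special.proxy_enable = self.USER_CONFIG.get(
                'proxy', 'enable')
            self.user_special.proxy_type = self.USER_CONFIG.get(
                'proxy', 'type')
            self.user_special.proxy_host = self.USER_CONFIG.get(
                'proxy', 'host')
            self.user_special.proxy_port = self.USER_CONFIG.get(
                'proxy', 'port')
            self.user_special.proxy_user = self.USER_CONFIG.get(
                'proxy', 'user')
            self.user_special.proxy_passwd = self.USER_CONFIG.get(
                'proxy', 'passwd')

            # NOTE(review): the listen address is taken from the file
            # without validation; a non-loopback value is accepted as is.
            try:
                self.user_special.LISTEN_IP = self.USER_CONFIG.get(
                    'listen', 'ip')
            except Exception:
                pass

            try:
                self.user_special.fake_host = self.USER_CONFIG.get(
                    'system', 'fake_host')
            except Exception:
                # No stored fake host yet: generate one and persist it.
                self.user_special.fake_host = sni_generater.get()
                self.save()

        except Exception as e:
            xlog.warn("User_config.load except:%s", e)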
Пример #7
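def connect_ssl(ip, port=443, timeout=5, check_cert=True, close_cb=None):
    """Open a TLS connection to ``ip`` and return the annotated SSL socket.

    The handshake SNI comes from ``sni_generater.get()`` rather than from a
    hostname tied to ``ip``. A peer certificate is always required; with
    ``check_cert`` set its issuer CN must also start with 'Google'.

    Args:
        ip: IPv4 or IPv6 literal; a ':' in the string selects AF_INET6.
        port: TCP port to connect to.
        timeout: Socket timeout in seconds, applied before connecting.
        check_cert: When false, the issuer check is skipped.
        close_cb: Passed through to ``openssl_wrap.SSLConnection``.

    Returns:
        The connected ``SSLConnection`` with ``h2``, timing, ``sni`` and
        bookkeeping attributes set on it.

    Raises:
        socket.error: No peer certificate, or (with ``check_cert``) an
            issuer CN that does not start with 'Google'.
    """
    # Throttle only while the local network is reported as failing; the
    # delay under network_fail_lock must not apply to healthy connections.
    if not check_local_network.is_ok(ip):
        with network_fail_lock:
            time.sleep(0.1)

    ip_port = (ip, port)

    sni = sni_generater.get()

    if config.PROXY_ENABLE:
        sock = socks.socksocket(socket.AF_INET if ':' not in
                                ip else socket.AF_INET6)
    else:
        sock = socket.socket(socket.AF_INET if ':' not in
                             ip else socket.AF_INET6)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    # set struct linger{l_onoff=1,l_linger=0} to avoid 10048 socket error
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER,
                    struct.pack('ii', 1, 0))
    # resize socket recv buffer 8K->32K to improve browser related application performance
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, 32 * 1024)
    sock.setsockopt(socket.SOL_TCP, socket.TCP_NODELAY, True)
    sock.settimeout(timeout)

    ssl_sock = openssl_wrap.SSLConnection(openssl_context, sock, ip, close_cb)
    ssl_sock.set_connect_state()
    ssl_sock.set_tlsext_host_name(sni)

    time_begin = time.time()
    ssl_sock.connect(ip_port)
    time_connected = time.time()
    ssl_sock.do_handshake()

    try:
        h2 = ssl_sock.get_alpn_proto_negotiated()
        ssl_sock.h2 = (h2 == "h2")
    except Exception:
        # ALPN query failed; fall back to the protocol the wrapped
        # connection recorded, if it recorded one.
        ssl_sock.h2 = (hasattr(ssl_sock._connection, "protos")
                       and ssl_sock._connection.protos == "h2")
    time_handshaked = time.time()

    # report network ok
    check_local_network.report_ok(ip)

    cert = ssl_sock.get_peer_certificate()
    if not cert:
        raise socket.error(' certficate is none')

    if check_cert:
        # NOTE(review): the issuer CN is free text chosen by whoever signed
        # the leaf; this prefix test only means something if openssl_context
        # already validated the chain, which is not visible from here.
        issuer_commonname = next(
            (v for k, v in cert.get_issuer().get_components() if k == 'CN'),
            '')
        if not issuer_commonname.startswith('Google'):
            raise socket.error(' certficate is issued by %r, not Google' %
                               (issuer_commonname))

    connct_time = int((time_connected - time_begin) * 1000)
    handshake_time = int((time_handshaked - time_connected) * 1000)

    # sometimes, we want to use raw tcp socket directly(select/epoll), so setattr it to ssl socket.
    ssl_sock._sock = sock
    ssl_sock.connct_time = connct_time
    ssl_sock.handshake_time = handshake_time

    ssl_sock.fd = sock.fileno()
    ssl_sock.create_time = time_begin
    ssl_sock.last_use_time = time_begin
    ssl_sock.received_size = 0
    ssl_sock.load = 0
    ssl_sock.sni = sni
    ssl_sock.host = ""

    return ssl_sock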
Пример #8
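def connect_ssl(ip, port=443, timeout=5, check_cert=True, close_cb=None):
    """Open a TLS connection to ``ip`` and return the annotated SSL socket.

    The handshake SNI comes from ``sni_generater.get()`` rather than from a
    hostname tied to ``ip``. A peer certificate is always required; with
    ``check_cert`` set its issuer CN must also start with 'Google'.

    Args:
        ip: IPv4 or IPv6 literal; a ':' in the string selects AF_INET6.
        port: TCP port to connect to.
        timeout: Socket timeout in seconds, applied before connecting.
        check_cert: When false, the issuer check is skipped.
        close_cb: Passed through to ``openssl_wrap.SSLConnection``.

    Returns:
        The connected ``SSLConnection`` with ``h2``, timing, ``sni`` and
        bookkeeping attributes set on it.

    Raises:
        socket.error: No peer certificate, or (with ``check_cert``) an
            issuer CN that does not start with 'Google'.
    """
    # Throttle only while the local network is reported as failing; the
    # delay under network_fail_lock must not apply to healthy connections.
    if not check_local_network.is_ok(ip):
        with network_fail_lock:
            time.sleep(0.1)

    ip_port = (ip, port)

    sni = sni_generater.get()

    if config.PROXY_ENABLE:
        sock = socks.socksocket(socket.AF_INET if ':' not in ip else socket.AF_INET6)
    else:
        sock = socket.socket(socket.AF_INET if ':' not in ip else socket.AF_INET6)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    # set struct linger{l_onoff=1,l_linger=0} to avoid 10048 socket error
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack('ii', 1, 0))
    # resize socket recv buffer 8K->32K to improve browser related application performance
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, 32*1024)
    sock.setsockopt(socket.SOL_TCP, socket.TCP_NODELAY, True)
    sock.settimeout(timeout)

    ssl_sock = openssl_wrap.SSLConnection(openssl_context, sock, ip, close_cb)
    ssl_sock.set_connect_state()
    ssl_sock.set_tlsext_host_name(sni)

    time_begin = time.time()
    ssl_sock.connect(ip_port)
    time_connected = time.time()
    ssl_sock.do_handshake()

    try:
        h2 = ssl_sock.get_alpn_proto_negotiated()
        ssl_sock.h2 = (h2 == "h2")
    except Exception:
        # ALPN query failed; fall back to the protocol the wrapped
        # connection recorded, if it recorded one.
        ssl_sock.h2 = (hasattr(ssl_sock._connection, "protos")
                       and ssl_sock._connection.protos == "h2")
    time_handshaked = time.time()

    # report network ok
    check_local_network.report_ok(ip)

    cert = ssl_sock.get_peer_certificate()
    if not cert:
        raise socket.error(' certficate is none')

    if check_cert:
        # NOTE(review): the issuer CN is free text chosen by whoever signed
        # the leaf; this prefix test only means something if openssl_context
        # already validated the chain, which is not visible from here.
        issuer_commonname = next((v for k, v in cert.get_issuer().get_components() if k == 'CN'), '')
        if not issuer_commonname.startswith('Google'):
            raise socket.error(' certficate is issued by %r, not Google' % ( issuer_commonname))

    connct_time = int((time_connected - time_begin) * 1000)
    handshake_time = int((time_handshaked - time_connected) * 1000)

    # sometimes, we want to use raw tcp socket directly(select/epoll), so setattr it to ssl socket.
    ssl_sock._sock = sock
    ssl_sock.connct_time = connct_time
    ssl_sock.handshake_time = handshake_time

    ssl_sock.fd = sock.fileno()
    ssl_sock.create_time = time_begin
    ssl_sock.last_use_time = time_begin
    ssl_sock.received_size = 0
    ssl_sock.load = 0
    ssl_sock.sni = sni
    ssl_sock.host = ""

    return ssl_sock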