def getContext(self): ctx = Context(SSLv23_METHOD) ctx.load_verify_locations(ca_certs_pem, '/etc/ssl/certs') ctx.set_verify(VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT, self.verifyCertificate) ctx.set_options(OP_NO_SSLv2) if self.hostname: ctx.set_info_callback(self.handshake_callback) return ctx
def getContext(self): ctx = Context(TLSv1_METHOD) store = ctx.get_cert_store() store.add_cert(self.cert) ctx.load_verify_locations(self.certfile) ctx.set_verify(VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT, self.verifyHostname) ctx.set_options(OP_NO_SSLv2) return ctx
def verify_cert(host, ca, timeout): server_ctx = Context(TLSv1_METHOD) server_cert_chain = [] if os.path.isdir(ca): server_ctx.load_verify_locations(None, ca) else: server_ctx.load_verify_locations(ca, None) def verify_cb(conn, cert, errnum, depth, ok): server_cert_chain.append(cert) return ok server_ctx.set_verify(VERIFY_PEER, verify_cb) sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.setblocking(1) sock.settimeout(timeout) sock.connect((host, 443)) server_conn = Connection(server_ctx, sock) server_conn.set_connect_state() def iosock_try(): ok = True try: server_conn.do_handshake() sleep(0.5) except SSLWantReadError as e: ok = False pass except Exception as e: raise e return ok try: while True: if iosock_try(): break server_subject = server_cert_chain[-1].get_subject() if host != server_subject.CN: raise SSLError('Server certificate CN does not match %s' % host) except SSLError as e: raise e finally: server_conn.shutdown() server_conn.close() return True
def server_ok(serverarg, capath, timeout): server_ctx = Context(TLSv1_METHOD) server_ctx.load_verify_locations(None, capath) def verify_cb(conn, cert, errnum, depth, ok): return ok server_ctx.set_verify(VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT, verify_cb) serverarg = re.split("/*", serverarg)[1] if ':' in serverarg: serverarg = serverarg.split(':') server = serverarg[0] port = int(serverarg[1] if not '?' in serverarg[1] else serverarg[1]. split('?')[0]) else: server = serverarg port = DEFAULT_PORT try: sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.connect((server, port)) server_conn = Connection(server_ctx, sock) server_conn.set_connect_state() try: def handler(signum, frame): raise socket.error([('Timeout', 'after', str(timeout) + 's')]) signal.signal(signal.SIGALRM, handler) signal.alarm(timeout) server_conn.do_handshake() signal.alarm(0) except socket.timeout as e: nagios_out( 'Critical', 'Connection error %s - %s' % (server + ':' + str(port), errmsg_from_excp(e)), 2) server_conn.shutdown() server_conn.close() except (SSLError, socket.error) as e: if 'sslv3 alert handshake failure' in errmsg_from_excp(e): pass else: nagios_out( 'Critical', 'Connection error %s - %s' % (server + ':' + str(port), errmsg_from_excp(e)), 2) return True
def getContext(self): """Create an SSL context. This is a sample implementation that loads a certificate from a file called 'server.pem'.""" ctx = SSL_Context(SSLv23_METHOD) ctx.use_certificate_file(self.certificateFileName) ctx.use_privatekey_file(self.privateKeyFileName) ctx.load_client_ca(self.certificateChainFile) ctx.load_verify_locations(self.certificateChainFile) ctx.set_verify(VERIFY_PEER|VERIFY_FAIL_IF_NO_PEER_CERT, self._verify) ctx.set_verify_depth(10) return ctx
def server_ok(serverarg, capath, timeout): "Check if the server is active and responsive" server_ctx = Context(TLSv1_METHOD) server_ctx.load_verify_locations(None, capath) def verify_cb(conn, cert, errnum, depth, ok): return ok server_ctx.set_verify(VERIFY_PEER|VERIFY_FAIL_IF_NO_PEER_CERT, verify_cb) serverarg = re.split("/*", serverarg)[1] if ':' in serverarg: serverarg = serverarg.split(':') server = serverarg[0] port = int(serverarg[1] if not '?' in serverarg[1] else serverarg[1].split('?')[0]) else: server = serverarg port = DEFAULT_PORT try: sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.connect((server, port)) server_conn = Connection(server_ctx, sock) server_conn.set_connect_state() try: def handler(signum, frame): raise socket.error([('Timeout', 'after', str(timeout) + 's')]) signal.signal(signal.SIGALRM, handler) signal.alarm(timeout) server_conn.do_handshake() signal.alarm(0) except socket.timeout as e: nagios_out('Critical', 'Connection error %s - %s' % (server + ':' + str(port), errmsg_from_excp(e)),2) server_conn.shutdown() server_conn.close() except (SSLError, socket.error) as e: if 'sslv3 alert handshake failure' in errmsg_from_excp(e): pass else: nagios_out('Critical', 'Connection error %s - %s' % (server + ':' + str(port), errmsg_from_excp(e)), 2) return True
def verify_servercert(host, timeout, capath): server_ctx = Context(TLSv1_METHOD) server_ctx.load_verify_locations(None, capath) server_cert_chain = [] def verify_cb(conn, cert, errnum, depth, ok): server_cert_chain.append(cert) return ok server_ctx.set_verify(VERIFY_PEER, verify_cb) sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.setblocking(1) sock.settimeout(timeout) sock.connect((host, 443)) server_conn = Connection(server_ctx, sock) server_conn.set_connect_state() def iosock_try(): ok = True try: server_conn.do_handshake() sleep(0.5) except SSLWantReadError as e: ok = False pass except Exception as e: raise e return ok try: while True: if iosock_try(): break global server_expire server_expire = server_cert_chain[-1].get_notAfter() except PyOpenSSLError as e: raise e finally: server_conn.shutdown() server_conn.close() return True
def _load_verify_locations_test(self, *args): port = socket() port.bind(('', 0)) port.listen(1) client = socket() client.setblocking(False) client.connect_ex(port.getsockname()) clientContext = Context(TLSv1_METHOD) clientContext.load_verify_locations(*args) # Require that the server certificate verify properly or the # connection will fail. clientContext.set_verify( VERIFY_PEER, lambda conn, cert, errno, depth, preverify_ok: preverify_ok) clientSSL = Connection(clientContext, client) clientSSL.set_connect_state() server, _ = port.accept() server.setblocking(False) serverContext = Context(TLSv1_METHOD) serverContext.use_certificate( load_certificate(FILETYPE_PEM, cleartextCertificatePEM)) serverContext.use_privatekey( load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM)) serverSSL = Connection(serverContext, server) serverSSL.set_accept_state() for i in range(3): for ssl in clientSSL, serverSSL: try: # Without load_verify_locations above, the handshake # will fail: # Error: [('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', # 'certificate verify failed')] ssl.do_handshake() except WantReadError: pass cert = clientSSL.get_peer_certificate() self.assertEqual(cert.get_subject().CN, 'Testing Root CA')
def _check_certificate(self, certificate): certificate = crypto.load_certificate( crypto.FILETYPE_PEM, certificate) serialnumber=certificate.get_serial_number() context = Context(TLSv1_METHOD) context.load_verify_locations(self.ca_crt) dev=False try: store = context.get_cert_store() # Create a certificate context using the store and the downloaded # certificate store_ctx = crypto.X509StoreContext(store, certificate) # Verify the certificate, returns None if it can validate the # certificate store_ctx.verify_certificate() dev=True except Exception as e: dev=False return dev
def _load_verify_locations_test(self, *args): (server, client) = socket_pair() clientContext = Context(TLSv1_METHOD) clientContext.load_verify_locations(*args) # Require that the server certificate verify properly or the # connection will fail. clientContext.set_verify( VERIFY_PEER, lambda conn, cert, errno, depth, preverify_ok: preverify_ok) clientSSL = Connection(clientContext, client) clientSSL.set_connect_state() serverContext = Context(TLSv1_METHOD) serverContext.use_certificate( load_certificate(FILETYPE_PEM, cleartextCertificatePEM)) serverContext.use_privatekey( load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM)) serverSSL = Connection(serverContext, server) serverSSL.set_accept_state() for i in range(3): for ssl in clientSSL, serverSSL: try: # Without load_verify_locations above, the handshake # will fail: # Error: [('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', # 'certificate verify failed')] ssl.do_handshake() except WantReadError: pass cert = clientSSL.get_peer_certificate() self.assertEqual(cert.get_subject().CN, 'Testing Root CA')
def verify_cert(host, capath, timeout, cncheck=True): server_ctx = Context(TLSv1_METHOD) server_cert_chain = [] server_ctx.load_verify_locations(None, capath) host = re.split("/*", host)[1] if ':' in host: host = host.split(':') server = host[0] port = int(host[1] if not '?' in host[1] else host[1].split('?')[0]) else: server = host port = 443 def verify_cb(conn, cert, errnum, depth, ok): server_cert_chain.append(cert) return ok server_ctx.set_verify(VERIFY_PEER, verify_cb) try: sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.setblocking(1) sock.settimeout(timeout) sock.connect((server, port)) except (socket.error, socket.timeout) as e: nagios_out('Critical', 'Connection error %s - %s' % (server + ':' + str(port), errmsg_from_excp(e)), 2) server_conn = Connection(server_ctx, sock) server_conn.set_connect_state() def iosock_try(): ok = True try: server_conn.do_handshake() sleep(0.5) except SSLWantReadError as e: ok = False pass except Exception as e: raise e return ok try: while True: if iosock_try(): break if cncheck: server_subject = server_cert_chain[-1].get_subject() if server != server_subject.CN: nagios_out('Critical', 'Server certificate CN %s does not match %s' % (server_subject.CN, server), 2) except SSLError as e: if 'sslv3 alert handshake failure' in errmsg_from_excp(e): pass else: nagios_out('Critical', 'Connection error %s - %s' % (server + ':' + str(port), errmsg_from_excp(e, level=1)), 2) finally: server_conn.shutdown() server_conn.close() return True
def verify_cert(host, capath, timeout, cncheck=True): server_ctx = Context(TLSv1_METHOD) server_cert_chain = [] server_ctx.load_verify_locations(None, capath) host = re.split("/*", host)[1] if ':' in host: host = host.split(':') server = host[0] port = int(host[1] if not '?' in host[1] else host[1].split('?')[0]) else: server = host port = 443 def verify_cb(conn, cert, errnum, depth, ok): server_cert_chain.append(cert) return ok server_ctx.set_verify(VERIFY_PEER, verify_cb) try: sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.setblocking(1) sock.settimeout(timeout) sock.connect((server, port)) except (socket.error, socket.timeout) as e: nagios_out( 'Critical', 'Connection error %s - %s' % (server + ':' + str(port), errmsg_from_excp(e)), 2) server_conn = Connection(server_ctx, sock) server_conn.set_connect_state() def iosock_try(): ok = True try: server_conn.do_handshake() sleep(0.5) except SSLWantReadError as e: ok = False pass except Exception as e: raise e return ok try: while True: if iosock_try(): break if cncheck: server_subject = server_cert_chain[-1].get_subject() if server != server_subject.CN: nagios_out( 'Critical', 'Server certificate CN %s does not match %s' % (server_subject.CN, server), 2) except SSLError as e: if 'sslv3 alert handshake failure' in errmsg_from_excp(e): pass else: nagios_out( 'Critical', 'Connection error %s - %s' % (server + ':' + str(port), errmsg_from_excp(e, level=1)), 2) finally: server_conn.shutdown() server_conn.close() return True