def __init__(self, sock=None, sslVersion=SSLV23, sslVerify=SSL_VERIFY_PEER, sslVerifyLocations=None): # A Python socket handles transmission of the data self._sock = sock self._handshakeDone = False # OpenSSL objects # SSL_CTX self._sslCtx = SSL_CTX(sslVersion) self._sslCtx.set_verify(sslVerify) if sslVerifyLocations: self._sslCtx.load_verify_locations(sslVerifyLocations) # SSL self._ssl = SSL(self._sslCtx) self._ssl.set_connect_state() # Specific servers do not reply to a client hello that is bigger than 255 bytes # See http://rt.openssl.org/Ticket/Display.html?id=2771&user=guest&pass=guest # So we make the default cipher list smaller (to make the client hello smaller) if sslVersion != SSLV2: # This makes SSLv2 fail self._ssl.set_cipher_list('HIGH:-aNULL:-eNULL:-3DES:-SRP:-PSK:-CAMELLIA') else: # Handshake workaround for SSL2 + IIS 7 self.do_handshake = self.do_ssl2_iis_handshake # BIOs self._internalBio = BIO() self._networkBio = BIO() # http://www.openssl.org/docs/crypto/BIO_s_bio.html BIO.make_bio_pair(self._internalBio, self._networkBio) self._ssl.set_bio(self._internalBio)
def __init__(self, sock=None, ssl_version=SSLV23, ssl_verify=SSL_VERIFY_PEER, ssl_verify_locations=None, client_certchain_file=None, client_key_file=None, client_key_type=SSL_FILETYPE_PEM, client_key_password='', ignore_client_authentication_requests=False): # A Python socket handles transmission of the data self._sock = sock self._is_handshake_completed = False self._client_CA_list = [] # OpenSSL objects # SSL_CTX self._ssl_ctx = SSL_CTX(ssl_version) self._ssl_ctx.set_verify(ssl_verify) if ssl_verify_locations: self._ssl_ctx.load_verify_locations(ssl_verify_locations) if client_certchain_file is not None: self._use_private_key(client_certchain_file, client_key_file, client_key_type, client_key_password) if ignore_client_authentication_requests: if client_certchain_file: raise ValueError( 'Cannot enable both client_certchain_file and ignore_client_authentication_requests' ) self._ssl_ctx.set_client_cert_cb_NULL() # SSL self._ssl = SSL(self._ssl_ctx) self._ssl.set_connect_state() # Specific servers do not reply to a client hello that is bigger than 255 bytes # See http://rt.openssl.org/Ticket/Display.html?id=2771&user=guest&pass=guest # So we make the default cipher list smaller (to make the client hello smaller) if ssl_version != SSLV2: # This makes SSLv2 fail self._ssl.set_cipher_list( 'HIGH:-aNULL:-eNULL:-3DES:-SRP:-PSK:-CAMELLIA') else: # Handshake workaround for SSL2 + IIS 7 self.do_handshake = self.do_ssl2_iis_handshake # BIOs self._internal_bio = BIO() self._network_bio = BIO() # http://www.openssl.org/docs/crypto/BIO_s_bio.html BIO.make_bio_pair(self._internal_bio, self._network_bio) self._ssl.set_bio(self._internal_bio)
def __init__(self, sock=None, ssl_version=SSLV23, ssl_verify=SSL_VERIFY_PEER, ssl_verify_locations=None, client_certchain_file=None, client_key_file=None, client_key_type=SSL_FILETYPE_PEM, client_key_password='', ignore_client_authentication_requests=False): # type: (socket.socket, int, int, str, str, str, int, str, bool) -> None # A Python socket handles transmission of the data self._sock = sock self._is_handshake_completed = False self._client_CA_list = [] # OpenSSL objects # SSL_CTX self._ssl_ctx = SSL_CTX(ssl_version) self._ssl_ctx.set_verify(ssl_verify) if ssl_verify_locations: self._ssl_ctx.load_verify_locations(ssl_verify_locations) if client_certchain_file is not None: self._use_private_key(client_certchain_file, client_key_file, client_key_type, client_key_password) if ignore_client_authentication_requests: if client_certchain_file: raise ValueError('Cannot enable both client_certchain_file and ignore_client_authentication_requests') self._ssl_ctx.set_client_cert_cb_NULL() # SSL self._ssl = SSL(self._ssl_ctx) self._ssl.set_connect_state() # Specific servers do not reply to a client hello that is bigger than 255 bytes # See http://rt.openssl.org/Ticket/Display.html?id=2771&user=guest&pass=guest # So we make the default cipher list smaller (to make the client hello smaller) if ssl_version != SSLV2: # This makes SSLv2 fail self._ssl.set_cipher_list('HIGH:-aNULL:-eNULL:-3DES:-SRP:-PSK:-CAMELLIA') else: # Handshake workaround for SSL2 + IIS 7 self.do_handshake = self.do_ssl2_iis_handshake # BIOs self._internal_bio = BIO() self._network_bio = BIO() # http://www.openssl.org/docs/crypto/BIO_s_bio.html BIO.make_bio_pair(self._internal_bio, self._network_bio) self._ssl.set_bio(self._internal_bio)
class SslClient(object): """ High level API implementing an insecure SSL client. """ def __init__(self, sock=None, sslVersion=SSLV23, sslVerify=SSL_VERIFY_PEER, sslVerifyLocations=None): # A Python socket handles transmission of the data self._sock = sock self._handshakeDone = False # OpenSSL objects # SSL_CTX self._sslCtx = SSL_CTX(sslVersion) self._sslCtx.set_verify(sslVerify) if sslVerifyLocations: self._sslCtx.load_verify_locations(sslVerifyLocations) # SSL self._ssl = SSL(self._sslCtx) self._ssl.set_connect_state() # Specific servers do not reply to a client hello that is bigger than 255 bytes # See http://rt.openssl.org/Ticket/Display.html?id=2771&user=guest&pass=guest # So we make the default cipher list smaller (to make the client hello smaller) if sslVersion != SSLV2: # This makes SSLv2 fail self._ssl.set_cipher_list('HIGH:-aNULL:-eNULL:-3DES:-SRP:-PSK:-CAMELLIA') else: # Handshake workaround for SSL2 + IIS 7 self.do_handshake = self.do_ssl2_iis_handshake # BIOs self._internalBio = BIO() self._networkBio = BIO() # http://www.openssl.org/docs/crypto/BIO_s_bio.html BIO.make_bio_pair(self._internalBio, self._networkBio) self._ssl.set_bio(self._internalBio) def do_handshake(self): if self._sock is None: # TODO: Auto create a socket ? raise IOError('Internal socket set to None; cannot perform handshake.') while True: try: if self._ssl.do_handshake() == 1: self._handshakeDone = True return True # Handshake was successful except WantReadError: # OpenSSL is expecting more data from the peer # Send available handshake data to the peer lenToRead = self._networkBio.pending() while lenToRead: # Get the data from the SSL engine handshakeDataOut = self._networkBio.read(lenToRead) # Send it to the peer self._sock.send(handshakeDataOut) lenToRead = self._networkBio.pending() # Recover the peer's encrypted response handshakeDataIn = self._sock.recv(DEFAULT_BUFFER_SIZE) if len(handshakeDataIn) == 0: raise IOError('Nassl SSL handshake failed: peer did not send data back.') # Pass the data to the SSL engine self._networkBio.write(handshakeDataIn) except WantX509LookupError: # Server asked for a client certificate and we didn't provide one raise ClientCertificateRequested(self._ssl.get_client_CA_list()) def do_ssl2_iis_handshake(self): if self._sock is None: # TODO: Auto create a socket ? raise IOError('Internal socket set to None; cannot perform handshake.') while True: try: if self._ssl.do_handshake() == 1: self._handshakeDone = True return True # Handshake was successful except WantReadError: # OpenSSL is expecting more data from the peer # Send available handshake data to the peer lenToRead = self._networkBio.pending() while lenToRead: # Get the data from the SSL engine handshakeDataOut = self._networkBio.read(lenToRead) if 'SSLv2 read server verify A' in self._ssl.state_string_long(): # Awful h4ck for SSLv2 when connecting to IIS7 (like in the 90s) # OpenSSL sends the client's CMK and data message in the same packet without # waiting for the server's response, causing IIS 7 to hang on the connection. # This workaround forces our client to send the CMK message, then wait for the server's # response, and then send the data packet if '\x02' in handshakeDataOut[2]: # Make sure we're looking at the CMK message cmkSize = handshakeDataOut[0:2] test1 = int(handshakeDataOut[0].encode('hex'), base=16) test2 = int(handshakeDataOut[1].encode('hex'), base=16) test1 = (test1 & 0x7f) << 8 size = test1 + test2 # Manually split the two records to force them to be sent separately cmkPacket = handshakeDataOut[0:size+2] dataPacket = handshakeDataOut[size+2::] self._sock.send(cmkPacket) handshakeDataIn = self._sock.recv(DEFAULT_BUFFER_SIZE) #print repr(handshakeDataIn) if len(handshakeDataIn) == 0: raise IOError('Nassl SSL handshake failed: peer did not send data back.') # Pass the data to the SSL engine self._networkBio.write(handshakeDataIn) handshakeDataOut = dataPacket # Send it to the peer self._sock.send(handshakeDataOut) lenToRead = self._networkBio.pending() handshakeDataIn = self._sock.recv(DEFAULT_BUFFER_SIZE) if len(handshakeDataIn) == 0: raise IOError('Nassl SSL handshake failed: peer did not send data back.') # Pass the data to the SSL engine self._networkBio.write(handshakeDataIn) except WantX509LookupError: # Server asked for a client certificate and we didn't provide one raise ClientCertificateRequested(self._ssl.get_client_CA_list()) def read(self, size): if not self._handshakeDone: raise IOError('SSL Handshake was not completed; cannot receive data.') while True: # Receive available encrypted data from the peer encData = self._sock.recv(DEFAULT_BUFFER_SIZE) # Pass it to the SSL engine self._networkBio.write(encData) try: # Try to read the decrypted data decData = self._ssl.read(size) return decData except WantReadError: # The SSL engine needs more data # before it can decrypt the whole message pass def write(self, data): """ Returns the number of (encrypted) bytes sent. """ if not self._handshakeDone: raise IOError('SSL Handshake was not completed; cannot send data.') # Pass the cleartext data to the SSL engine self._ssl.write(data) # Recover the corresponding encrypted data lenToRead = self._networkBio.pending() finalLen = lenToRead while lenToRead: encData = self._networkBio.read(lenToRead) # Send the encrypted data to the peer self._sock.send(encData) lenToRead = self._networkBio.pending() finalLen += lenToRead return finalLen def shutdown(self): self._handshakeDone = False try: self._ssl.shutdown() except OpenSSLError as e: # Ignore "uninitialized" exception if 'SSL_shutdown:uninitialized' not in str(e): raise def set_verify(self, verifyMode): """Set the OpenSSL verify mode.""" return self._ssl.set_verify(verifyMode) def set_tlsext_host_name(self, nameIndication): """Set the hostname within the Server Name Indication extension in the client SSL Hello.""" return self._ssl.set_tlsext_host_name(nameIndication) def get_peer_certificate(self): _x509 = self._ssl.get_peer_certificate() if _x509: return X509Certificate(_x509) else: return None def get_peer_cert_chain(self): """ See the OpenSSL documentation for differences between get_peer_cert_chain() and get_peer_certificate(). https://www.openssl.org/docs/ssl/SSL_get_peer_cert_chain.html """ _x509_list = self._ssl.get_peer_cert_chain() final_list = [] if _x509_list: for _x509 in _x509_list: final_list.append(X509Certificate(_x509)) return final_list def set_cipher_list(self, cipherList): return self._ssl.set_cipher_list(cipherList) def get_cipher_list(self): return self._ssl.get_cipher_list() def get_current_cipher_name(self): return self._ssl.get_cipher_name() def get_current_cipher_bits(self): return self._ssl.get_cipher_bits() def use_private_key(self, certFile, certType, keyFile, keyType, keyPassword=''): self._ssl.use_certificate_file(certFile, certType) if isinstance(keyPassword, basestring): self._sslCtx.set_private_key_password(keyPassword) else: raise TypeError('keyPassword is not a string') self._ssl.use_PrivateKey_file(keyFile, keyType) return self._ssl.check_private_key() def get_certificate_chain_verify_result(self): verifyResult = self._ssl.get_verify_result() verifyResultStr = X509.verify_cert_error_string(verifyResult) return verifyResult, verifyResultStr def set_tlsext_status_ocsp(self): """Enable the OCSP Stapling extension.""" return self._ssl.set_tlsext_status_type(TLSEXT_STATUSTYPE_ocsp) def get_tlsext_status_ocsp_resp(self): """Retrieve the server's OCSP Stapling status.""" ocspResp = self._ssl.get_tlsext_status_ocsp_resp() if ocspResp: return OcspResponse(ocspResp) else: return None
class SslClient(object): """ High level API implementing an insecure SSL client. """ def __init__(self, sock=None, sslVersion=SSLV23, sslVerify=SSL_VERIFY_PEER, sslVerifyLocations=None): # A Python socket handles transmission of the data self._sock = sock self._handshakeDone = False # OpenSSL objects # SSL_CTX self._sslCtx = SSL_CTX(sslVersion) self._sslCtx.set_verify(sslVerify) if sslVerifyLocations: self._sslCtx.load_verify_locations(sslVerifyLocations) # SSL self._ssl = SSL(self._sslCtx) self._ssl.set_connect_state() # Specific servers do not reply to a client hello that is bigger than 255 bytes # See http://rt.openssl.org/Ticket/Display.html?id=2771&user=guest&pass=guest # So we make the default cipher list smaller (to make the client hello smaller) if sslVersion != SSLV2: # This makes SSLv2 fail self._ssl.set_cipher_list( 'HIGH:-aNULL:-eNULL:-3DES:-SRP:-PSK:-CAMELLIA') # BIOs self._internalBio = BIO() self._networkBio = BIO() # http://www.openssl.org/docs/crypto/BIO_s_bio.html BIO.make_bio_pair(self._internalBio, self._networkBio) self._ssl.set_bio(self._internalBio) def do_handshake(self): if (self._sock == None): # TODO: Auto create a socket ? raise IOError( 'Internal socket set to None; cannot perform handshake.') while True: try: if self._ssl.do_handshake() == 1: self._handshakeDone = True return True # Handshake was successful except WantReadError: # OpenSSL is expecting more data from the peer # Send available handshake data to the peer lenToRead = self._networkBio.pending() while lenToRead: # Get the data from the SSL engine handshakeDataOut = self._networkBio.read(lenToRead) # Send it to the peer self._sock.send(handshakeDataOut) lenToRead = self._networkBio.pending() # Recover the peer's encrypted response handshakeDataIn = self._sock.recv(DEFAULT_BUFFER_SIZE) if len(handshakeDataIn) == 0: raise IOError( 'Nassl SSL handshake failed: peer did not send data back.' ) # Pass the data to the SSL engine self._networkBio.write(handshakeDataIn) except WantX509LookupError: # Server asked for a client certificate and we didn't provide one raise ClientCertificateRequested( self._ssl.get_client_CA_list()) def read(self, size): if (self._handshakeDone == False): raise IOError( 'SSL Handshake was not completed; cannot receive data.') while True: # Receive available encrypted data from the peer encData = self._sock.recv(DEFAULT_BUFFER_SIZE) # Pass it to the SSL engine self._networkBio.write(encData) try: # Try to read the decrypted data decData = self._ssl.read(size) return decData except WantReadError: # The SSL engine needs more data # before it can decrypt the whole message pass def write(self, data): """ Returns the number of (encrypted) bytes sent. """ if (self._handshakeDone == False): raise IOError('SSL Handshake was not completed; cannot send data.') # Pass the cleartext data to the SSL engine self._ssl.write(data) # Recover the corresponding encrypted data lenToRead = self._networkBio.pending() finalLen = lenToRead while lenToRead: encData = self._networkBio.read(lenToRead) # Send the encrypted data to the peer self._sock.send(encData) lenToRead = self._networkBio.pending() finalLen += lenToRead return finalLen def shutdown(self): self._handshakeDone = False try: self._ssl.shutdown() except OpenSSLError as e: # Ignore "uninitialized" exception if 'SSL_shutdown:uninitialized' not in str(e): raise def get_secure_renegotiation_support(self): return self._ssl.get_secure_renegotiation_support() def get_current_compression_method(self): return self._ssl.get_current_compression_method() @staticmethod def get_available_compression_methods(): """ Returns the list of SSL compression methods supported by SslClient. """ return SSL.get_available_compression_methods() def set_verify(self, verifyMode): return self._ssl.set_verify(verifyMode) def set_tlsext_host_name(self, nameIndication): return self._ssl.set_tlsext_host_name(nameIndication) def get_peer_certificate(self): _x509 = self._ssl.get_peer_certificate() if _x509: return X509Certificate(_x509) else: return None def set_cipher_list(self, cipherList): return self._ssl.set_cipher_list(cipherList) def get_cipher_list(self): return self._ssl.get_cipher_list() def get_current_cipher_name(self): return self._ssl.get_cipher_name() def get_current_cipher_bits(self): return self._ssl.get_cipher_bits() def use_private_key(self, certFile, certType, keyFile, keyType, keyPassword=''): self._ssl.use_certificate_file(certFile, certType) if isinstance(keyPassword, basestring): self._sslCtx.set_private_key_password(keyPassword) else: raise TypeError('keyPassword is not a string') self._ssl.use_PrivateKey_file(keyFile, keyType) return self._ssl.check_private_key() def get_certificate_chain_verify_result(self): verifyResult = self._ssl.get_verify_result() verifyResultStr = X509.verify_cert_error_string(verifyResult) return (verifyResult, verifyResultStr) def do_renegotiate(self): if (self._handshakeDone == False): raise IOError( 'SSL Handshake was not completed; cannot renegotiate.') self._ssl.renegotiate() return self.do_handshake() def get_session(self): return self._ssl.get_session() def set_session(self, sslSession): return self._ssl.set_session(sslSession) def set_options(self, options): return self._ssl.set_options(options) def set_tlsext_status_ocsp(self): return self._ssl.set_tlsext_status_type(TLSEXT_STATUSTYPE_ocsp) def get_tlsext_status_ocsp_resp(self): ocspResp = self._ssl.get_tlsext_status_ocsp_resp() if ocspResp: return OcspResponse(ocspResp) else: return None
class SslClient(object): """ High level API implementing an insecure SSL client. """ def __init__(self, sock=None, sslVersion=SSLV23, sslVerify=SSL_VERIFY_PEER, sslVerifyLocations=None): # A Python socket handles transmission of the data self._sock = sock self._handshakeDone = False # OpenSSL objects # SSL_CTX self._sslCtx = SSL_CTX(sslVersion) self._sslCtx.set_verify(sslVerify) if sslVerifyLocations: self._sslCtx.load_verify_locations(sslVerifyLocations) # SSL self._ssl = SSL(self._sslCtx) self._ssl.set_connect_state() # Specific servers do not reply to a client hello that is bigger than 255 bytes # See http://rt.openssl.org/Ticket/Display.html?id=2771&user=guest&pass=guest # So we make the default cipher list smaller (to make the client hello smaller) if sslVersion != SSLV2: # This makes SSLv2 fail self._ssl.set_cipher_list('HIGH:-aNULL:-eNULL:-3DES:-SRP:-PSK:-CAMELLIA') # BIOs self._internalBio = BIO() self._networkBio = BIO() # http://www.openssl.org/docs/crypto/BIO_s_bio.html BIO.make_bio_pair(self._internalBio, self._networkBio) self._ssl.set_bio(self._internalBio) def do_handshake(self): if self._sock is None: # TODO: Auto create a socket ? raise IOError('Internal socket set to None; cannot perform handshake.') while True: try: if self._ssl.do_handshake() == 1: self._handshakeDone = True return True # Handshake was successful except WantReadError: # OpenSSL is expecting more data from the peer # Send available handshake data to the peer lenToRead = self._networkBio.pending() while lenToRead: # Get the data from the SSL engine handshakeDataOut = self._networkBio.read(lenToRead) # Send it to the peer self._sock.send(handshakeDataOut) lenToRead = self._networkBio.pending() # Recover the peer's encrypted response handshakeDataIn = self._sock.recv(DEFAULT_BUFFER_SIZE) if len(handshakeDataIn) == 0: raise IOError('Nassl SSL handshake failed: peer did not send data back.') # Pass the data to the SSL engine self._networkBio.write(handshakeDataIn) except WantX509LookupError: # Server asked for a client certificate and we didn't provide one raise ClientCertificateRequested(self._ssl.get_client_CA_list()) def read(self, size): if not self._handshakeDone: raise IOError('SSL Handshake was not completed; cannot receive data.') while True: # Receive available encrypted data from the peer encData = self._sock.recv(DEFAULT_BUFFER_SIZE) # Pass it to the SSL engine self._networkBio.write(encData) try: # Try to read the decrypted data decData = self._ssl.read(size) return decData except WantReadError: # The SSL engine needs more data # before it can decrypt the whole message pass def write(self, data): """ Returns the number of (encrypted) bytes sent. """ if not self._handshakeDone: raise IOError('SSL Handshake was not completed; cannot send data.') # Pass the cleartext data to the SSL engine self._ssl.write(data) # Recover the corresponding encrypted data lenToRead = self._networkBio.pending() finalLen = lenToRead while lenToRead: encData = self._networkBio.read(lenToRead) # Send the encrypted data to the peer self._sock.send(encData) lenToRead = self._networkBio.pending() finalLen += lenToRead return finalLen def shutdown(self): self._handshakeDone = False try: self._ssl.shutdown() except OpenSSLError as e: # Ignore "uninitialized" exception if 'SSL_shutdown:uninitialized' not in str(e): raise def get_secure_renegotiation_support(self): return self._ssl.get_secure_renegotiation_support() def get_current_compression_method(self): return self._ssl.get_current_compression_method() @staticmethod def get_available_compression_methods(): """ Returns the list of SSL compression methods supported by SslClient. """ return SSL.get_available_compression_methods() def set_verify(self, verifyMode): return self._ssl.set_verify(verifyMode) def set_tlsext_host_name(self, nameIndication): return self._ssl.set_tlsext_host_name(nameIndication) def get_peer_certificate(self): _x509 = self._ssl.get_peer_certificate() if _x509: return X509Certificate(_x509) else: return None def set_cipher_list(self, cipherList): return self._ssl.set_cipher_list(cipherList) def get_cipher_list(self): return self._ssl.get_cipher_list() def get_current_cipher_name(self): return self._ssl.get_cipher_name() def get_current_cipher_bits(self): return self._ssl.get_cipher_bits() def use_private_key(self, certFile, certType, keyFile, keyType, keyPassword=''): self._ssl.use_certificate_file(certFile, certType) if isinstance(keyPassword, basestring): self._sslCtx.set_private_key_password(keyPassword) else: raise TypeError('keyPassword is not a string') self._ssl.use_PrivateKey_file(keyFile, keyType) return self._ssl.check_private_key() def get_certificate_chain_verify_result(self): verifyResult = self._ssl.get_verify_result() verifyResultStr = X509.verify_cert_error_string(verifyResult) return verifyResult, verifyResultStr def do_renegotiate(self): if not self._handshakeDone: raise IOError('SSL Handshake was not completed; cannot renegotiate.') self._ssl.renegotiate() return self.do_handshake() def get_session(self): return self._ssl.get_session() def set_session(self, sslSession): return self._ssl.set_session(sslSession) def set_options(self, options): return self._ssl.set_options(options) def set_tlsext_status_ocsp(self): return self._ssl.set_tlsext_status_type(TLSEXT_STATUSTYPE_ocsp) def get_tlsext_status_ocsp_resp(self): ocspResp = self._ssl.get_tlsext_status_ocsp_resp() if ocspResp: return OcspResponse(ocspResp) else: return None
class SslClient(object): """High level API implementing an SSL client. """ _DEFAULT_BUFFER_SIZE = 4096 def __init__( self, sock=None, # type: Optional[socket.socket] ssl_version=OpenSslVersionEnum.SSLV23, # type: OpenSslVersionEnum ssl_verify=OpenSslVerifyEnum.PEER, # type: OpenSslVerifyEnum ssl_verify_locations=None, # type: Optional[Text] client_certchain_file=None, # type: Optional[Text] client_key_file=None, # type: Optional[Text] client_key_type=OpenSslFileTypeEnum.PEM, # type: OpenSslFileTypeEnum client_key_password='', # type: Text ignore_client_authentication_requests=False # type: bool ): # type: (...) -> None # A Python socket handles transmission of the data self._sock = sock self._is_handshake_completed = False self._client_CA_list = [] # OpenSSL objects # SSL_CTX self._ssl_ctx = SSL_CTX(ssl_version.value) self._ssl_ctx.set_verify(ssl_verify.value) if ssl_verify_locations: # Ensure the file exists with open(ssl_verify_locations): pass self._ssl_ctx.load_verify_locations(ssl_verify_locations) if client_certchain_file is not None: self._use_private_key(client_certchain_file, client_key_file, client_key_type.value, client_key_password) if ignore_client_authentication_requests: if client_certchain_file: raise ValueError( 'Cannot enable both client_certchain_file and ignore_client_authentication_requests' ) self._ssl_ctx.set_client_cert_cb_NULL() # SSL self._ssl = SSL(self._ssl_ctx) self._ssl.set_connect_state() # Specific servers do not reply to a client hello that is bigger than 255 bytes # See http://rt.openssl.org/Ticket/Display.html?id=2771&user=guest&pass=guest # So we make the default cipher list smaller (to make the client hello smaller) if ssl_version != OpenSslVersionEnum.SSLV2: # This makes SSLv2 fail self._ssl.set_cipher_list( 'HIGH:-aNULL:-eNULL:-3DES:-SRP:-PSK:-CAMELLIA') else: # Handshake workaround for SSL2 + IIS 7 self.do_handshake = self.do_ssl2_iis_handshake # BIOs self._internal_bio = BIO() self._network_bio = BIO() # http://www.openssl.org/docs/crypto/BIO_s_bio.html BIO.make_bio_pair(self._internal_bio, self._network_bio) self._ssl.set_bio(self._internal_bio) def do_handshake(self): # type: () -> None if self._sock is None: # TODO: Auto create a socket ? raise IOError( 'Internal socket set to None; cannot perform handshake.') while True: try: self._ssl.do_handshake() self._is_handshake_completed = True # Handshake was successful return except WantReadError: # OpenSSL is expecting more data from the peer # Send available handshake data to the peer self._flush_ssl_engine() # Recover the peer's encrypted response handshake_data_in = self._sock.recv(self._DEFAULT_BUFFER_SIZE) if len(handshake_data_in) == 0: raise IOError( 'Nassl SSL handshake failed: peer did not send data back.' ) # Pass the data to the SSL engine self._network_bio.write(handshake_data_in) except WantX509LookupError: # Server asked for a client certificate and we didn't provide one raise ClientCertificateRequested(self.get_client_CA_list()) def do_ssl2_iis_handshake(self): # type: () -> None if self._sock is None: # TODO: Auto create a socket ? raise IOError( 'Internal socket set to None; cannot perform handshake.') while True: try: self._ssl.do_handshake() self._is_handshake_completed = True # Handshake was successful return except WantReadError: # OpenSSL is expecting more data from the peer # Send available handshake data to the peer lengh_to_read = self._network_bio.pending() while lengh_to_read: # Get the data from the SSL engine handshake_data_out = self._network_bio.read(lengh_to_read) if 'SSLv2 read server verify A' in self._ssl.state_string_long( ): # Awful h4ck for SSLv2 when connecting to IIS7 (like in the 90s) # OpenSSL sends the client's CMK and data message in the same packet without # waiting for the server's response, causing IIS 7 to hang on the connection. # This workaround forces our client to send the CMK message, then wait for the server's # response, and then send the data packet if '\x02' in handshake_data_out[ 2]: # Make sure we're looking at the CMK message # cmk_size = handshake_data_out[0:2] test1 = int(handshake_data_out[0].encode('hex'), base=16) test2 = int(handshake_data_out[1].encode('hex'), base=16) test1 = (test1 & 0x7f) << 8 size = test1 + test2 # Manually split the two records to force them to be sent separately cmk_packet = handshake_data_out[0:size + 2] data_packet = handshake_data_out[size + 2::] self._sock.send(cmk_packet) handshake_data_in = self._sock.recv( self._DEFAULT_BUFFER_SIZE) # print repr(handshake_data_in) if len(handshake_data_in) == 0: raise IOError( 'Nassl SSL handshake failed: peer did not send data back.' ) # Pass the data to the SSL engine self._network_bio.write(handshake_data_in) handshake_data_out = data_packet # Send it to the peer self._sock.send(handshake_data_out) lengh_to_read = self._network_bio.pending() handshake_data_in = self._sock.recv(self._DEFAULT_BUFFER_SIZE) if len(handshake_data_in) == 0: raise IOError( 'Nassl SSL handshake failed: peer did not send data back.' ) # Pass the data to the SSL engine self._network_bio.write(handshake_data_in) except WantX509LookupError: # Server asked for a client certificate and we didn't provide one raise ClientCertificateRequested(self.get_client_CA_list()) def read(self, size): # type: (int) -> bytes if not self._is_handshake_completed: raise IOError( 'SSL Handshake was not completed; cannot receive data.') while True: # Receive available encrypted data from the peer encrypted_data = self._sock.recv(self._DEFAULT_BUFFER_SIZE) if len(encrypted_data) == 0: raise IOError('Could not read() - peer closed the connection.') # Pass it to the SSL engine self._network_bio.write(encrypted_data) try: # Try to read the decrypted data decrypted_data = self._ssl.read(size) return decrypted_data except WantReadError: # The SSL engine needs more data # before it can decrypt the whole message pass def write(self, data): # type: (bytes) -> int """Returns the number of (encrypted) bytes sent. """ if not self._is_handshake_completed: raise IOError('SSL Handshake was not completed; cannot send data.') # Pass the cleartext data to the SSL engine self._ssl.write(data) # Recover the corresponding encrypted data final_length = self._flush_ssl_engine() return final_length def _flush_ssl_engine(self): # type: () -> int length_to_read = self._network_bio.pending() final_length = length_to_read while length_to_read: encrypted_data = self._network_bio.read(length_to_read) # Send the encrypted data to the peer self._sock.send(encrypted_data) length_to_read = self._network_bio.pending() final_length += length_to_read return final_length def shutdown(self): # type: () -> None self._is_handshake_completed = False try: self._ssl.shutdown() self._flush_ssl_engine() except OpenSSLError as e: # Ignore "uninitialized" exception if 'SSL_shutdown:uninitialized' not in str( e) and 'shutdown while in init' not in str(e): raise def set_tlsext_host_name(self, name_indication): # type: (Text) -> None """Set the hostname within the Server Name Indication extension in the client SSL Hello. """ self._ssl.set_tlsext_host_name(name_indication) def get_peer_certificate(self): # type: () -> Optional[X509Certificate] _x509 = self._ssl.get_peer_certificate() if _x509: return X509Certificate(_x509) else: return None def get_peer_cert_chain(self): # type: () -> List[X509Certificate] """See the OpenSSL documentation for differences between get_peer_cert_chain() and get_peer_certificate(). https://www.openssl.org/docs/ssl/SSL_get_peer_cert_chain.html """ x509_list = self._ssl.get_peer_cert_chain() final_list = [] if x509_list: for x509_cert in x509_list: final_list.append(X509Certificate(x509_cert)) return final_list def set_cipher_list(self, cipher_list): # type: (Text) -> None self._ssl.set_cipher_list(cipher_list) def get_cipher_list(self): # type: () -> List[Text] return self._ssl.get_cipher_list() def get_current_cipher_name(self): # type: () -> Text return self._ssl.get_cipher_name() def get_current_cipher_bits(self): # type: () -> int return self._ssl.get_cipher_bits() def _use_private_key(self, client_certchain_file, client_key_file, client_key_type, client_key_password): # type: (Text, Text, OpenSslFileTypeEnum, Text) -> None """The certificate chain file must be in PEM format. Private method because it should be set via the constructor. """ # Ensure the files exist with open(client_certchain_file): pass with open(client_key_file): pass self._ssl_ctx.use_certificate_chain_file(client_certchain_file) self._ssl_ctx.set_private_key_password(client_key_password) try: self._ssl_ctx.use_PrivateKey_file(client_key_file, client_key_type.value) except OpenSSLError as e: if 'bad password read' in str(e) or 'bad decrypt' in str(e): raise ValueError('Invalid Private Key') else: raise self._ssl_ctx.check_private_key() def get_certificate_chain_verify_result(self): # type: () -> Tuple[int, Text] verify_result = self._ssl.get_verify_result() verify_result_str = X509.verify_cert_error_string(verify_result) return verify_result, verify_result_str _TLSEXT_STATUSTYPE_ocsp = 1 def set_tlsext_status_ocsp(self): # type: () -> None """Enable the OCSP Stapling extension. """ self._ssl.set_tlsext_status_type(self._TLSEXT_STATUSTYPE_ocsp) def get_tlsext_status_ocsp_resp(self): # type: () -> Optional[OcspResponse] """Retrieve the server's OCSP Stapling status. """ ocsp_response = self._ssl.get_tlsext_status_ocsp_resp() if ocsp_response: return OcspResponse(ocsp_response) else: return None def get_client_CA_list(self): # type: () -> List[Text] if not self._client_CA_list: self._client_CA_list = self._ssl.get_client_CA_list() return self._client_CA_list
class SslClient(object): """High level API implementing an SSL client. """ def __init__(self, sock=None, ssl_version=SSLV23, ssl_verify=SSL_VERIFY_PEER, ssl_verify_locations=None, client_certchain_file=None, client_key_file=None, client_key_type=SSL_FILETYPE_PEM, client_key_password='', ignore_client_authentication_requests=False): # type: (socket.socket, int, int, str, str, str, int, str, bool) -> None # A Python socket handles transmission of the data self._sock = sock self._is_handshake_completed = False self._client_CA_list = [] # OpenSSL objects # SSL_CTX self._ssl_ctx = SSL_CTX(ssl_version) self._ssl_ctx.set_verify(ssl_verify) if ssl_verify_locations: self._ssl_ctx.load_verify_locations(ssl_verify_locations) if client_certchain_file is not None: self._use_private_key(client_certchain_file, client_key_file, client_key_type, client_key_password) if ignore_client_authentication_requests: if client_certchain_file: raise ValueError('Cannot enable both client_certchain_file and ignore_client_authentication_requests') self._ssl_ctx.set_client_cert_cb_NULL() # SSL self._ssl = SSL(self._ssl_ctx) self._ssl.set_connect_state() # Specific servers do not reply to a client hello that is bigger than 255 bytes # See http://rt.openssl.org/Ticket/Display.html?id=2771&user=guest&pass=guest # So we make the default cipher list smaller (to make the client hello smaller) if ssl_version != SSLV2: # This makes SSLv2 fail self._ssl.set_cipher_list('HIGH:-aNULL:-eNULL:-3DES:-SRP:-PSK:-CAMELLIA') else: # Handshake workaround for SSL2 + IIS 7 self.do_handshake = self.do_ssl2_iis_handshake # BIOs self._internal_bio = BIO() self._network_bio = BIO() # http://www.openssl.org/docs/crypto/BIO_s_bio.html BIO.make_bio_pair(self._internal_bio, self._network_bio) self._ssl.set_bio(self._internal_bio) def do_handshake(self): # type: () -> None if self._sock is None: # TODO: Auto create a socket ? raise IOError('Internal socket set to None; cannot perform handshake.') while True: try: self._ssl.do_handshake() self._is_handshake_completed = True # Handshake was successful return except WantReadError: # OpenSSL is expecting more data from the peer # Send available handshake data to the peer self._flush_ssl_engine() # Recover the peer's encrypted response handshake_data_in = self._sock.recv(DEFAULT_BUFFER_SIZE) if len(handshake_data_in) == 0: raise IOError('Nassl SSL handshake failed: peer did not send data back.') # Pass the data to the SSL engine self._network_bio.write(handshake_data_in) except WantX509LookupError: # Server asked for a client certificate and we didn't provide one raise ClientCertificateRequested(self.get_client_CA_list()) def do_ssl2_iis_handshake(self): # type: () -> None if self._sock is None: # TODO: Auto create a socket ? raise IOError('Internal socket set to None; cannot perform handshake.') while True: try: self._ssl.do_handshake() self._is_handshake_completed = True # Handshake was successful return except WantReadError: # OpenSSL is expecting more data from the peer # Send available handshake data to the peer lengh_to_read = self._network_bio.pending() while lengh_to_read: # Get the data from the SSL engine handshake_data_out = self._network_bio.read(lengh_to_read) if 'SSLv2 read server verify A' in self._ssl.state_string_long(): # Awful h4ck for SSLv2 when connecting to IIS7 (like in the 90s) # OpenSSL sends the client's CMK and data message in the same packet without # waiting for the server's response, causing IIS 7 to hang on the connection. # This workaround forces our client to send the CMK message, then wait for the server's # response, and then send the data packet if '\x02' in handshake_data_out[2]: # Make sure we're looking at the CMK message # cmk_size = handshake_data_out[0:2] test1 = int(handshake_data_out[0].encode('hex'), base=16) test2 = int(handshake_data_out[1].encode('hex'), base=16) test1 = (test1 & 0x7f) << 8 size = test1 + test2 # Manually split the two records to force them to be sent separately cmk_packet = handshake_data_out[0:size+2] data_packet = handshake_data_out[size+2::] self._sock.send(cmk_packet) handshake_data_in = self._sock.recv(DEFAULT_BUFFER_SIZE) # print repr(handshake_data_in) if len(handshake_data_in) == 0: raise IOError('Nassl SSL handshake failed: peer did not send data back.') # Pass the data to the SSL engine self._network_bio.write(handshake_data_in) handshake_data_out = data_packet # Send it to the peer self._sock.send(handshake_data_out) lengh_to_read = self._network_bio.pending() handshake_data_in = self._sock.recv(DEFAULT_BUFFER_SIZE) if len(handshake_data_in) == 0: raise IOError('Nassl SSL handshake failed: peer did not send data back.') # Pass the data to the SSL engine self._network_bio.write(handshake_data_in) except WantX509LookupError: # Server asked for a client certificate and we didn't provide one raise ClientCertificateRequested(self.get_client_CA_list()) def read(self, size): # type: (int) -> str if not self._is_handshake_completed: raise IOError('SSL Handshake was not completed; cannot receive data.') while True: # Receive available encrypted data from the peer encrypted_data = self._sock.recv(DEFAULT_BUFFER_SIZE) if len(encrypted_data) == 0: raise IOError('Could not read() - peer closed the connection.') # Pass it to the SSL engine self._network_bio.write(encrypted_data) try: # Try to read the decrypted data decrypted_data = self._ssl.read(size) return decrypted_data except WantReadError: # The SSL engine needs more data # before it can decrypt the whole message pass def write(self, data): # type: (str) -> int """Returns the number of (encrypted) bytes sent. """ if not self._is_handshake_completed: raise IOError('SSL Handshake was not completed; cannot send data.') # Pass the cleartext data to the SSL engine self._ssl.write(data) # Recover the corresponding encrypted data final_length = self._flush_ssl_engine() return final_length def _flush_ssl_engine(self): # type: () -> int length_to_read = self._network_bio.pending() final_length = length_to_read while length_to_read: encrypted_data = self._network_bio.read(length_to_read) # Send the encrypted data to the peer self._sock.send(encrypted_data) length_to_read = self._network_bio.pending() final_length += length_to_read return final_length def shutdown(self): # type: () -> None self._is_handshake_completed = False try: self._ssl.shutdown() self._flush_ssl_engine() except OpenSSLError as e: # Ignore "uninitialized" exception if 'SSL_shutdown:uninitialized' not in str(e) and 'shutdown while in init' not in str(e): raise def _set_verify(self, verify_mode): # type: (int) -> None """Set the OpenSSL verify mode. Private method because it should be set via the constructor. """ self._ssl._set_verify(verify_mode) def set_tlsext_host_name(self, name_indication): # type: (str) -> None """Set the hostname within the Server Name Indication extension in the client SSL Hello. """ self._ssl.set_tlsext_host_name(name_indication) def get_peer_certificate(self): # type: () -> Optional[X509Certificate] _x509 = self._ssl.get_peer_certificate() if _x509: return X509Certificate(_x509) else: return None def get_peer_cert_chain(self): # type: () -> List[X509Certificate] """See the OpenSSL documentation for differences between get_peer_cert_chain() and get_peer_certificate(). https://www.openssl.org/docs/ssl/SSL_get_peer_cert_chain.html """ x509_list = self._ssl.get_peer_cert_chain() final_list = [] if x509_list: for x509_cert in x509_list: final_list.append(X509Certificate(x509_cert)) return final_list def set_cipher_list(self, cipher_list): # type: (str) -> None self._ssl.set_cipher_list(cipher_list) def get_cipher_list(self): # type: () -> List[str] return self._ssl.get_cipher_list() def get_current_cipher_name(self): # type: () -> str return self._ssl.get_cipher_name() def get_current_cipher_bits(self): # type: () -> int return self._ssl.get_cipher_bits() def _use_private_key(self, client_certchain_file, client_key_file, client_key_type, client_key_password): # type: (str, str, int, str) -> None """The certificate chain file must be in PEM format. Private method because it should be set via the constructor. """ self._ssl_ctx.use_certificate_chain_file(client_certchain_file) if isinstance(client_key_password, basestring): self._ssl_ctx.set_private_key_password(client_key_password) else: raise TypeError('client_key_password is not a string') try: self._ssl_ctx.use_PrivateKey_file(client_key_file, client_key_type) except OpenSSLError as e: if 'bad password read' in str(e) or 'bad decrypt' in str(e): raise ValueError('Invalid Private Key') else: raise self._ssl_ctx.check_private_key() def get_certificate_chain_verify_result(self): # type: () -> Tuple[int, str] verify_result = self._ssl.get_verify_result() verify_result_str = X509.verify_cert_error_string(verify_result) return verify_result, verify_result_str def set_tlsext_status_ocsp(self): # type: () -> None """Enable the OCSP Stapling extension. """ self._ssl.set_tlsext_status_type(TLSEXT_STATUSTYPE_ocsp) def get_tlsext_status_ocsp_resp(self): # type: () -> Optional[OcspResponse] """Retrieve the server's OCSP Stapling status. """ ocsp_response = self._ssl.get_tlsext_status_ocsp_resp() if ocsp_response: return OcspResponse(ocsp_response) else: return None def get_client_CA_list(self): # type: () -> List[str] if not self._client_CA_list: self._client_CA_list = self._ssl.get_client_CA_list() return self._client_CA_list def set_mode(self, mode): # type: (int) -> None self._ssl.set_mode(mode)