def setUp(self): sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.settimeout(5) sock.connect(("www.google.com", 443)) ssl_client = DebugSslClient(ssl_version=SSLV23, sock=sock, ssl_verify=SSL_VERIFY_NONE) ssl_client.set_cipher_list('ECDH') # Needed for test_get_ecdh_param() ssl_client.do_handshake() self.ssl_client = ssl_client
def test_ignore_client_authentication_requests(self): sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.settimeout(10) sock.connect(("auth.startssl.com", 443)) ssl_client = DebugSslClient(ssl_version=SSLV23, sock=sock, ssl_verify=SSL_VERIFY_NONE, ignore_client_authentication_requests=True) ssl_client.do_handshake() self.assertGreater(ssl_client.get_client_CA_list(), 2)
import sys sys.path.insert(1, os.path.join(os.path.dirname(__file__), u'lib')) from nassl.ssl_client import OpenSslVersionEnum import socket from nassl.debug_ssl_client import DebugSslClient sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.settimeout(5) sock.connect((u'www.yahoo.com', 443)) ssl_client = DebugSslClient(ssl_version=OpenSslVersionEnum.TLSV1_2, sock=sock, ssl_verify_locations=u'mozilla.pem') ssl_client.set_tlsext_status_ocsp() ssl_client.do_handshake() print(u'Certificate chain') for cert in ssl_client.get_peer_cert_chain(): print(cert.as_dict()[u'subject'][u'commonName']) ocsp_resp = ssl_client.get_tlsext_status_ocsp_resp() print(ocsp_resp.verify(u'mozilla.pem')) print(u'\nCipher suite') print(ssl_client.get_current_cipher_name()) print(u'\nHTTP response') ssl_client.write( b'GET / HTTP/1.0\r\nUser-Agent: Test\r\nHost: www.google.com\r\n\r\n') print(ssl_client.read(2048))
#!/usr/bin/python2.7 import socket from nassl import TLSV1, SSL_VERIFY_NONE from nassl.debug_ssl_client import DebugSslClient sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.settimeout(5) sock.connect(("www.google.com", 443)) ssl_client = DebugSslClient(ssl_version=TLSV1, sock=sock, ssl_verify=SSL_VERIFY_NONE) ssl_client.do_handshake() print 'Certificate chain' for cert in ssl_client.get_peer_cert_chain(): print cert.as_dict()['subject']['commonName'] print '\nCipher suite' print ssl_client.get_current_cipher_name() print '\nHTTP response' ssl_client.write('GET / HTTP/1.0\r\nUser-Agent: Test\r\nHost: www.google.com\r\n\r\n') print ssl_client.read(2048)
class SSLConnection(object): """Base SSL connection class which leverages an nassl.SslClient for performing the SSL handshake. """ # The following errors mean that the server explicitly rejected the handshake. The goal to differentiate rejected # handshakes from random network errors such as the server going offline, etc. HANDSHAKE_REJECTED_SOCKET_ERRORS = {'was forcibly closed': 'Received FIN', 'reset by peer': 'Received RST'} HANDSHAKE_REJECTED_SSL_ERRORS = {'sslv3 alert handshake failure': 'Alert handshake failure', 'no ciphers available': 'No ciphers available', 'excessive message size': 'Excessive message size', 'bad mac decode': 'Bad mac decode', 'wrong version number': 'Wrong version number', 'no cipher match': 'No cipher match', 'bad decompression': 'Bad decompression', 'peer error no cipher': 'Peer error no cipher', 'no cipher list': 'No ciphers list', 'insufficient security': 'Insufficient security', 'block type is not 01': 'block type is not 01', # Actually an RSA error 'tlsv1 alert protocol version': 'Alert: protocol version '} # Constants for tunneling the traffic through a proxy HTTP_CONNECT_REQ = 'CONNECT {0}:{1} HTTP/1.1\r\n\r\n' HTTP_CONNECT_REQ_PROXY_AUTH_BASIC = 'CONNECT {0}:{1} HTTP/1.1\r\nProxy-Authorization: Basic {2}\r\n\r\n' # Errors caused by the proxy ERR_CONNECT_REJECTED = 'The proxy rejected the CONNECT request for this host' ERR_PROXY_OFFLINE = 'Could not connect to the proxy: "{0}"' # Restrict cipher list to make the client hello smaller so we don't run into # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=665452 DEFAULT_SSL_CIPHER_LIST = 'HIGH:MEDIUM:-aNULL:-eNULL:-3DES:-SRP:-PSK:-CAMELLIA' # Default socket settings global to all SSLyze connections; can be overridden NETWORK_MAX_RETRIES = 3 NETWORK_TIMEOUT = 5 @classmethod def set_global_network_settings(cls, network_max_retries, network_timeout): # Not thread-safe cls.NETWORK_MAX_RETRIES = network_max_retries cls.NETWORK_TIMEOUT = network_timeout def __init__(self, hostname, # type: Text ip_address, # type: Text port, # type: int ssl_version, # type: OpenSslVersionEnum ssl_verify_locations=None, # type: Optional[Text] client_auth_creds=None, # type: Optional[ClientAuthenticationCredentials] should_ignore_client_auth=False # type: bool ): # type: (...) -> None if client_auth_creds: # A client certificate and private key were provided self.ssl_client = DebugSslClient(ssl_version=ssl_version, ssl_verify=OpenSslVerifyEnum.NONE, ssl_verify_locations=ssl_verify_locations, client_certchain_file=client_auth_creds.client_certificate_chain_path, client_key_file=client_auth_creds.client_key_path, client_key_type=client_auth_creds.client_key_type, client_key_password=client_auth_creds.client_key_password, ignore_client_authentication_requests=False) else: # No client cert and key self.ssl_client = DebugSslClient(ssl_version=ssl_version, ssl_verify=OpenSslVerifyEnum.NONE, ssl_verify_locations=ssl_verify_locations, ignore_client_authentication_requests=should_ignore_client_auth) self.ssl_client.set_cipher_list(self.DEFAULT_SSL_CIPHER_LIST) self._hostname = hostname self._ip_address = ip_address self._port = port # Can be set later self._tunnel_host = None self._tunnel_port = None self._tunnel_basic_auth_token = None def enable_http_connect_tunneling(self, tunnel_host, tunnel_port, tunnel_user=None, tunnel_password=None): # type: (Text, int, Optional[Text], Optional[Text]) -> None """Proxy the traffic through an HTTP Connect proxy. """ self._tunnel_host = tunnel_host self._tunnel_port = tunnel_port self._tunnel_basic_auth_token = None if tunnel_user is not None: self._tunnel_basic_auth_token = b64encode( '{0}:{1}'.format(quote(tunnel_user), quote(tunnel_password)).encode('utf-8') ) def write(self, data): # type: (bytes) -> int return self.ssl_client.write(data) def read(self, size): # type: (int) -> bytes return self.ssl_client.read(size) def do_pre_handshake(self, network_timeout): # type: (int) -> socket """Open a socket to the server; setup HTTP tunneling if a proxy was configured. """ if self._tunnel_host: # Proxy configured; setup HTTP tunneling try: sock = socket.create_connection((self._tunnel_host, self._tunnel_port), network_timeout) except socket.timeout as e: raise ProxyError(self.ERR_PROXY_OFFLINE.format(str(e))) except socket.error as e: raise ProxyError(self.ERR_PROXY_OFFLINE.format(str(e))) # Send a CONNECT request with the host we want to tunnel to if self._tunnel_basic_auth_token is None: sock.send(self.HTTP_CONNECT_REQ.format(self._hostname, self._port).encode('utf-8')) else: sock.send(self.HTTP_CONNECT_REQ_PROXY_AUTH_BASIC.format(self._hostname, self._port, self._tunnel_basic_auth_token).encode('utf-8')) http_response = HttpResponseParser.parse(sock) # Check if the proxy was able to connect to the host if http_response.status != 200: raise ProxyError(self.ERR_CONNECT_REJECTED) else: # No proxy; connect directly to the server sock = socket.create_connection(address=(self._ip_address, self._port), timeout=network_timeout) # Pass the connected socket to the SSL client self.ssl_client.set_underlying_socket(sock) return sock def connect(self, network_timeout=None, network_max_retries=None): # type: (int, int) -> None final_timeout = self.NETWORK_TIMEOUT if network_timeout is None else network_timeout final_max_retries = self.NETWORK_MAX_RETRIES if network_max_retries is None else network_max_retries retry_attempts = 0 delay = 0 while True: try: # Sleep if it's a retry attempt time.sleep(delay) # StartTLS negotiation or proxy setup if needed self.do_pre_handshake(final_timeout) try: # SSL handshake self.ssl_client.do_handshake() except ClientCertificateRequested: # Server expected a client certificate and we didn't provide one raise except socket.timeout: # Network timeout, propagate the error to trigger a retry raise except (socket.error, IOError) as e: # On Python 3.3+ socket.error == IOError but on Python 2.7 they are different # We use the same except block so it works on all versions of Python # This section is meant to handle IOErrors if 'Nassl SSL handshake failed' in str(e.args): raise SSLHandshakeRejected('TLS / Unexpected EOF') # This section is meant to handle socket.errors for error_msg in self.HANDSHAKE_REJECTED_SOCKET_ERRORS.keys(): if error_msg in str(e.args): raise SSLHandshakeRejected('TCP / ' + self.HANDSHAKE_REJECTED_SOCKET_ERRORS[error_msg]) # Unknown socket error raise except _nassl.OpenSSLError as e: for error_msg in self.HANDSHAKE_REJECTED_SSL_ERRORS.keys(): if error_msg in str(e.args): raise SSLHandshakeRejected('TLS / ' + self.HANDSHAKE_REJECTED_SSL_ERRORS[error_msg]) raise # Unknown SSL error if we get there # Pass on exceptions for rejected handshakes except SSLHandshakeRejected: raise except ClientCertificateRequested: raise except _nassl.OpenSSLError: # Raise unknown OpenSSL errors raise except socket.timeout: # Attempt to retry connection if a network error occurred during connection or the handshake retry_attempts += 1 if retry_attempts >= final_max_retries: # Exhausted the number of retry attempts, give up raise elif retry_attempts == 1: delay = random.random() else: # Exponential back off delay = min(6, 2 * delay) # Cap max delay at 6 seconds else: # No network error occurred break def close(self): # type: () -> None self.ssl_client.shutdown() sock = self.ssl_client.get_underlying_socket() if sock: sock.close() def post_handshake_check(self): # type: () -> Text return ''