def __init__(self):
    """Populate the user-editable settings with their built-in defaults.

    Each attribute mirrors an option that a config loader elsewhere may
    overwrite from the user's ini file; ``fake_host`` is the only value
    that is computed (a host name obtained from ``sni_generater``) rather
    than a literal default.
    """
    # GAE credentials: empty until the user fills them in.
    self.appid = self.password = ''

    # Upstream proxy: off by default (note the *string* "0"), HTTP type,
    # endpoint and credentials blank.
    self.proxy_enable = "0"
    self.proxy_type = "HTTP"
    self.proxy_host = self.proxy_port = ""
    self.proxy_user = self.proxy_passwd = ""

    self.host_appengine_mode = "gae"

    # IP scanning: auto-adjust flag on, explicit thread count unset (0),
    # address family chosen automatically.
    self.auto_adjust_scan_ip_thread_num = 1
    self.scan_ip_thread_num = 0
    self.use_ipv6 = "auto"

    # Local listener binds to loopback only, so it is not exposed on the LAN.
    self.LISTEN_IP = "127.0.0.1"

    # Generated SNI host name; produced fresh every time defaults are built.
    self.fake_host = sni_generater.get()
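def _verify_google_issuer(ssl_sock):
    """Reject a TLS connection whose presented chain does not look Google-issued.

    All checks run on the chain exactly as the peer presented it
    (``get_peer_cert_chain``).  Whether that chain was also validated
    against a trust store depends on how ``openssl_context`` was built,
    which is outside this module's view; no hostname match against the
    SNI is done here either, so the intermediate-key pin below is the
    strongest identity check visible in this function.

    Raises:
        socket.error: the peer sent no certificate chain at all.
        Cert_Exception: fewer than three certificates were presented, the
            first intermediate's public key is not in ``GoogleG23PKP``, or
            the leaf's issuer CN does not start with 'Google'.
    """
    certs = ssl_sock.get_peer_cert_chain()
    if not certs:
        raise socket.error(' certficate is none')
    if len(certs) < 3:
        raise Cert_Exception('No intermediate CA was found.')

    # Pin certs[1] (first intermediate as presented) by public key.  Old
    # OpenSSL bindings lack dump_publickey; there the pin is skipped and
    # only the weaker issuer-CN test below remains.
    if hasattr(OpenSSL.crypto, "dump_publickey"):
        pubkey_pem = OpenSSL.crypto.dump_publickey(OpenSSL.crypto.FILETYPE_PEM, certs[1].get_pubkey())
        if pubkey_pem not in GoogleG23PKP:
            raise Cert_Exception('The intermediate CA is mismatching.')

    issuer_commonname = next((v for k, v in certs[0].get_issuer().get_components() if k == 'CN'), '')
    if not issuer_commonname.startswith('Google'):
        raise Cert_Exception(' certficate is issued by %r, not Google' % (issuer_commonname))


def connect_ssl(ip, port=443, timeout=5, check_cert=True, close_cb=None):
    """Open a TCP connection to ``ip``:``port`` and complete a TLS handshake on it.

    Args:
        ip: literal IPv4 or IPv6 address; a ':' in it selects AF_INET6.
        port: TCP port, 443 by default.
        timeout: socket timeout in seconds, set before connecting.
        check_cert: when true, run ``_verify_google_issuer`` on the presented
            chain; when false the handshake result is accepted as is.
        close_cb: handed to ``openssl_wrap.SSLConnection`` unchanged.

    Returns:
        The ``openssl_wrap.SSLConnection``, decorated with the bookkeeping
        attributes callers rely on: ``h2``, ``_sock``, ``fd``, ``connct_time``
        and ``handshake_time`` (milliseconds), ``create_time``,
        ``last_use_time``, ``received_size``, ``load``, ``sni``, ``host``.

    Raises:
        socket.error, Cert_Exception: from ``_verify_google_issuer`` when
            ``check_cert`` is set.  Connect/handshake failures propagate from
            the socket and TLS layers unchanged.
    """
    # Back off briefly (serialised through network_fail_lock) while the local
    # network is reported as not OK, so workers do not all hammer a dead link.
    if not check_local_network.is_ok(ip):
        with network_fail_lock:
            time.sleep(0.1)

    ip_port = (ip, port)
    # The SNI is a generated host name, not the real target; the certificate
    # is never matched against it (see _verify_google_issuer).
    sni = sni_generater.get()

    family = socket.AF_INET if ':' not in ip else socket.AF_INET6
    # PROXY_ENABLE is stored as a string ("0"/"1") in the user config, hence int().
    if int(config.PROXY_ENABLE):
        sock = socks.socksocket(family)
    else:
        sock = socket.socket(family)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    # linger{l_onoff=1, l_linger=0}: close() resets instead of lingering in
    # TIME_WAIT, avoiding Windows error 10048 (address in use) under churn.
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack('ii', 1, 0))
    # 8K -> 32K receive buffer helps bursty, browser-style downloads.
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, 32*1024)
    sock.setsockopt(socket.SOL_TCP, socket.TCP_NODELAY, True)
    sock.settimeout(timeout)

    ssl_sock = openssl_wrap.SSLConnection(openssl_context, sock, ip, close_cb)
    ssl_sock.set_connect_state()
    # SNI is best effort: older wrappers lack the call or may refuse it.
    if hasattr(ssl_sock, 'set_tlsext_host_name'):
        try:
            ssl_sock.set_tlsext_host_name(sni)
        except Exception:
            pass

    time_begin = time.time()
    ssl_sock.connect(ip_port)
    time_connected = time.time()
    ssl_sock.do_handshake()

    # Prefer ALPN; if the wrapper cannot report it, fall back to a `protos`
    # attribute on the underlying connection when one exists.
    # NOTE(review): on Python 3 pyOpenSSL returns bytes here, so "h2" would
    # have to become b"h2" if this code is ever ported.
    try:
        h2 = ssl_sock.get_alpn_proto_negotiated()
        ssl_sock.h2 = (h2 == "h2")
        xlog.debug("%s alpn h2:%s", ip, h2)
    except Exception:
        conn = ssl_sock._connection
        ssl_sock.h2 = bool(hasattr(conn, "protos") and conn.protos == "h2")

    time_handshaked = time.time()
    # A completed handshake counts as evidence the local network is up.
    check_local_network.report_ok(ip)

    if check_cert:
        _verify_google_issuer(ssl_sock)

    connct_time = int((time_connected - time_begin) * 1000)
    handshake_time = int((time_handshaked - time_connected) * 1000)

    # Callers sometimes drive the raw TCP socket directly (select/epoll), so
    # expose it plus the timing and accounting fields on the TLS object.
    ssl_sock._sock = sock
    ssl_sock.connct_time = connct_time
    ssl_sock.handshake_time = handshake_time
    ssl_sock.fd = sock.fileno()
    ssl_sock.create_time = time_begin
    ssl_sock.last_use_time = time_begin
    ssl_sock.received_size = 0
    ssl_sock.load = 0
    ssl_sock.sni = sni
    ssl_sock.host = ""
    return ssl_sock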
def connect_ssl(ip, port=443, timeout=5, check_cert=True, close_cb=None):
    """Connect to ``ip``:``port`` over TCP and finish a TLS handshake.

    Args:
        ip: literal IPv4 or IPv6 address; a ':' in it selects AF_INET6.
        port: TCP port, 443 by default.
        timeout: socket timeout in seconds, set before connecting.
        check_cert: when true, the presented chain must have at least three
            certificates, the first intermediate's public key must be in
            ``GoogleG23PKP`` (only checked when the OpenSSL binding offers
            ``dump_publickey``), and the leaf's issuer CN must start with
            'Google'.
        close_cb: handed to ``openssl_wrap.SSLConnection`` unchanged.

    Returns:
        The ``openssl_wrap.SSLConnection`` with ``h2``, ``_sock``, ``fd``,
        ``connct_time``/``handshake_time`` (milliseconds), ``create_time``,
        ``last_use_time``, ``received_size``, ``load``, ``sni`` and ``host``
        set on it.

    Raises:
        socket.error: no certificate chain was presented (``check_cert`` only).
        Cert_Exception: one of the chain checks above failed.

    The chain is inspected as presented by the peer; whether it is also
    validated against a trust store depends on ``openssl_context``, which is
    built elsewhere.  The SNI is a generated name and is not matched against
    the certificate here.
    """
    # Throttle (serialised on network_fail_lock) while the network is flagged down.
    if check_local_network.network_stat != "OK":
        with network_fail_lock:
            time.sleep(0.1)

    target = (ip, port)
    sni = sni_generater.get()

    # NOTE(review): the user-config default for proxy_enable is the string
    # "0"; unless config.PROXY_ENABLE is coerced to int elsewhere, "0" is
    # truthy here and every connection would go through the SOCKS wrapper.
    family = socket.AF_INET6 if ':' in ip else socket.AF_INET
    make_socket = socks.socksocket if config.PROXY_ENABLE else socket.socket
    sock = make_socket(family)
    for level, option, value in (
        (socket.SOL_SOCKET, socket.SO_REUSEADDR, 1),
        # linger{l_onoff=1, l_linger=0}: reset on close, no TIME_WAIT (Windows 10048)
        (socket.SOL_SOCKET, socket.SO_LINGER, struct.pack('ii', 1, 0)),
        # 8K -> 32K receive buffer for browser-style traffic
        (socket.SOL_SOCKET, socket.SO_RCVBUF, 32*1024),
        (socket.SOL_TCP, socket.TCP_NODELAY, True),
    ):
        sock.setsockopt(level, option, value)
    sock.settimeout(timeout)

    ssl_sock = openssl_wrap.SSLConnection(openssl_context, sock, ip, close_cb)
    ssl_sock.set_connect_state()
    ssl_sock.set_tlsext_host_name(sni)

    t_start = time.time()
    ssl_sock.connect(target)
    t_connected = time.time()
    ssl_sock.do_handshake()

    # ALPN first; fall back to a `protos` attribute on the inner connection.
    try:
        negotiated = ssl_sock.get_alpn_proto_negotiated()
        ssl_sock.h2 = negotiated == "h2"
        xlog.debug("%s alpn h2:%s", ip, negotiated)
    except Exception:
        inner = ssl_sock._connection
        ssl_sock.h2 = hasattr(inner, "protos") and inner.protos == "h2"

    t_done = time.time()
    # Record the successful handshake as a healthy-network observation.
    check_local_network.network_stat = "OK"
    check_local_network.last_check_time = t_done
    check_local_network.continue_fail_count = 0

    if check_cert:
        chain = ssl_sock.get_peer_cert_chain()
        if not chain:
            raise socket.error(' certficate is none')
        if len(chain) < 3:
            raise Cert_Exception('No intermediate CA was found.')
        # Public-key pin on chain[1]; skipped on bindings without dump_publickey,
        # which leaves only the weaker issuer-CN test below.
        if hasattr(OpenSSL.crypto, "dump_publickey"):
            intermediate_key = OpenSSL.crypto.dump_publickey(OpenSSL.crypto.FILETYPE_PEM, chain[1].get_pubkey())
            if intermediate_key not in GoogleG23PKP:
                raise Cert_Exception('The intermediate CA is mismatching.')
        issuer_cn = ''
        for key, value in chain[0].get_issuer().get_components():
            if key == 'CN':
                issuer_cn = value
                break
        if not issuer_cn.startswith('Google'):
            raise Cert_Exception(' certficate is issued by %r, not Google' % (issuer_cn))

    connect_ms = int((t_connected - t_start) * 1000)
    handshake_ms = int((t_done - t_connected) * 1000)

    # Expose the raw socket (callers may select/epoll on it) and accounting fields.
    ssl_sock._sock = sock
    ssl_sock.connct_time = connect_ms
    ssl_sock.handshake_time = handshake_ms
    ssl_sock.fd = sock.fileno()
    ssl_sock.create_time = t_start
    ssl_sock.last_use_time = t_start
    ssl_sock.received_size = 0
    ssl_sock.load = 0
    ssl_sock.sni = sni
    ssl_sock.host = ""
    return ssl_sock
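def connect_ssl(ip, port=443, timeout=5, top_domain=None, on_close=None):
    """Open a TCP connection to ``ip``:``port`` and complete a TLS handshake on it.

    Args:
        ip: literal IPv4 or IPv6 address; a ':' in it selects AF_INET6.
        port: TCP port, 443 by default.
        timeout: socket timeout in seconds, set before connecting.
        top_domain: recorded on the returned socket as ``top_domain``;
            defaults to the generated SNI when not given.
        on_close: handed to ``openssl_wrap.SSLConnection`` as ``on_close``.

    Returns:
        The ``openssl_wrap.SSLConnection`` decorated with ``h2``, ``ip``,
        ``_sock``, ``fd``, ``create_time``, ``connect_time`` and
        ``handshake_time`` (milliseconds), ``sni`` and ``top_domain``.

    Raises:
        socket.error: the peer sent no certificate, or the leaf's issuer CN
            does not start with 'DigiCert'.  Connect/handshake failures
            propagate from the socket and TLS layers unchanged.
    """
    # Throttle (serialised on network_fail_lock) while the network is flagged down.
    if check_local_network.network_stat != "OK":
        with network_fail_lock:
            time.sleep(0.1)

    sni = sni_generater.get()
    if not top_domain:
        top_domain = sni
    xlog.debug("top_domain:%s sni:%s", top_domain, sni)

    # NOTE(review): the user-config default for proxy_enable is the string
    # "0"; unless config.PROXY_ENABLE is coerced to int elsewhere, "0" is
    # truthy here and every connection would go through the SOCKS wrapper.
    family = socket.AF_INET if ':' not in ip else socket.AF_INET6
    if config.PROXY_ENABLE:
        sock = socks.socksocket(family)
    else:
        sock = socket.socket(family)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    # linger{l_onoff=1, l_linger=0}: close() resets instead of lingering in
    # TIME_WAIT, avoiding Windows error 10048 (address in use) under churn.
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack('ii', 1, 0))
    # 8K -> 32K receive buffer helps bursty, browser-style downloads.
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, 32*1024)
    sock.setsockopt(socket.SOL_TCP, socket.TCP_NODELAY, True)
    sock.settimeout(timeout)

    ssl_sock = openssl_wrap.SSLConnection(openssl_context, sock, ip, on_close=on_close)
    ssl_sock.set_connect_state()
    ssl_sock.set_tlsext_host_name(sni)

    time_begin = time.time()
    ip_port = (ip, port)
    ssl_sock.connect(ip_port)
    time_connected = time.time()
    ssl_sock.do_handshake()

    # Prefer ALPN; if the wrapper cannot report it, fall back to a `protos`
    # attribute on the underlying connection when one exists.
    try:
        h2 = ssl_sock.get_alpn_proto_negotiated()
        ssl_sock.h2 = (h2 == "h2")
    except Exception:
        conn = ssl_sock._connection
        ssl_sock.h2 = bool(hasattr(conn, "protos") and conn.protos == "h2")

    time_handshaked = time.time()
    # A completed handshake counts as evidence the local network is up.
    check_local_network.network_stat = "OK"
    check_local_network.last_check_time = time_handshaked
    check_local_network.continue_fail_count = 0

    # Identity check: leaf issuer CN only, on the certificate as presented.
    # Whether the chain was validated against a trust store depends on
    # openssl_context (built elsewhere); the SNI is a generated name and is
    # not matched against the certificate here.
    cert = ssl_sock.get_peer_certificate()
    if not cert:
        raise socket.error(' certficate is none')
    issuer_commonname = next((v for k, v in cert.get_issuer().get_components() if k == 'CN'), '')
    if not issuer_commonname.startswith('DigiCert'):
        # Message kept in step with the check above (it previously said "not COMODO").
        raise socket.error(' certficate is issued by %r, not DigiCert' % (issuer_commonname))

    connect_time = int((time_connected - time_begin) * 1000)
    # Measured from time_begin, so this figure includes the TCP connect too.
    handshake_time = int((time_handshaked - time_begin) * 1000)
    if __name__ == "__main__":
        xlog.debug("h2:%s", ssl_sock.h2)
        xlog.debug("issued by:%s", issuer_commonname)
        xlog.debug("conn: %d handshake:%d", connect_time, handshake_time)

    # Callers sometimes drive the raw TCP socket directly (select/epoll), so
    # expose it plus the timing fields on the TLS object.
    ssl_sock.ip = ip
    ssl_sock._sock = sock
    ssl_sock.fd = sock.fileno()
    ssl_sock.create_time = time_begin
    ssl_sock.connect_time = connect_time
    ssl_sock.handshake_time = handshake_time
    ssl_sock.sni = sni
    ssl_sock.top_domain = top_domain
    return ssl_sock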
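def connect_ssl(ip, port=443, timeout=5, top_domain=None):
    """Open a TCP connection to ``ip``:``port`` and complete a TLS handshake on it.

    Args:
        ip: literal IPv4 or IPv6 address; a ':' in it selects AF_INET6.
        port: TCP port, 443 by default.
        timeout: socket timeout in seconds, set before connecting.
        top_domain: recorded on the returned socket as ``top_domain``;
            defaults to the generated SNI when not given.

    Returns:
        The ``openssl_wrap.SSLConnection`` decorated with ``h2``, ``ip``,
        ``_sock``, ``fd``, ``create_time``, ``connect_time`` and
        ``handshake_time`` (milliseconds), ``sni`` and ``top_domain``.

    Raises:
        socket.error: the peer sent no certificate, or the leaf's issuer CN
            does not start with 'DigiCert'.  Connect/handshake failures
            propagate from the socket and TLS layers unchanged.
    """
    sni = sni_generater.get()
    if not top_domain:
        top_domain = sni
    xlog.debug("top_domain:%s sni:%s", top_domain, sni)

    # NOTE(review): the user-config default for proxy_enable is the string
    # "0"; unless config.PROXY_ENABLE is coerced to int elsewhere, "0" is
    # truthy here and every connection would go through the SOCKS wrapper.
    family = socket.AF_INET if ':' not in ip else socket.AF_INET6
    if config.PROXY_ENABLE:
        sock = socks.socksocket(family)
    else:
        sock = socket.socket(family)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    # linger{l_onoff=1, l_linger=0}: close() resets instead of lingering in
    # TIME_WAIT, avoiding Windows error 10048 (address in use) under churn.
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack('ii', 1, 0))
    # 8K -> 32K receive buffer helps bursty, browser-style downloads.
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, 32 * 1024)
    sock.setsockopt(socket.SOL_TCP, socket.TCP_NODELAY, True)
    sock.settimeout(timeout)

    ssl_sock = openssl_wrap.SSLConnection(openssl_context, sock, ip)
    ssl_sock.set_connect_state()
    ssl_sock.set_tlsext_host_name(sni)

    time_begin = time.time()
    ip_port = (ip, port)
    ssl_sock.connect(ip_port)
    time_connected = time.time()
    ssl_sock.do_handshake()

    # Prefer ALPN; if the wrapper cannot report it, fall back to a `protos`
    # attribute on the underlying connection when one exists.
    try:
        h2 = ssl_sock.get_alpn_proto_negotiated()
        ssl_sock.h2 = (h2 == "h2")
    except Exception:
        conn = ssl_sock._connection
        ssl_sock.h2 = bool(hasattr(conn, "protos") and conn.protos == "h2")

    time_handshaked = time.time()
    # A completed handshake counts as evidence the local network is up.
    check_local_network.network_stat = "OK"
    check_local_network.last_check_time = time_handshaked
    check_local_network.continue_fail_count = 0

    # Identity check: leaf issuer CN only, on the certificate as presented.
    # Whether the chain was validated against a trust store depends on
    # openssl_context (built elsewhere); the SNI is a generated name and is
    # not matched against the certificate here.
    cert = ssl_sock.get_peer_certificate()
    if not cert:
        raise socket.error(' certficate is none')
    issuer_commonname = next(
        (v for k, v in cert.get_issuer().get_components() if k == 'CN'), '')
    if not issuer_commonname.startswith('DigiCert'):
        # Message kept in step with the check above (it previously said "not COMODO").
        raise socket.error(' certficate is issued by %r, not DigiCert' % (issuer_commonname))

    connect_time = int((time_connected - time_begin) * 1000)
    # Measured from time_begin, so this figure includes the TCP connect too.
    handshake_time = int((time_handshaked - time_begin) * 1000)
    if __name__ == "__main__":
        xlog.debug("h2:%s", ssl_sock.h2)
        xlog.debug("issued by:%s", issuer_commonname)
        xlog.debug("conn: %d handshake:%d", connect_time, handshake_time)

    # Callers sometimes drive the raw TCP socket directly (select/epoll), so
    # expose it plus the timing fields on the TLS object.
    ssl_sock.ip = ip
    ssl_sock._sock = sock
    ssl_sock.fd = sock.fileno()
    ssl_sock.create_time = time_begin
    ssl_sock.connect_time = connect_time
    ssl_sock.handshake_time = handshake_time
    ssl_sock.sni = sni
    ssl_sock.top_domain = top_domain
    return ssl_sock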
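def load(self):
    """Read ``proxy.ini`` defaults, then overlay the user's ``config.ini``.

    Parsed values land on ``self.user_special``; ``self.DEFAULT_CONFIG``
    and ``self.USER_CONFIG`` keep the parsed files.  A missing file makes
    the method return early, leaving whatever ``__init__`` set.  Any other
    error is logged with ``xlog.warn`` rather than raised, so a partially
    loaded ``user_special`` is possible.

    Side effect: ``ConfigParser.RawConfigParser.OPTCRE`` is replaced
    process-wide so that only '=' separates option from value and ':' is
    treated as ordinary text.
    """
    ConfigParser.RawConfigParser.OPTCRE = re.compile(
        r'(?P<option>[^=\s][^=]*)\s*(?P<vi>[=])\s*(?P<value>.*)$')

    self.DEFAULT_CONFIG = ConfigParser.ConfigParser()
    DEFAULT_CONFIG_FILENAME = os.path.abspath(os.path.join(current_path, 'proxy.ini'))
    self.USER_CONFIG = ConfigParser.ConfigParser()
    CONFIG_USER_FILENAME = os.path.join(data_path, 'config.ini')

    try:
        if os.path.isfile(DEFAULT_CONFIG_FILENAME):
            self.DEFAULT_CONFIG.read(DEFAULT_CONFIG_FILENAME)
            self.user_special.scan_ip_thread_num = self.DEFAULT_CONFIG.getint(
                'google_ip', 'max_scan_ip_thread_num')
        else:
            return

        if os.path.isfile(CONFIG_USER_FILENAME):
            self.USER_CONFIG.read(CONFIG_USER_FILENAME)
        else:
            return

        # Credentials live in plaintext in config.ini; keep them out of log lines.
        try:
            self.user_special.appid = self.USER_CONFIG.get('gae', 'appid')
            self.user_special.password = self.USER_CONFIG.get('gae', 'password')
        except Exception:
            pass

        try:
            self.user_special.host_appengine_mode = self.USER_CONFIG.get(
                'hosts', 'appengine.google.com')
        except Exception:
            pass

        # NOTE(review): these three read config.CONFIG while every other
        # option reads self.USER_CONFIG; confirm that is intentional.
        try:
            self.user_special.scan_ip_thread_num = config.CONFIG.getint(
                'google_ip', 'max_scan_ip_thread_num')
        except Exception:
            self.user_special.scan_ip_thread_num = self.DEFAULT_CONFIG.getint(
                'google_ip', 'max_scan_ip_thread_num')

        try:
            self.user_special.auto_adjust_scan_ip_thread_num = config.CONFIG.getint(
                'google_ip', 'auto_adjust_scan_ip_thread_num')
        except Exception:
            pass

        try:
            self.user_special.use_ipv6 = config.CONFIG.get('google_ip', 'use_ipv6')
            # Anything outside the known set falls back to automatic selection.
            if self.user_special.use_ipv6 not in ["auto", "force_ipv4", "force_ipv6"]:
                self.user_special.use_ipv6 = "auto"
        except Exception:
            pass

        # NOTE(review): the proxy block is not guarded, so a config.ini
        # without a [proxy] section aborts to the outer handler and the
        # listen/fake_host options below are never read.
        self.user_special.proxy_enable = self.USER_CONFIG.get('proxy', 'enable')
        self.user_special.proxy_type = self.USER_CONFIG.get('proxy', 'type')
        self.user_special.proxy_host = self.USER_CONFIG.get('proxy', 'host')
        self.user_special.proxy_port = self.USER_CONFIG.get('proxy', 'port')
        self.user_special.proxy_user = self.USER_CONFIG.get('proxy', 'user')
        self.user_special.proxy_passwd = self.USER_CONFIG.get('proxy', 'passwd')

        try:
            self.user_special.LISTEN_IP = self.USER_CONFIG.get('listen', 'ip')
        except Exception:
            pass

        try:
            self.user_special.fake_host = self.USER_CONFIG.get('system', 'fake_host')
        except Exception:
            # No stored SNI host yet: generate one and persist it so the same
            # name is reused on later starts.
            # NOTE(review): the original layout is ambiguous about whether
            # save() belongs to this fallback or runs unconditionally - confirm.
            self.user_special.fake_host = sni_generater.get()
            self.save()
    except Exception as e:
        xlog.warn("User_config.load except:%s", e)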
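def connect_ssl(ip, port=443, timeout=5, check_cert=True, close_cb=None):
    """Open a TCP connection to ``ip``:``port`` and complete a TLS handshake on it.

    Args:
        ip: literal IPv4 or IPv6 address; a ':' in it selects AF_INET6.
        port: TCP port, 443 by default.
        timeout: socket timeout in seconds, set before connecting.
        check_cert: when true, the leaf's issuer CN must start with
            'Google'; a peer certificate is required either way.
        close_cb: handed to ``openssl_wrap.SSLConnection`` unchanged.

    Returns:
        The ``openssl_wrap.SSLConnection``, decorated with ``h2``, ``_sock``,
        ``fd``, ``connct_time`` and ``handshake_time`` (milliseconds),
        ``create_time``, ``last_use_time``, ``received_size``, ``load``,
        ``sni`` and ``host``.

    Raises:
        socket.error: the peer sent no certificate, or (with ``check_cert``)
            the issuer CN does not start with 'Google'.  Connect/handshake
            failures propagate from the socket and TLS layers unchanged.
    """
    # NOTE(review): sibling revisions throttle when the network is NOT ok
    # (`if not is_ok(ip)` / `network_stat != "OK"`); this condition sleeps
    # when it IS ok - confirm it is not inverted.
    if check_local_network.is_ok(ip):
        with network_fail_lock:
            time.sleep(0.1)

    ip_port = (ip, port)
    # The SNI is a generated host name, not the real target; the certificate
    # is never matched against it in this function.
    sni = sni_generater.get()

    # NOTE(review): the user-config default for proxy_enable is the string
    # "0"; unless config.PROXY_ENABLE is coerced to int elsewhere, "0" is
    # truthy here and every connection would go through the SOCKS wrapper.
    family = socket.AF_INET if ':' not in ip else socket.AF_INET6
    if config.PROXY_ENABLE:
        sock = socks.socksocket(family)
    else:
        sock = socket.socket(family)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    # linger{l_onoff=1, l_linger=0}: close() resets instead of lingering in
    # TIME_WAIT, avoiding Windows error 10048 (address in use) under churn.
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack('ii', 1, 0))
    # 8K -> 32K receive buffer helps bursty, browser-style downloads.
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, 32 * 1024)
    sock.setsockopt(socket.SOL_TCP, socket.TCP_NODELAY, True)
    sock.settimeout(timeout)

    ssl_sock = openssl_wrap.SSLConnection(openssl_context, sock, ip, close_cb)
    ssl_sock.set_connect_state()
    ssl_sock.set_tlsext_host_name(sni)

    time_begin = time.time()
    ssl_sock.connect(ip_port)
    time_connected = time.time()
    ssl_sock.do_handshake()

    # Prefer ALPN; if the wrapper cannot report it, fall back to a `protos`
    # attribute on the underlying connection when one exists.
    try:
        h2 = ssl_sock.get_alpn_proto_negotiated()
        ssl_sock.h2 = (h2 == "h2")
    except Exception:
        conn = ssl_sock._connection
        ssl_sock.h2 = bool(hasattr(conn, "protos") and conn.protos == "h2")

    time_handshaked = time.time()
    # A completed handshake counts as evidence the local network is up.
    check_local_network.report_ok(ip)

    # Identity check: leaf issuer CN only, on the certificate as presented.
    # Whether the chain was validated against a trust store depends on
    # openssl_context (built elsewhere).  check_cert=False skips the CN test
    # but still demands that a certificate was sent.
    cert = ssl_sock.get_peer_certificate()
    if not cert:
        raise socket.error(' certficate is none')
    if check_cert:
        issuer_commonname = next(
            (v for k, v in cert.get_issuer().get_components() if k == 'CN'), '')
        if not issuer_commonname.startswith('Google'):
            raise socket.error(' certficate is issued by %r, not Google' % (issuer_commonname))

    connct_time = int((time_connected - time_begin) * 1000)
    handshake_time = int((time_handshaked - time_connected) * 1000)

    # Callers sometimes drive the raw TCP socket directly (select/epoll), so
    # expose it plus the timing and accounting fields on the TLS object.
    ssl_sock._sock = sock
    ssl_sock.connct_time = connct_time
    ssl_sock.handshake_time = handshake_time
    ssl_sock.fd = sock.fileno()
    ssl_sock.create_time = time_begin
    ssl_sock.last_use_time = time_begin
    ssl_sock.received_size = 0
    ssl_sock.load = 0
    ssl_sock.sni = sni
    ssl_sock.host = ""
    return ssl_sock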
def connect_ssl(ip, port=443, timeout=5, check_cert=True, close_cb=None):
    """Connect to ``ip``:``port`` over TCP and finish a TLS handshake.

    Args:
        ip: literal IPv4 or IPv6 address; a ':' in it selects AF_INET6.
        port: TCP port, 443 by default.
        timeout: socket timeout in seconds, set before connecting.
        check_cert: when true, the leaf's issuer CN must start with
            'Google'; a peer certificate is required either way.
        close_cb: handed to ``openssl_wrap.SSLConnection`` unchanged.

    Returns:
        The ``openssl_wrap.SSLConnection`` with ``h2``, ``_sock``, ``fd``,
        ``connct_time``/``handshake_time`` (milliseconds), ``create_time``,
        ``last_use_time``, ``received_size``, ``load``, ``sni`` and ``host``
        set on it.

    Raises:
        socket.error: no certificate was presented, or (with ``check_cert``)
            the issuer CN does not start with 'Google'.

    The certificate is inspected as presented by the peer; whether the chain
    is also validated against a trust store depends on ``openssl_context``,
    which is built elsewhere.  The SNI is a generated name and is not matched
    against the certificate here.
    """
    def negotiated_h2(tls):
        """True when ALPN (or the wrapper's `protos` fallback) says h2."""
        try:
            return tls.get_alpn_proto_negotiated() == "h2"
        except Exception:
            inner = tls._connection
            return hasattr(inner, "protos") and inner.protos == "h2"

    def issuer_cn(cert):
        """Issuer CN of *cert*, or '' when the issuer has none."""
        for key, value in cert.get_issuer().get_components():
            if key == 'CN':
                return value
        return ''

    # NOTE(review): sibling revisions throttle when the network is NOT ok
    # (`if not is_ok(ip)` / `network_stat != "OK"`); this condition sleeps
    # when it IS ok - confirm it is not inverted.
    if check_local_network.is_ok(ip):
        with network_fail_lock:
            time.sleep(0.1)

    target = (ip, port)
    sni = sni_generater.get()

    # NOTE(review): the user-config default for proxy_enable is the string
    # "0"; unless config.PROXY_ENABLE is coerced to int elsewhere, "0" is
    # truthy here and every connection would go through the SOCKS wrapper.
    family = socket.AF_INET6 if ':' in ip else socket.AF_INET
    make_socket = socks.socksocket if config.PROXY_ENABLE else socket.socket
    sock = make_socket(family)
    for level, option, value in (
        (socket.SOL_SOCKET, socket.SO_REUSEADDR, 1),
        # linger{l_onoff=1, l_linger=0}: reset on close, no TIME_WAIT (Windows 10048)
        (socket.SOL_SOCKET, socket.SO_LINGER, struct.pack('ii', 1, 0)),
        # 8K -> 32K receive buffer for browser-style traffic
        (socket.SOL_SOCKET, socket.SO_RCVBUF, 32*1024),
        (socket.SOL_TCP, socket.TCP_NODELAY, True),
    ):
        sock.setsockopt(level, option, value)
    sock.settimeout(timeout)

    ssl_sock = openssl_wrap.SSLConnection(openssl_context, sock, ip, close_cb)
    ssl_sock.set_connect_state()
    ssl_sock.set_tlsext_host_name(sni)

    t_start = time.time()
    ssl_sock.connect(target)
    t_connected = time.time()
    ssl_sock.do_handshake()

    ssl_sock.h2 = negotiated_h2(ssl_sock)

    t_done = time.time()
    # Record the successful handshake as a healthy-network observation.
    check_local_network.report_ok(ip)

    cert = ssl_sock.get_peer_certificate()
    if not cert:
        raise socket.error(' certficate is none')
    if check_cert:
        issuer_commonname = issuer_cn(cert)
        if not issuer_commonname.startswith('Google'):
            raise socket.error(' certficate is issued by %r, not Google' % ( issuer_commonname))

    connect_ms = int((t_connected - t_start) * 1000)
    handshake_ms = int((t_done - t_connected) * 1000)

    # Expose the raw socket (callers may select/epoll on it) and accounting fields.
    ssl_sock._sock = sock
    ssl_sock.connct_time = connect_ms
    ssl_sock.handshake_time = handshake_ms
    ssl_sock.fd = sock.fileno()
    ssl_sock.create_time = t_start
    ssl_sock.last_use_time = t_start
    ssl_sock.received_size = 0
    ssl_sock.load = 0
    ssl_sock.sni = sni
    ssl_sock.host = ""
    return ssl_sock