def do_CONNECT(self): remote_connection = self._create_remote_ssl_connection(self.path) if remote_connection: self.log_request(200) self.wfile.write(self.protocol_version + ' 200 Connection established\r\n') self.wfile.write('Proxy-agent: %s\r\n' % self.version_string()) self.wfile.write('\r\n') try: if self.server.pem_file: self.connection = ssl.SSLSocket( self.connection, server_side=True, certfile=self.server.pem_file) elif self.server_cert_file: self.connection = ssl.SSLSocket( self.connection, server_side=True, certfile=self.server.cert_file) else: self.connection = ssl.SSLSocket( self.connection, server_side=True, certfile=self.server.cert_file, keyfile=self.server.key_file) except ssl.SSLError, e: logging.error(e) self._chat_to_remote_connection(remote_connection)
def get_request(self): sock, client_address = HTTPServer.get_request(self) if sock and config.server_certificate: # this is this kind of smart shit that gets you in really deep trouble later peek = sock.recv(5, socket.MSG_PEEK) if peek and len(peek) == 5: if peek[0] == 0x16: logging.debug( "socket %s from %s appears to start with a TSL handshake, version %d.%d", sock, client_address, peek[1], peek[2]) try: sock = ssl.SSLSocket( sock=sock, certfile=config.server_certificate, server_side=True) except: logging.exception( "failed to SSL wrap socket %s from %s", sock, client_address) elif peek[0] == 0x80 and peek[2] == 0x01: logging.debug( "socket %s from %s appears to start with a SSLv2 handshake, supported version %d.%d", sock, client_address, peek[3], peek[4]) try: sock = ssl.SSLSocket( sock=sock, certfile=config.server_certificate, server_side=True) except: logging.exception( "failed to SSL wrap socket %s from %s", sock, client_address) return sock, client_address
def connect(self, addr=('irc.freenode.net', 6667), use_ssl=False): '''Connect to a IRC server. addr is a tuple of (server, port)''' self.acquire_lock() try: self.addr = (rmnlsp(addr[0]), addr[1]) if use_ssl: if (3, ) <= sys.version_info < (3, 3): self.sock = ssl.SSLSocket() elif sys.version_info >= (3, 4): ctx = ssl.create_default_context() if ssl.HAS_SNI: self.sock = ctx.wrap_socket(socket.socket(), server_hostname=addr[0]) else: self.sock = ctx.wrap_socket(socket.socket()) else: self.sock = ssl.SSLSocket(sock=socket.socket()) else: self.sock = socket.socket() self.sock.settimeout(300) self.sock.connect(self.addr) self.nick = None self.recvbuf = b'' self.sendbuf = b'' finally: self.lock.release()
def connect(self, host, port=587, secure=SEC_STARTTLS): targets = socket.getaddrinfo(host, port, socket.AF_UNSPEC, socket.SOCK_STREAM, 0, 0) # TODO: should we iterate through targets in order, randomly, or # randomly by address family (that is, try IPv6 first, then IPv4, then # whatever is left)? for i in targets: print "Trying", i[4][0], i[ 3] # address, canonical name (if available) s = socket.socket(*i[:3]) if secure == SEC_SSL: oldSock = s s = ssl.SSLSocket(s, ca_certs=self.ca_certs, cert_reqs=ssl.CERT_REQUIRED if self.ca_certs else ssl.CERT_NONE) else: oldSock = None try: s.connect(i[4]) self._negotiate(s, host, secure) break except socket.error as ev: print " ", ev.strerror continue else: # TODO: Provide some more info. Ideally, we'd have some # differentiation between, say, connection refused vs timed out vs # no route, etc. # May be difficult due to multiple connection attempts. raise Exception("unable to connect")
def test_bad_host(self): with open(Fixtures.keys.path("private1.pem"), "rb") as f: key = RSAObject(pem=f.read()) h = SSLHandler(self, self.serverSock, self.clientEndpoint, self.certfile, self.keyfile) self.assertEqual(self.client_sock.recv(8), b"FLUX0003") c_sock = ssl.SSLSocket(self.client_sock, do_handshake_on_connect=False) self.complete_ssl_handshake(h, c_sock) randbytes = c_sock.recv(64) # Client send identify document = hash_password(tcp_ssl.UUID_BIN, randbytes) signature = key.sign(document) c_sock.send(from_hex("89ba8bc366d22153e82c22aa6c01f60bcac38c93")) c_sock.send(signature) # Final identify while select((h.sock, ), (), (), 0.05)[0]: h.on_recv(None, None) if h.ready == -1: break self.assertEqual(h.ready, -1) select((c_sock, ), (), (), 0.1) self.assertEqual(c_sock.recv(16), tcp_ssl.MESSAGE_UNKNOWN_HOST)
def connect(self): "Connect to a host on a given (SSL) port." sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.connect((self.host, self.port)) ssl_soc = ssl.SSLSocket(sock, self.key_file, self.cert_file) self.sock = FakeSocket(sock, ssl_soc)
def connect(self): """ Connects and registers with the IRC Server. """ self.socket = socket.socket() if self.ssl: self.socket = ssl.SSLSocket(self.socket) self.socket.settimeout(self.socket_timeout) wait_time = self.connection_wait_timer_start while self.connected == False: try: self.socket.connect((self.host, self.port)) self.connected = True print "Connected to %s on port %s" % (self.host, str( self.port)) except: print "Failed to connect to %s on port %s" % (self.host, str(self.port)) print "Reconnecting in %s seconds" % wait_time time.sleep(wait_time) if (wait_time * self.connection_wait_timer_multiplier < self.connection_wait_timer_max): wait_time = wait_time * self.connection_wait_timer_multiplier elif (wait_time < self.connection_wait_timer_max): wait_time = self.connection_wait_timer_max # Register on server self.socket.send("NICK %s\r\n" % self.nick) self.socket.send("USER %s %s something :%s\r\n" % (self.ident, self.host, self.real_name)) self.last_time_sent_nick = time.time() # Listen for replies from the server self.listen()
def _wrap_socket_sni(sock, keyfile=None, certfile=None, server_side=False, cert_reqs=ssl.CERT_NONE, ssl_version=ssl.PROTOCOL_SSLv23, ca_certs=None, do_handshake_on_connect=True, suppress_ragged_eofs=True, server_hostname=None, ciphers=None): """Socket wrap with SNI headers. Default `ssl.wrap_socket` method augmented with support for setting the server_hostname field required for SNI hostname header """ sock = ssl.SSLSocket(sock=sock, keyfile=keyfile, certfile=certfile, server_side=server_side, cert_reqs=cert_reqs, ssl_version=ssl_version, ca_certs=ca_certs, do_handshake_on_connect=do_handshake_on_connect, suppress_ragged_eofs=suppress_ragged_eofs, server_hostname=server_hostname, ciphers=ciphers) return sock
def connect(self): """ Connect to a host on a given (SSL) port using PyOpenSSL. """ sock = socket.create_connection((self.host, self.port), self.timeout) if PY2: ssl_ctx = configure_pyopenssl_context(self.credentials) # attempt to upgrade the socket to TLS cxn = OpenSSL.SSL.Connection(ssl_ctx, sock) cxn.set_connect_state() while True: try: cxn.do_handshake() except OpenSSL.SSL.WantReadError: select.select([sock], [], []) continue except OpenSSL.SSL.Error as e: raise SecurityError('bad handshake - ' + str(e)) break self.sock = RiakWrappedSocket(cxn, sock) self.credentials._check_revoked_cert(self.sock) else: ssl_ctx = configure_ssl_context(self.credentials) host = "riak@" + self.host self.sock = ssl.SSLSocket(sock=sock, keyfile=self.credentials.pkey_file, certfile=self.credentials.cert_file, cert_reqs=ssl.CERT_REQUIRED, ca_certs=self.credentials.cacert_file, ciphers=self.credentials.ciphers, server_hostname=host) self.sock.context = ssl_ctx
def accept(self): plain_client, addr = self.handle.accept() try: context = ssl.SSLContext(self.SSL_VERSION) context.verify_mode = ssl.CERT_NONE context.load_cert_chain(certfile=self.certfile, keyfile=self.keyfile) if self.capath: context.load_verify_locations(cafile=None, capath=self.capath) if self.ciphers: context.set_ciphers(self.ciphers) client = ssl.SSLSocket(plain_client, server_side=True, _context=context) except ssl.SSLError as ssl_exc: # failed handshake/ssl wrap, close socket to client plain_client.close() # raise ssl_exc # We can't raise the exception, because it kills most TServer derived # serve() methods. # Instead, return None, and let the TServer instance deal with it in # other exception handling. (but TSimpleServer dies anyway) return None result = TSocket.TSocket() result.setHandle(client) return result
def run_client(args): host = args.hostname port = args.p nuid = args.neu_id secure = args.s sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock = ssl.SSLSocket(sock) if secure else sock sock.connect((host, port)) message = 'cs3700fall2016 HELLO {}\n'.format(nuid) while True: sock.send(bytes(message, 'utf-8')) response = sock.recv(BUFFER) response_str = response.decode('utf-8').strip() if "STATUS" in response_str: operation = response_str.split('STATUS ')[1] answer = int(eval(operation)) message = "cs3700fall2016 {}\n".format(answer) elif "BYE" in response_str: secret_flag = response_str.split('BYE ')[1] break else: sock.close() raise Exception('Unexpected Response') sock.close() print(secret_flag)
def _ssl_handshake(self): """ Perform an SSL handshake w/ the server. Precondition: a successful STARTTLS exchange has taken place with Riak returns True upon success, otherwise an exception is raised """ credentials = self._client._credentials if credentials: try: ssl_ctx = configure_ssl_context(credentials) host = self._address[0] ssl_socket = ssl.SSLSocket( sock=self._socket, keyfile=credentials.pkey_file, certfile=credentials.cert_file, cert_reqs=ssl.CERT_REQUIRED, ca_certs=credentials.cacert_file, ciphers=credentials.ciphers, server_hostname=host) ssl_socket.context = ssl_ctx # ssl handshake successful ssl_socket.do_handshake() self._socket = ssl_socket return True except ssl.SSLError as e: raise SecurityError(e) except Exception as e: # fail if *any* exceptions are thrown during SSL handshake raise SecurityError(e)
def get_roomba_password(ip): """ Sends a (magic?) packet and parses the response as the password Mostly based on: https://github.com/koalazak/dorita980 Thanks koalazak :) :param ip: :return: """ sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) ssl_sock = ssl.SSLSocket(sock=sock) ssl_sock.connect((ip, 8883)) ssl_sock.write('\xf0\x05\xef\xcc\x3b\x29\x00') # Should get back a 2 byte message containing the size of the next message r1 = [ord(x) for x in ssl_sock.recv()] # If we get the expected values pull out the password if len(r1) == 2 and r1[1] == 21: r2 = [chr(ord(x)) for x in ssl_sock.recv()] return "".join(r2[5:]) else: print "ERROR make sure you pressed the button!" print "Got:", r1 return ""
def _wrap_socket_sni(self, sock, keyfile=None, certfile=None, server_side=False, cert_reqs=ssl.CERT_NONE, ca_certs=None, do_handshake_on_connect=True, suppress_ragged_eofs=True, server_hostname=None, ciphers=None, ssl_version=None): """Socket wrap with SNI headers. Default `ssl.wrap_socket` method augmented with support for setting the server_hostname field required for SNI hostname header """ opts = dict(sock=sock, keyfile=keyfile, certfile=certfile, server_side=server_side, cert_reqs=cert_reqs, ca_certs=ca_certs, do_handshake_on_connect=do_handshake_on_connect, suppress_ragged_eofs=suppress_ragged_eofs, ciphers=ciphers) # Setup the right SSL version; default to optimal versions across # ssl implementations if ssl_version is not None: opts['ssl_version'] = ssl_version else: # older versions of python 2.7 and python 2.6 do not have the # ssl.PROTOCOL_TLS defined the equivalent is ssl.PROTOCOL_SSLv23 # we default to PROTOCOL_TLS and fallback to PROTOCOL_SSLv23 if hasattr(ssl, 'PROTOCOL_TLS'): opts['ssl_version'] = ssl.PROTOCOL_TLS else: opts['ssl_version'] = ssl.PROTOCOL_SSLv23 # Set SNI headers if supported if (server_hostname is not None) and ( hasattr(ssl, 'HAS_SNI') and ssl.HAS_SNI): opts['server_hostname'] = server_hostname sock = ssl.SSLSocket(**opts) return sock
def connect(self): """Initiates a connection using the ssl module.""" rawsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) if self.protocol == 'xmlrpc/ssl': ssl_protocol_ver = ssl.PROTOCOL_SSLv23 else: log.error("Unknown protocol %s" % (self.protocol)) raise Exception, "unknown protocol %s" % self.protocol if self.ca: other_side_required = ssl.CERT_REQUIRED else: other_side_required = ssl.CERT_NONE log.warning("No ca is specified. Cannot authenticate the server with SSL.") if self.cert and not self.key: log.warning("SSL cert specfied, but no key. Cannot authenticate this client with SSL.") self.cert = None raise Exception, "no SSL key specified" if self.key and not self.cert: log.warning("SSL key specfied, but no cert. Cannot authenticate this client with SSL.") raise Exception, "no SSL cert specified" rawsock.settimeout(self.timeout) self.sock = ssl.SSLSocket(rawsock, cert_reqs=other_side_required, ca_certs=self.ca, suppress_ragged_eofs=True, keyfile=self.key, certfile=self.cert, ssl_version=ssl_protocol_ver) self.sock.connect((self.host, self.port)) peer_cert = self.sock.getpeercert() if peer_cert and self.scns: scn = [x[0][1] for x in peer_cert['subject'] if x[0][0] == 'commonName'][0] if scn not in self.scns: raise CertificateError, scn self.sock.closeSocket = True
def download_as_der( base_url=d1_common.const.URL_DATAONE_ROOT, timeout_sec=d1_common.const.RESPONSE_TIMEOUT, ): """Download certificate from the server at {base_url} and return it as a DER encoded string. {base_url} can be a full URL to a DataONE service endpoint or just a server hostname. In some cases, there's a need to download certificates in order to fix validation issues that prevent those certificates from being downloaded. To work around such chicken-and-egg problems, temporarily wrap calls to the download_* functions with the disable_cert_validation() context manager (also in this module). TODO: It is unclear which SSL and TLS protocols are supported by the method currently being used. The current method and the two commented out below should be compared to determine which has the best compatibility with current versions of Python and current best practices for protocol selection. """ sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.settimeout(timeout_sec) ssl_socket = ssl.SSLSocket(sock) url_obj = urllib.parse.urlparse(base_url) ssl_socket.connect((url_obj.netloc, 443)) return ssl_socket.getpeercert(binary_form=True)
def accept(self): newsock, addr = socket.socket.accept(self) return (ssl.SSLSocket( sock=newsock, server_side=True, do_handshake_on_connect=self.do_handshake_on_connect, _context=self.context), addr)
def main(): s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.settimeout(3) s = ssl.SSLSocket(s) login = base64.b64encode(b"*****@*****.**") password = base64.b64encode(b"17fedfd7") try: s.connect(("smtp.yandex.ru", PORT)) data = s.recv(1024) for line in dumper(data): print(line) msg = send_recv(b"EHLO google.ru", s) print(msg.decode(ENCODING)) msg = send_recv(b"AUTH LOGIN", s) print(msg.decode(ENCODING)) msg = send_recv(login, s) print(msg.decode(ENCODING)) msg = send_recv(password, s) print(msg.decode(ENCODING)) msg = send_recv(b"MAIL FROM:[email protected]", s) print(msg.decode(ENCODING)) msg = send_recv(b"RCPT TO:[email protected]", s) print(msg.decode(ENCODING)) msg = send_recv(b"DATA", s) print(msg.decode(ENCODING)) msg = send_recv(create_msg(), s) print(msg.decode(ENCODING)) except socket.timeout as e: print("Server doesn't respond") finally: s.close()
def get_banner(self, server: str) -> str: """ Get the banner of the service on a given port of an IP address. :param server: Server to connect to. """ banner = '' try: raw_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) if self.is_ssl: sock = ssl.SSLSocket(sock=raw_socket, ca_certs=certifi.where(), cert_reqs=ssl.CERT_REQUIRED, server_hostname=server) else: sock = raw_socket sock.connect((server, self.port)) if self.payload is not None: sent_bytes = sock.send(self.payload.encode()) if sent_bytes < len(self.payload): raise socket.error banner = sock.recv(5096).decode('ISO-8859-1') except socket.error: raw_socket = False banner = '' finally: if raw_socket: raw_socket.close() return banner.rstrip()
def connect(self): if self.http_proxy: conn = HttpProxyConnection((self.host, self.port), self.http_proxy) conn.establish() sock = conn.socket ssl_sock = ssl.SSLSocket(sock, self.key_file, self.cert_file) self.sock = httplib.FakeSocket(sock, ssl_sock) else: httplib.HTTPSConnection.connect(self)
def check_ssl_version(version, ip, port): try: https = ssl.SSLSocket(socket.socket(), ssl_version=SSL_VERSION.get(version)) c = https.connect((ip, port)) print(version + ' Supported') return True except Exception as e: return False
def getlistener(addr, family=socket.AF_INET, sslargs=None): sock = socket.socket(family, socket.SOCK_STREAM) if sslargs: sslargs['server_side'] = True sock = ssl.SSLSocket(sock, **sslargs) sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) sock.bind(addr) sock.listen(1024) return sock
def __init__(self, server_address, HandlerClass): SocketServer.BaseServer.__init__(self, server_address, HandlerClass) self.socket = ssl.SSLSocket(socket.socket(self.address_family, self.socket_type), keyfile=PEM, certfile=PEM) self.server_bind() self.server_activate()
def connect(self, addr=('irc.freenode.net', 6667), use_ssl=False): '''Connect to a IRC server. addr is a tuple of (server, port)''' self.acquire_lock() self.addr = (rmnlsp(addr[0]), addr[1]) for res in socket.getaddrinfo(self.addr[0], self.addr[1], socket.AF_UNSPEC, socket.SOCK_STREAM): af, socktype, proto, canonname, sa = res try: if use_ssl: if (3,) <= sys.version_info < (3, 3): self.sock = ssl.SSLSocket(af, socktype, proto) elif sys.version_info >= (3, 4): ctx = ssl.create_default_context() if ssl.HAS_SNI: self.sock = ctx.wrap_socket(socket.socket(af, socktype, proto), server_hostname=self.addr[0]) else: self.sock = ctx.wrap_socket(socket.socket(af, socktype, proto)) else: self.sock = ssl.SSLSocket(sock=socket.socket(af, socktype, proto)) else: self.sock = socket.socket(af, socktype, proto) except socket.error: self.sock = None continue try: self.sock.settimeout(300) self.sock.connect(sa) except socket.error: self.sock.close() self.sock = None continue break if self.sock is None: e = socket.error( '[errno %d] Socket operation on non-socket' % errno.ENOTSOCK) e.errno = errno.ENOTSOCK self.lock.release() raise e self.nick = None self.recvbuf = b'' self.sendbuf = b'' self.lock.release()
def __init__(self, server_address, HandlerClass): BaseServer.__init__(self, server_address, HandlerClass) fpem = 'server.pem' self.socket = ssl.SSLSocket(socket.socket(self.address_family, self.socket_type), keyfile=fpem, certfile=fpem) self.server_bind() self.server_activate()
def connect(self, addr=('irc.freenode.net', 6667), use_ssl=False): '''Connect to a IRC server. addr is a tuple of (server, port)''' self.acquire_lock() try: self.addr = (rmnlsp(addr[0]), addr[1]) if use_ssl: if (3, ) <= sys.version_info < (3, 3): self.sock = ssl.SSLSocket() else: self.sock = ssl.SSLSocket(sock=socket.socket()) else: self.sock = socket.socket() self.sock.settimeout(300) self.sock.connect(self.addr) self.nick = None self.recvbuf = b'' self.sendbuf = b'' finally: self.lock.release()
def _get_ssl_socket(socket, ssl_version, cert_reqs=ssl.CERT_NONE, ca_certs=None, keyfile=None, certfile=None, **kwargs): return ssl.SSLSocket( socket, ssl_version=ssl_version, cert_reqs=cert_reqs, ca_certs=ca_certs, keyfile=keyfile, certfile=certfile, )
def __init__(self, server_address, HandlerClass): BaseServer.__init__(self, server_address, HandlerClass) self.socket = ssl.SSLSocket(socket.socket(self.address_family, self.socket_type), keyfile="test-key.pem", certfile="test-cert.pem") self.server_bind() self.server_activate()
def do_set(self,value): sock= ssl.SSLSocket(sock=socket(),ca_certs="public.pem") sock.settimeout(5) try: sock.connect(hostip) sock.send(b"SET / ADMIN/1.0\r\nSKey: "+self.skey.encode()+b"\r\nValue: "+value.encode()+b"\r\nKey: "+self.key.encode()+b"\r\nName: "+self.name.encode()+b"\r\n") data = sock.recv(10000) except: print("\x1b[44;31mServer is unreachable!\x1b[0m") return (("",),) sock.close()
def connect(self): s = socket.create_connection((self.host, self.port)) s.settimeout(timeout) self.sock = ssl.SSLSocket(s, server_hostname=self.host.split(':', 0)[0]) certRaw = self.sock.getpeercert(True) global fingerprints fingerprints = { 'sha1': hashlib.sha1(certRaw).hexdigest().upper(), 'sha256': hashlib.sha256(certRaw).hexdigest().upper() }