def tryProtocolCombo(server_protocol, client_protocol, expectedToWork, certsreqs=None):
if certsreqs is None:
certsreqs = ssl.CERT_NONE
if certsreqs == ssl.CERT_NONE:
certtype = "CERT_NONE"
elif certsreqs == ssl.CERT_OPTIONAL:
certtype = "CERT_OPTIONAL"
elif certsreqs == ssl.CERT_REQUIRED:
certtype = "CERT_REQUIRED"
if test_support.verbose:
formatstr = (expectedToWork and " %s->%s %s\n") or " {%s->%s} %s\n"
sys.stdout.write(
formatstr % (ssl.get_protocol_name(client_protocol), ssl.get_protocol_name(server_protocol), certtype)
)
try:
serverParamsTest(CERTFILE, server_protocol, certsreqs, CERTFILE, CERTFILE, client_protocol, chatty=False)
except test_support.TestFailed:
if expectedToWork:
raise
else:
if not expectedToWork:
raise test_support.TestFailed(
"Client protocol %s succeeded with server protocol %s!"
% (ssl.get_protocol_name(client_protocol), ssl.get_protocol_name(server_protocol))
)
def try_protocol_combo(server_protocol, client_protocol, expect_success, certsreqs=None):
if certsreqs is None:
certsreqs = ssl.CERT_NONE
certtype = {ssl.CERT_NONE: "CERT_NONE", ssl.CERT_OPTIONAL: "CERT_OPTIONAL", ssl.CERT_REQUIRED: "CERT_REQUIRED"}[
certsreqs
]
if test_support.verbose:
formatstr = (expect_success and " %s->%s %s\n") or " {%s->%s} %s\n"
sys.stdout.write(
formatstr % (ssl.get_protocol_name(client_protocol), ssl.get_protocol_name(server_protocol), certtype)
)
try:
server_params_test(CERTFILE, server_protocol, certsreqs, CERTFILE, CERTFILE, client_protocol, chatty=False)
# Protocol mismatch can result in either an SSLError, or a
# "Connection reset by peer" error.
except ssl.SSLError:
if expect_success:
raise
except socket.error as e:
if expect_success or e.errno != errno.ECONNRESET:
raise
else:
if not expect_success:
raise AssertionError(
"Client protocol %s succeeded with server protocol %s!"
% (ssl.get_protocol_name(client_protocol), ssl.get_protocol_name(server_protocol))
)
def tryProtocolCombo (server_protocol,
client_protocol,
expectedToWork,
certsreqs=None):
if certsreqs is None:
certsreqs = ssl.CERT_NONE
if certsreqs == ssl.CERT_NONE:
certtype = "CERT_NONE"
elif certsreqs == ssl.CERT_OPTIONAL:
certtype = "CERT_OPTIONAL"
elif certsreqs == ssl.CERT_REQUIRED:
certtype = "CERT_REQUIRED"
if support.verbose:
formatstr = (expectedToWork and " %s->%s %s\n") or " {%s->%s} %s\n"
sys.stdout.write(formatstr %
(ssl.get_protocol_name(client_protocol),
ssl.get_protocol_name(server_protocol),
certtype))
try:
serverParamsTest(CERTFILE, server_protocol, certsreqs,
CERTFILE, CERTFILE, client_protocol,
chatty=False, connectionchatty=False)
except support.TestFailed:
if expectedToWork:
raise
else:
if not expectedToWork:
raise support.TestFailed(
"Client protocol %s succeeded with server protocol %s!"
% (ssl.get_protocol_name(client_protocol),
ssl.get_protocol_name(server_protocol)))
def accept(self):
'''
modified ssl.SSLSocket.accept() of ssl.py.
'''
#import pdb; pdb.set_trace()
newsock, addr = socket.accept(self)
self.logger.debug("Connection from {}".format(addr))
self.logger.debug("begin SSL handshake")
newsock = self.context.wrap_socket(
newsock,
do_handshake_on_connect=self.do_handshake_on_connect,
suppress_ragged_eofs=self.suppress_ragged_eofs,
server_side=True)
self.logger.debug("end SSL handshake: ssl_ver={}({})".format(
ssl.get_protocol_name(self.ssl_version), self.ssl_version))
'''
if not server_side:
print(self.getpeercert())
print(self.context.get_ca_certs())
#print(self.context.check_hostname)
#print(type(self.cipher()))
#print(type(self.shared_ciphers()))
#print(type(self.compression()))
#print(self.context.session_stats())
'''
return newsock, addr
def handle_failed_ssl_handshake(self):
# TLS/SSL handshake failure, probably client's fault which
# used a SSL version different from server's.
# We can't rely on the control connection anymore so we just
# disconnect the client without sending any response.
ssl_version = ssl.get_protocol_name(self.socket.ssl_version)
self.log("%s handshake failed." % ssl_version)
self.close()
def handle_failed_ssl_handshake(self):
# TLS/SSL handshake failure, probably client's fault which
# used a SSL version different from server's.
# RFC-4217, chapter 10.2 expects us to return 522 over the
# command channel.
proto = ssl.get_protocol_name(self.socket.ssl_version)
self.cmd_channel.respond("522 %s handshake failed." % proto)
self.close()
def handle_failed_ssl_handshake(self):
# TLS/SSL handshake failure, probably client's fault which
# used a SSL version different from server's.
# We can't rely on the control connection anymore so we just
# disconnect the client without sending any response.
ssl_version = ssl.get_protocol_name(self.socket.ssl_version)
self.log("%s handshake failed." % ssl_version)
self.close()
def handle_failed_ssl_handshake(self):
# TLS/SSL handshake failure, probably client's fault which
# used a SSL version different from server's.
# RFC-4217, chapter 10.2 expects us to return 522 over the
# command channel.
proto = ssl.get_protocol_name(self.socket.ssl_version)
self.cmd_channel.respond("522 %s handshake failed." % proto)
self.close()
def _conn_request(self, conn, request_uri, method, body, headers):
try:
if DEBUG:
print("Connecting to https://%s:%s%s using protocol %s" % (
conn.host, conn.port, request_uri, ssl.get_protocol_name(self.ssl_version)))
##if False and DEBUG and self.ssl_version != ssl.PROTOCOL_TLSv1:
## raise ssl.SSLError
return httplib2.Http._conn_request(self, conn, request_uri, method, body, headers)
except Exception as e:
# fallback to previous protocols
if hasattr(ssl, "PROTOCOL_TLSv1_2") and self.ssl_version == ssl.PROTOCOL_TLSv1_2:
new_ssl_version = ssl.PROTOCOL_TLSv1
##elif self.ssl_version == ssl.PROTOCOL_TLSv1:
## new_ssl_version = ssl.PROTOCOL_SSLv3
##elif self.ssl_version == ssl.PROTOCOL_SSLv3:
## new_ssl_version = ssl.PROTOCOL_SSLv23
else:
raise
if DEBUG:
warnings.warn("Protocol %s failed: %s; downgrading to %s" %
(ssl.get_protocol_name(self.ssl_version), e,
ssl.get_protocol_name(new_ssl_version)))
self.ssl_version = new_ssl_version
return Httplib2Transport._conn_request(self, conn, request_uri, method, body, headers)
def get_ssl_version_name(ssl_version):
if ssl_version is None:
# create_default_context added after the OpenSSL bugfix in
# Python 2.7.9 etc. It's the best way to get the default SSL
# protocol from Python ... otherwise, we just assume it's the
# old default of PROTOCOL_SSLv23.
if hasattr(ssl, 'create_default_context'):
context = ssl.create_default_context()
ssl_version = context.protocol
else:
ssl_version = ssl.PROTOCOL_TLSv1
# get_protocol_name is an undocumented method
if hasattr(ssl, 'get_protocol_name'):
return ssl.get_protocol_name(ssl_version)
else:
# Not all versions of Python support all protocols,
# so we have to only accept those that are present.
for protocol in ['SSLv2', 'SSLv23', 'SSLv3', 'TLSv1', 'TLSv1_1',
'TLSv1_2']:
value = getattr(ssl, 'PROTOCOL_' + protocol, None)
if ssl_version == value:
return protocol
return '<unknown>'
def run_server(args):
'Load app in a standalone Gunicorn container'
# XXX
from flask.logging import default_handler
app.logger.removeHandler(default_handler)
# Flask has default stream logging configuration in debug mode, so set
# log parameters here only for production mode
app_formatter = app.config['LOG_FORMATTER']
if not app.debug:
stream_handler = logging.StreamHandler()
stream_handler.setLevel((args.loglevel
or app.config.get('LOGLEVEL')).upper())
stream_handler.setFormatter(app_formatter)
app.logger.addHandler(stream_handler)
app.logger.setLevel((args.loglevel
or app.config.get('LOGLEVEL')).upper())
# Logging to the application logfile occurs regardless of debug mode
if app.config.get('LOGFILE'):
file_handler = logging.FileHandler(app.config['LOGFILE'])
file_handler.setLevel((args.loglevel
or app.config.get('LOGLEVEL')).upper())
file_handler.setFormatter(app_formatter)
app.logger.addHandler(file_handler)
app.logger.setLevel((args.loglevel
or app.config.get('LOGLEVEL')).upper())
# Gunicorn options
# Logging options: these settings apply to Gunicorn and not the application.
# The server's access logs are always written to the app instance's
# access logs and not sent to stdout. Error/etc. logs are always sent
# to stdout.
# Workers option: allow the number of workers to scale based on available
# CPU count, but no more than a conservative MAX_WORKERS
options = {
'bind':
'%s:%s' % (args.listen_address or app.config['LISTEN_ADDRESS'],
args.listen_port or app.config['LISTEN_PORT']),
'workers':
CPU_WORKERS if CPU_WORKERS < MAX_WORKERS else MAX_WORKERS,
'proc_name':
'ampt-manager',
'certfile':
app.config['SERVER_CERTIFICATE'],
'keyfile':
app.config['SERVER_PRIVATE_KEY'],
'ssl_version':
ssl.PROTOCOL_TLSv1_2,
'accesslog':
app.config.get('ACCESS_LOGFILE') or '-',
'errorlog':
'-',
'loglevel':
args.loglevel or app.config['LOGLEVEL'],
}
sa = StandaloneApplication(app, options)
ver_dep_msg = ('running on Python %s using Flask %s')
py_version = '.'.join([str(x) for x in sys.version_info[:3]])
crypto_msg = ('configuring server for TLS using %s and cipher set %s (%s)')
ssl_version = ssl.get_protocol_name(sa.cfg.ssl_options.get('ssl_version'))
ciphers = sa.cfg.ssl_options.get('ciphers')
app.logger.info('starting %s', get_version())
app.logger.debug(ver_dep_msg, py_version, flask_version)
app.logger.info(crypto_msg, ssl_version, ciphers, ssl.OPENSSL_VERSION)
sa.run()
def update_event(self, inp=-1):
self.set_output_val(0, ssl.get_protocol_name(self.input(0)))
