def ssl_wrap_socket( sock, keyfile=None, certfile=None, cert_reqs=None, ca_certs=None, server_hostname=None, ssl_version=None ): """ All arguments except `server_hostname` have the same meaning as for :func:`ssl.wrap_socket` :param server_hostname: Hostname of the expected certificate """ context = SSLContext(ssl_version) context.verify_mode = cert_reqs if ca_certs: try: context.load_verify_locations(ca_certs) # Py32 raises IOError # Py33 raises FileNotFoundError except Exception: # Reraise as SSLError e = sys.exc_info()[1] raise SSLError(e) if certfile: # FIXME: This block needs a test. context.load_cert_chain(certfile, keyfile) if HAS_SNI: # Platform-specific: OpenSSL with enabled SNI return context.wrap_socket(sock, server_hostname=server_hostname) return context.wrap_socket(sock)
def ssl_wrap_socket(sock, keyfile=None, certfile=None, cert_reqs=None, ca_certs=None, server_hostname=None, ssl_version=None): """ All arguments except `server_hostname` have the same meaning as for :func:`ssl.wrap_socket` :param server_hostname: Hostname of the expected certificate """ context = SSLContext(ssl_version) context.verify_mode = cert_reqs # Disable TLS compression to migitate CRIME attack (issue #309) OP_NO_COMPRESSION = 0x20000 context.options |= OP_NO_COMPRESSION if ca_certs: try: context.load_verify_locations(ca_certs) # Py32 raises IOError # Py33 raises FileNotFoundError except Exception as e: # Reraise as SSLError raise SSLError(e) if certfile: # FIXME: This block needs a test. context.load_cert_chain(certfile, keyfile) if HAS_SNI: # Platform-specific: OpenSSL with enabled SNI return context.wrap_socket(sock, server_hostname=server_hostname) return context.wrap_socket(sock)
def ssl_wrap_socket(sock, keyfile=None, certfile=None, cert_reqs=None, ca_certs=None, server_hostname=None, ssl_version=None): context = SSLContext(ssl_version) context.verify_mode = cert_reqs if ca_certs: try: context.load_verify_locations(ca_certs) print('------') except Exception as e: raise SSLError(e) else: context.load_default_certs(purpose=Purpose.SERVER_AUTH) if certfile: context.load_cert_chain(certfile, keyfile) if HAS_SNI: # server name indication enabled by OpenSSL return context.wrap_socket(sock, server_hostname=server_hostname) return context.wrap_socket(sock)
def ssl_wrap_socket(sock, keyfile=None, certfile=None, cert_reqs=CERT_NONE, ca_certs=None, server_hostname=None, ssl_version=PROTOCOL_SSLv23): """ All arguments except `server_hostname` have the same meaning as for :func:`ssl.wrap_socket` :param server_hostname: Hostname of the expected certificate """ context = SSLContext(ssl_version) context.verify_mode = cert_reqs if ca_certs: try: context.load_verify_locations(ca_certs) except TypeError as e: # Reraise as SSLError # fixme: This block needs a test. raise SSLError(e) if certfile: # fixme: This block needs a test. context.load_cert_chain(certfile, keyfile) if HAS_SNI: # Platform-specific: OpenSSL with enabled SNI return context.wrap_socket(sock, server_hostname=server_hostname) return context.wrap_socket(sock)
def ssl_wrap_socket(sock, keyfile=None, certfile=None, cert_reqs=None, ca_certs=None, server_hostname=None, ssl_version=None): """ All arguments except `server_hostname` have the same meaning as for :func:`ssl.wrap_socket` :param server_hostname: Hostname of the expected certificate """ context = SSLContext(ssl_version) context.verify_mode = cert_reqs if ca_certs: try: context.load_verify_locations(ca_certs) # Py32 raises IOError # Py33 raises FileNotFoundError except Exception as e: # Reraise as SSLError raise SSLError(e) if certfile: # FIXME: This block needs a test. context.load_cert_chain(certfile, keyfile) if HAS_SNI: # Platform-specific: OpenSSL with enabled SNI return context.wrap_socket(sock, server_hostname=server_hostname) return context.wrap_socket(sock)
def ssl_wrap_socket(sock, keyfile=None, certfile=None, cert_reqs=None, ca_certs=None, server_hostname=None, ssl_version=None): """ All arguments except `server_hostname` have the same meaning as for :func:`ssl.wrap_socket` :param server_hostname: Hostname of the expected certificate """ context = SSLContext(ssl_version) context.verify_mode = cert_reqs OP_NO_COMPRESSION = 131072 context.options |= OP_NO_COMPRESSION if ca_certs: try: context.load_verify_locations(ca_certs) except Exception as e: raise SSLError(e) if certfile: context.load_cert_chain(certfile, keyfile) if HAS_SNI: return context.wrap_socket(sock, server_hostname=server_hostname) return context.wrap_socket(sock)
def sslify_socket(sock: socket.socket, ssl_context: ssl.SSLContext, server_side: bool = False, server_hostname: str = None) -> ssl.SSLSocket: """ Wraps the socket creating an ssl.SSLSocket for client or server side """ ssock = sock if ssl_context: if server_side: log.d("Wrapping a server_side socket") ssock = ssl_context.wrap_socket(sock, server_side=server_side) elif server_hostname: log.d(f"Wrapping a client_side socket - server hostname = {server_hostname}") ssock = ssl_context.wrap_socket(sock, server_hostname=server_hostname) else: log.w("Wrapping a socket without knowning whether is a client or a server side") ssock = ssl_context.wrap_socket(sock) return ssock
async def test_receive_send_after_eof( self, server_context: ssl.SSLContext, client_context: ssl.SSLContext) -> None: def serve_sync() -> None: conn, addr = server_sock.accept() conn.sendall(b"hello") conn.unwrap() conn.close() server_sock = server_context.wrap_socket(socket.socket(), server_side=True, suppress_ragged_eofs=False) server_sock.settimeout(1) server_sock.bind(("127.0.0.1", 0)) server_sock.listen() server_thread = Thread(target=serve_sync, daemon=True) server_thread.start() stream = await connect_tcp(*server_sock.getsockname()) async with await TLSStream.wrap(stream, hostname="localhost", ssl_context=client_context) as wrapper: assert await wrapper.receive() == b"hello" with pytest.raises(EndOfStream): await wrapper.receive() server_thread.join() server_sock.close()
async def test_send_receive(self, server_context: ssl.SSLContext, client_context: ssl.SSLContext) -> None: def serve_sync() -> None: conn, addr = server_sock.accept() conn.settimeout(1) data = conn.recv(10) conn.send(data[::-1]) conn.close() server_sock = server_context.wrap_socket(socket.socket(), server_side=True, suppress_ragged_eofs=False) server_sock.settimeout(1) server_sock.bind(("127.0.0.1", 0)) server_sock.listen() server_thread = Thread(target=serve_sync) server_thread.start() async with await connect_tcp(*server_sock.getsockname()) as stream: wrapper = await TLSStream.wrap(stream, hostname="localhost", ssl_context=client_context) await wrapper.send(b"hello") response = await wrapper.receive() server_thread.join() server_sock.close() assert response == b"olleh"
async def test_alpn_negotiation(self, server_context: ssl.SSLContext, client_context: ssl.SSLContext) -> None: def serve_sync() -> None: conn, addr = server_sock.accept() conn.settimeout(1) selected_alpn_protocol = conn.selected_alpn_protocol() assert selected_alpn_protocol is not None conn.send(selected_alpn_protocol.encode()) conn.close() server_context.set_alpn_protocols(["dummy1", "dummy2"]) client_context.set_alpn_protocols(["dummy2", "dummy3"]) server_sock = server_context.wrap_socket(socket.socket(), server_side=True, suppress_ragged_eofs=False) server_sock.settimeout(1) server_sock.bind(("127.0.0.1", 0)) server_sock.listen() server_thread = Thread(target=serve_sync) server_thread.start() async with await connect_tcp(*server_sock.getsockname()) as stream: wrapper = await TLSStream.wrap(stream, hostname="localhost", ssl_context=client_context) assert wrapper.extra(TLSAttribute.alpn_protocol) == "dummy2" server_alpn_protocol = await wrapper.receive() server_thread.join() server_sock.close() assert server_alpn_protocol == b"dummy2"
async def test_unwrap(self, server_context: ssl.SSLContext, client_context: ssl.SSLContext) -> None: def serve_sync() -> None: conn, addr = server_sock.accept() conn.settimeout(1) conn.send(b"encrypted") unencrypted = conn.unwrap() unencrypted.send(b"unencrypted") unencrypted.close() server_sock = server_context.wrap_socket(socket.socket(), server_side=True, suppress_ragged_eofs=False) server_sock.settimeout(1) server_sock.bind(("127.0.0.1", 0)) server_sock.listen() server_thread = Thread(target=serve_sync) server_thread.start() async with await connect_tcp(*server_sock.getsockname()) as stream: wrapper = await TLSStream.wrap(stream, hostname="localhost", ssl_context=client_context) msg1 = await wrapper.receive() unwrapped_stream, msg2 = await wrapper.unwrap() if msg2 != b"unencrypted": msg2 += await unwrapped_stream.receive() server_thread.join() server_sock.close() assert msg1 == b"encrypted" assert msg2 == b"unencrypted"
def wrap(client, _socket): """ Wrap socket in SSL wrapper. """ if client.init_kwargs.get('use_ssl', None): keyfile = client.init_kwargs.get('ssl_keyfile', None) certfile = client.init_kwargs.get('ssl_certfile', None) if keyfile and not certfile: raise ValueError("certfile must be specified") password = client.init_kwargs.get('ssl_keyfile_password', None) ssl_version = client.init_kwargs.get('ssl_version', SSL_DEFAULT_VERSION) ciphers = client.init_kwargs.get('ssl_ciphers', SSL_DEFAULT_CIPHERS) cert_reqs = client.init_kwargs.get('ssl_cert_reqs', ssl.CERT_NONE) ca_certs = client.init_kwargs.get('ssl_ca_certfile', None) context = SSLContext(ssl_version) context.verify_mode = cert_reqs if ca_certs: context.load_verify_locations(ca_certs) if certfile: context.load_cert_chain(certfile, keyfile, password) if ciphers: context.set_ciphers(ciphers) _socket = context.wrap_socket(sock=_socket) return _socket
def Manejador(ClienteSocket): ContextoSSL = SSLContext(protocol=ssl.PROTOCOL_SSLv23) sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) socketSeguro = ContextoSSL.wrap_socket(sock, server_hostname=SNI) socketSeguro.connect((HOST, PORT)) socketSeguro.do_handshake() der = socketSeguro.getpeercert(binary_form=True) pem_data = ssl.DER_cert_to_PEM_cert(der) print "Algoritmo de cifrado " + socketSeguro.cipher()[0] try: while True: socketPaleer = [ClienteSocket, socketSeguro] socketSel, _, _ = select.select(socketPaleer, [], []) if not socketSel: socketSeguro.close() ClienteSocket.close() print "TERMINO AL CONEXION" break for s in socketSel: if s is socketSeguro: data = s.recv(BUFSERVERLEN) ClienteSocket.send(data) else: data = s.recv(BUFCLIENTLEN) socketSeguro.send(data) except: ClienteSocket.close() socketSeguro.close() print "encontre un error"
def run_simple_https_server(ssl_context: ssl.SSLContext): server = HTTPServer(('127.0.0.1', 8080), HTTPRequestHandlerForTest) server.socket = ssl_context.wrap_socket(server.socket, server_side=True) server.serve_forever()
def _assert_good_server(self, ssl_context: ssl.SSLContext = None): # Note: all those time.sleep()s are necessary # Remember that we're running in "Threaded" mode, and there's the GIL... # The time.sleep()s lets go of the GIL allowing the asyncio loop to move # forward assert self.sockfile.exists() with ExitStack() as stk: sock: socket.socket = stk.enter_context( socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)) sock.connect(str(self.sockfile)) if ssl_context: sock = stk.enter_context(ssl_context.wrap_socket(sock)) time.sleep(0.1) resp = sock.recv(1024) assert resp.startswith(b"220 ") assert resp.endswith(b"\r\n") sock.send(b"EHLO socket.test\r\n") # We need to "build" resparr because, especially when socket is wrapped # in SSL, the SMTP server takes it sweet time responding with the list # of ESMTP features ... resparr = bytearray() while not resparr.endswith(b"250 HELP\r\n"): time.sleep(0.1) resp = sock.recv(1024) if not resp: break resparr += resp assert resparr.endswith(b"250 HELP\r\n") sock.send(b"QUIT\r\n") time.sleep(0.1) resp = sock.recv(1024) assert resp.startswith(b"221")
def _check_protocols(self, protocols: List) -> int: exit_code = 0 for protocol in protocols: print("\n-------\nProtocol: {}\nShould be active: {}".format( protocol.protocol, protocol.is_allowed())) try: with create_connection((self.domain, 443)) as sock: ctx = SSLContext(protocol.get_ssl_attribute()) for opposite in protocol \ .get_opposite_ssl_as_op_no(_configurations): ctx.options |= opposite with ctx.wrap_socket(sock, server_hostname=self.domain) \ as context_sock: print("Connected with: {}".format( context_sock.version())) print("Using cipher: {}".format(context_sock.cipher())) failed = False except gaierror: print("{} is not valid".format(self.domain)) return 1 except (ValueError, SSLError): failed = True if (failed and protocol.is_allowed()) or \ (not failed and not protocol.is_allowed()): print("\033[91m\tWrong configuration\033[0m") exit_code = 1 print("\nTest on {} \033[91mfailed\033[0m".format(self.domain) if exit_code == 1 else "\033[94mpassed\033[0m") if self.slide and exit_code: print("But we'll let it slide for now" "(you are testing an appspot domain)") return exit_code if not self.slide else 0
def ssl_wrap_socket(sock, keyfile = None, certfile = None, cert_reqs = None, ca_certs = None, server_hostname = None, ssl_version = None): context = SSLContext(ssl_version) context.verify_mode = cert_reqs OP_NO_COMPRESSION = 131072 context.options |= OP_NO_COMPRESSION if ca_certs: try: context.load_verify_locations(ca_certs) except Exception as e: raise SSLError(e) if certfile: context.load_cert_chain(certfile, keyfile) if HAS_SNI: return context.wrap_socket(sock, server_hostname=server_hostname) return context.wrap_socket(sock)
async def start_tls( self, hostname: bytes, ssl_context: SSLContext, timeout: TimeoutDict ) -> "AsyncSocketStream": connect_timeout = convert_timeout(timeout.get("connect")) exc_map = { curio.TaskTimeout: ConnectTimeout, curio.CurioError: ConnectError, OSError: ConnectError, } with map_exceptions(exc_map): wrapped_sock = curio.io.Socket( ssl_context.wrap_socket( self.socket._socket, do_handshake_on_connect=False, server_hostname=hostname.decode("ascii"), ) ) await curio.timeout_after( connect_timeout, wrapped_sock.do_handshake(), ) return SocketStream(wrapped_sock)
def secure(self, verify=True, hostname=None): """ Apply a layer of security onto this connection. """ from ssl import SSLContext, SSLError try: # noinspection PyUnresolvedReferences from ssl import PROTOCOL_TLS except ImportError: from ssl import PROTOCOL_SSLv23 context = SSLContext(PROTOCOL_SSLv23) else: context = SSLContext(PROTOCOL_TLS) if verify: from ssl import CERT_REQUIRED context.verify_mode = CERT_REQUIRED context.check_hostname = bool(hostname) else: from ssl import CERT_NONE context.verify_mode = CERT_NONE context.load_default_certs() try: self.__socket = context.wrap_socket(self.__socket, server_hostname=hostname) except (IOError, OSError) as error: # TODO: add connection failure/diagnostic callback if error.errno == 0: raise BrokenWireError( "Peer closed connection during TLS handshake; " "server may not be configured for secure connections") else: raise WireError( "Unable to establish secure connection with remote peer") else: self.__active_time = monotonic()
def _wrap_socket(self, sock: socket.socket, context: ssl.SSLContext) -> ssl.SSLSocket: ssock = context.wrap_socket(sock, server_side=False, do_handshake_on_connect=False, server_hostname=self.host) try: self.log.info("Start SSL handshake") timer = start_timer() ssock.do_handshake() self.results['ssl.handshake.time.perf'], self.results[ 'ssl.handshake.time.process'] = stop_timer(*timer) self._update_results(context, ssock, True) self.log.info("SSL handshake successfull") return ssock except ssl.SSLError as e: self._update_results(context, ssock, False) self.log.error(f"SSL handshake failed: {e.reason}", exc_info=False) return None
def main(port=None): # load db db = pickle.loads(Path('users.pickle').read_bytes()) # read user id splash_screen() print('Assume the role of a card reader, and type the card id, will you?') userid = sys.stdin.readline()[:-1].encode() # read card pin print('\nGood, good... Now punch in the pin:') pin = sys.stdin.readline()[:-1].encode() # fetch secret _, _, _, pin_salt = db[userid] pin = hash_pin(pin, pin_salt) # start server ctx = SSLContext(PROTOCOL_TLSv1_2) ctx.load_verify_locations('cert.pem') ok = 'ok' err = 'err' with socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0) as sock: with ctx.wrap_socket(sock, server_hostname='localhost') as c: print('\nDialing backend...') # connect c.connect(('localhost', port)) print('...All good!\n') # send user id and pin msg = pickle.dumps(dict(userid=userid, pin=pin)) c.sendall(msg) # check if ok msg = pickle.loads(c.recv(1024)) if not msg[ok]: print(f'Error: {msg[err]}') return # read 2fa token print('Punch in your 2fa token:') token = sys.stdin.readline()[:-1] # send token msg = pickle.dumps(dict(token=token)) c.sendall(msg) # check if ok msg = pickle.loads(c.recv(1024)) if not msg[ok]: print(f'Error: {msg[err]}') return print(f'\n\nAutheticated as: {str(userid, "utf8")}') print('Alright, time to order some Uber Eats(tm)!')
def factory(uri, ssl=False, **init_args): from urllib.parse import urlparse, unquote, parse_qs o = urlparse(uri) srv = None if o.scheme == "irc" or o.scheme == "ircs": # https://www.w3.org/Addressing/draft-mirashi-url-irc-01.txt # https://www-archive.mozilla.org/projects/rt-messaging/chatzilla/irc-urls.html args = init_args if o.scheme == "ircs": ssl = True if o.hostname is not None: args["host"] = o.hostname if o.port is not None: args["port"] = o.port if o.username is not None: args["username"] = o.username if o.password is not None: args["password"] = o.password modifiers = o.path.split(",") target = unquote(modifiers.pop(0)[1:]) # Read query string params = parse_qs(o.query) if "msg" in params: if "on_connect" not in args: args["on_connect"] = [] args["on_connect"].append("PRIVMSG %s :%s" % (target, params["msg"])) if "key" in params: if "channels" not in args: args["channels"] = [] args["channels"].append((target, params["key"])) if "pass" in params: args["password"] = params["pass"] if "charset" in params: args["encoding"] = params["charset"] # if "channels" not in args and "isnick" not in modifiers: args["channels"] = [ target ] from nemubot.server.IRC import IRC as IRCServer srv = IRCServer(**args) if ssl: try: from ssl import create_default_context context = create_default_context() except ImportError: # Python 3.3 compat from ssl import SSLContext, PROTOCOL_TLSv1 context = SSLContext(PROTOCOL_TLSv1) from ssl import wrap_socket srv._fd = context.wrap_socket(srv._fd, server_hostname=o.hostname) return srv
def __init__(self, server_address, HandlerClass, dir): super().__init__(server_address, HandlerClass, bind_and_activate=False) ctx = SSLContext(PROTOCOL_TLSv1) ctx.load_cert_chain(join(dir, 'server-cert.pem'), join(dir, 'server-key.pem')) # ctx.load_verify_locations(join(dir, 'ca-cert.pem')) self.socket = ctx.wrap_socket(self.socket, server_side=True) self.server_bind() self.server_activate()
async def test_ragged_eofs( self, server_context: ssl.SSLContext, client_context: ssl.SSLContext, server_compatible: bool, client_compatible: bool, ) -> None: server_exc = None def serve_sync() -> None: nonlocal server_exc conn, addr = server_sock.accept() try: conn.settimeout(1) conn.sendall(b"hello") if server_compatible: conn.unwrap() except BaseException as exc: server_exc = exc finally: conn.close() client_cm: ContextManager = ExitStack() if client_compatible and not server_compatible: client_cm = pytest.raises(BrokenResourceError) server_sock = server_context.wrap_socket( socket.socket(), server_side=True, suppress_ragged_eofs=not server_compatible, ) server_sock.settimeout(1) server_sock.bind(("127.0.0.1", 0)) server_sock.listen() server_thread = Thread(target=serve_sync, daemon=True) server_thread.start() async with await connect_tcp(*server_sock.getsockname()) as stream: wrapper = await TLSStream.wrap( stream, hostname="localhost", ssl_context=client_context, standard_compatible=client_compatible, ) with client_cm: assert await wrapper.receive() == b"hello" await wrapper.aclose() server_thread.join() server_sock.close() if not client_compatible and server_compatible: assert isinstance(server_exc, OSError) assert not isinstance(server_exc, socket.timeout) else: assert server_exc is None
def load_TLS(self): context = SSLContext(PROTOCOL_TLS) context.minimum_version = TLSVersion.TLSv1_3 context.verify_mode = CERT_REQUIRED context.check_hostname = True if self.CA != 'default' and self.CA != '': context.load_verify_locations(self.CA) else: context.load_default_certs() self.server = create_connection((self.SERVER_HOST, self.SERVER_PORT)) self.server = context.wrap_socket(self.server, server_hostname=self.SERVER_HOST)
async def test_extra_attributes(self, server_context: ssl.SSLContext, client_context: ssl.SSLContext) -> None: def serve_sync() -> None: conn, addr = server_sock.accept() with conn: conn.settimeout(1) conn.recv(1) server_context.set_alpn_protocols(["h2"]) client_context.set_alpn_protocols(["h2"]) server_sock = server_context.wrap_socket(socket.socket(), server_side=True, suppress_ragged_eofs=True) server_sock.settimeout(1) server_sock.bind(("127.0.0.1", 0)) server_sock.listen() server_thread = Thread(target=serve_sync) server_thread.start() async with await connect_tcp(*server_sock.getsockname()) as stream: wrapper = await TLSStream.wrap( stream, hostname="localhost", ssl_context=client_context, standard_compatible=False, ) async with wrapper: for name, attribute in SocketAttribute.__dict__.items(): if not name.startswith("_"): assert wrapper.extra(attribute) == stream.extra( attribute) assert wrapper.extra(TLSAttribute.alpn_protocol) == "h2" assert isinstance( wrapper.extra(TLSAttribute.channel_binding_tls_unique), bytes) assert isinstance(wrapper.extra(TLSAttribute.cipher), tuple) assert isinstance(wrapper.extra(TLSAttribute.peer_certificate), dict) assert isinstance( wrapper.extra(TLSAttribute.peer_certificate_binary), bytes) assert wrapper.extra(TLSAttribute.server_side) is False assert isinstance(wrapper.extra(TLSAttribute.shared_ciphers), list) assert isinstance(wrapper.extra(TLSAttribute.ssl_object), ssl.SSLObject) assert wrapper.extra(TLSAttribute.standard_compatible) is False assert wrapper.extra( TLSAttribute.tls_version).startswith("TLSv") await wrapper.send(b"\x00") server_thread.join() server_sock.close()
def start_tls(self, hostname: bytes, ssl_context: SSLContext, timeout: TimeoutDict) -> "SyncSocketStream": connect_timeout = timeout.get("connect") exc_map = {socket.timeout: ConnectTimeout, socket.error: ConnectError} with map_exceptions(exc_map): self.sock.settimeout(connect_timeout) wrapped = ssl_context.wrap_socket( self.sock, server_hostname=hostname.decode("ascii")) return SyncSocketStream(wrapped)
def connect_server(): global client HOSTNAME = 'example.org' SERVER = "127.0.0.1" PORT = 3443 context = SSLContext(PROTOCOL_TLS_CLIENT) context.load_verify_locations('certificates/cert.pem') tls = create_connection((SERVER, PORT)) client = context.wrap_socket(tls, server_hostname=HOSTNAME) print("insert the input then press ENTER") print("press q + ENTER so exit") print() #sending the data to server
def ssl_wrap_socket(sock, keyfile=None, certfile=None, cert_reqs=None, ca_certs=None, server_hostname=None, ssl_version=None): context = SSLContext(ssl_version) context.verify_mode = cert_reqs if ca_certs: try: context.load_verify_locations(ca_certs) except Exception as e: raise SSLError(e) if certfile: context.load_cert_chain(certifile, keyfile) if HAS_SNI: return context.wrap_socket(sock, server_hostname=server_hostname) return context.wrap_socket(sock)
def ssl_wrap_socket(sock, keyfile=None, certfile=None, cert_reqs=None, ca_certs=None, server_hostname=None, ssl_version=None): context = SSLContext(ssl_version) context.verify_mode = cert_reqs if ca_certs: try: context.load_verify_locations(ca_certs) # Py32 raises IOError # Py33 raises FileNotFoundError except Exception as e: # Reraise as SSLError raise SSLError(e) if certfile: # FIXME: This block needs a test. context.load_cert_chain(certfile, keyfile) if HAS_SNI: # Platform-specific: OpenSSL with enabled SNI return (context, context.wrap_socket(sock, server_hostname=server_hostname)) return (context, context.wrap_socket(sock))
def ssl_wrap_socket(sock, keyfile=None, certfile=None, cert_reqs=CERT_NONE, ca_certs=None, server_hostname=None, ssl_version=PROTOCOL_SSLv23): """ All arguments except `server_hostname` have the same meaning as for :func:`ssl.wrap_socket` :param server_hostname: Hostname of the expected certificate """ context = SSLContext(ssl_version) context.verify_mode = cert_reqs if ca_certs: try: context.load_verify_locations(ca_certs) except TypeError as e: # Reraise as SSLError # FIXME: This block needs a test. raise SSLError(e) if certfile: # FIXME: This block needs a test. context.load_cert_chain(certfile, keyfile) if HAS_SNI: # Platform-specific: OpenSSL with enabled SNI return context.wrap_socket(sock, server_hostname=server_hostname) return context.wrap_socket(sock)
class secureStream(stream): def __init__(self): stream.createsocket(stream) self.contxt = SSLContext(PROTOCOL_TLSv1_2) self.contxt.verify_mode = CERT_REQUIRED self.contxt.load_default_certs() def connect(self,host,port): self.connection.settimeout(15) self.connection.connect((host,port)) self.connection = self.contxt.wrap_socket(self.connection)#stream.connection self.connection.settimeout(0) def twitchconnect(self): self.connect('api.twitch.tv',443) def receive(self,buffer=4096): try: data = self.connection.recv(buffer).decode() #print(data)#temporary except: return(None) else: return(data) def transmit(self,data): junk = self.receive() data = data.encode() try: self.connection.sendall(data) except ConnectionAbortedError: print('Break detected!') self.connection = None self.connection = socket(AF_INET,SOCK_STREAM) self.twitchconnect() self.connection.settimeout(0) except ConnectionResetError: print('Break detected!') self.connection = None self.connection = socket(AF_INET,SOCK_STREAM) self.twitchconnect() self.connection.settimeout(0) junk = None def close(self): self.connection.close()
def start_tls( self, ssl_context: ssl.SSLContext, server_hostname: str = None, timeout: float = None, ) -> NetworkStream: exc_map = {socket.timeout: ConnectTimeout, socket.error: ConnectError} with map_exceptions(exc_map): try: self._sock.settimeout(timeout) sock = ssl_context.wrap_socket(self._sock, server_hostname=server_hostname) except Exception as exc: # pragma: nocover self.close() raise exc return SyncStream(sock)
async def start_tls(self, context: ssl.SSLContext, server_hostname: Optional[str] = None, suppress_ragged_eofs: bool = False) -> None: plain_socket = self._raw_socket self._raw_socket = context.wrap_socket( self._raw_socket, server_side=not server_hostname, do_handshake_on_connect=False, server_hostname=server_hostname, suppress_ragged_eofs=suppress_ragged_eofs) while True: try: self._raw_socket.do_handshake() return except ssl.SSLWantReadError: await self._wait_readable() except ssl.SSLWantWriteError: await self._wait_writable() except BaseException: self._raw_socket = plain_socket raise
def secure(self, verify=True, hostname=None): """ Apply a layer of security onto this connection. """ from ssl import SSLContext, PROTOCOL_TLS, CERT_NONE, CERT_REQUIRED context = SSLContext(PROTOCOL_TLS) if verify: context.verify_mode = CERT_REQUIRED context.check_hostname = bool(hostname) else: context.verify_mode = CERT_NONE context.load_default_certs() try: self.__socket = context.wrap_socket(self.__socket, server_hostname=hostname) except (IOError, OSError): # TODO: add connection failure/diagnostic callback raise WireError( "Unable to establish secure connection with remote peer")
async def test_send_eof_not_implemented(self, server_context: ssl.SSLContext, ca: CA, force_tlsv12: bool) -> None: def serve_sync() -> None: conn, addr = server_sock.accept() conn.sendall(b"hello") conn.unwrap() conn.close() client_context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH) ca.configure_trust(client_context) if force_tlsv12: expected_pattern = r"send_eof\(\) requires at least TLSv1.3" if hasattr(ssl, "TLSVersion"): client_context.maximum_version = ssl.TLSVersion.TLSv1_2 else: # Python 3.6 client_context.options |= ssl.OP_NO_TLSv1_3 else: expected_pattern = ( r"send_eof\(\) has not yet been implemented for TLS streams") server_sock = server_context.wrap_socket(socket.socket(), server_side=True, suppress_ragged_eofs=False) server_sock.settimeout(1) server_sock.bind(("127.0.0.1", 0)) server_sock.listen() server_thread = Thread(target=serve_sync, daemon=True) server_thread.start() stream = await connect_tcp(*server_sock.getsockname()) async with await TLSStream.wrap(stream, hostname="localhost", ssl_context=client_context) as wrapper: assert await wrapper.receive() == b"hello" with pytest.raises(NotImplementedError) as exc: await wrapper.send_eof() exc.match(expected_pattern) server_thread.join() server_sock.close()
def main(port=None): ctx = SSLContext(PROTOCOL_TLSv1_2) ctx.load_cert_chain(certfile='cert.pem', keyfile='key.pem') with socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0) as listener: listener.bind(('127.0.0.1', port)) listener.listen(8) db = SharedState('users.pickle') while True: try: s, addr = listener.accept() addr = f'{addr[0]}:{addr[1]}' print(f'{addr} : connected') s = ctx.wrap_socket(s, server_side=True) SockHandler(s, addr, db).start() except KeyboardInterrupt: print('\n*Windows shutdown jingle*') break
def create_socket(ip: str, port: int, context: ssl.SSLContext = None, verify_hostname: bool = True, timeout: int = 10) -> ssl.SSLSocket: """ Creates a new SSL-wrapped socket. :param ip: The IP to connect to. :param port: The port to connect to. :param context: The SSL context to use, or None for a default one to be created. :param verify_hostname: Ignored :param timeout: The timeout for recv(). :return: A new SSLSocket. """ verify_hostname = current_app.conf["SERVER_LOGIN_ON_CLIENT_VERIFY"] s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.settimeout(timeout) if context: sock = context.wrap_socket(s) else: sock = ssl.wrap_socket(s, cert_reqs=ssl.CERT_REQUIRED if verify_hostname else ssl.CERT_NONE) sock.connect((ip, port)) return sock
class SMTPServer(smtpd.SMTPServer): def __init__(self, localaddr, remoteaddr, ssl=False, certfile=None, keyfile=None, ssl_version=ssl.PROTOCOL_SSLv23, require_authentication=False, credential_validator=None, maximum_execution_time=30, process_count=5): smtpd.SMTPServer.__init__(self, localaddr, remoteaddr) self.logger = logging.getLogger( secure_smtpd.LOG_NAME ) self.certfile = certfile self.keyfile = keyfile self.ssl_version = ssl_version self.subprocesses = [] self.require_authentication = require_authentication self.credential_validator = credential_validator self.ssl = ssl self.maximum_execution_time = maximum_execution_time self.process_count = process_count self.process_pool = None self.context = SSLContext(ssl_version) self.context.load_cert_chain(certfile=certfile, keyfile=keyfile) def handle_accept(self): self.process_pool = ProcessPool(self._accept_subprocess, process_count=self.process_count) self.close() def _accept_subprocess(self, queue): while True: try: self.socket.setblocking(1) pair = self.accept() map = {} if pair is not None: self.logger.info('_accept_subprocess(): smtp connection accepted within subprocess.') newsocket, fromaddr = pair newsocket.settimeout(self.maximum_execution_time) if self.ssl: newsocket = self.context.wrap_socket( newsocket, server_side=True, ) channel = SMTPChannel( self, newsocket, fromaddr, require_authentication=self.require_authentication, credential_validator=self.credential_validator, map=map ) self.logger.info('_accept_subprocess(): starting asyncore within subprocess.') asyncore.loop(map=map) self.logger.error('_accept_subprocess(): asyncore loop exited.') except (ExitNow, SSLError): self._shutdown_socket(newsocket) self.logger.info('_accept_subprocess(): smtp channel terminated asyncore.') except Exception as e: self._shutdown_socket(newsocket) self.logger.error('_accept_subprocess(): uncaught exception: %s' % str(e)) def _shutdown_socket(self, s): try: s.shutdown(socket.SHUT_RDWR) s.close() except Exception as e: self.logger.error('_shutdown_socket(): failed to cleanly shutdown socket: %s' % str(e)) def run(self): asyncore.loop() if hasattr(signal, 'SIGTERM'): def sig_handler(signal,frame): self.logger.info("Got signal %s, shutting down." % signal) sys.exit(0) signal.signal(signal.SIGTERM, sig_handler) while 1: time.sleep(1)
def secure_socket(s, host): ssl_context = SSLContext(PROTOCOL_SSLv23) ssl_context.options |= OP_NO_SSLv2 return ssl_context.wrap_socket(s, server_hostname=host if HAS_SNI else None)