def main(): parser = OptionParser(usage='%prog host filename [options]', description='A Simple https client used with tlslite-ng') parser.add_option("--port", dest="port", help="port", default = 4443, type="int", metavar="4443") parser.add_option("--algo", dest="algo", help="algo", default = "speck128") parser.add_option("--keyEx", dest="keyEx", help="Key Exchange", default="ecdhe_rsa") (options, arguments) = parser.parse_args() if len(arguments) < 1: parser.print_help() exit(1) host = arguments[0] if (len(arguments)==1): filename="index.html" else: filename = arguments[1] port = options.port algo = options.algo keyEx = options.keyEx settings.cipherNames = [algo] settings.keyExchangeNames = [keyEx] h = HTTPTLSConnection(host, port, settings=settings) h.request("GET", filename) r = h.getresponse() print(r.read())
def from_id(cls, video_id): try: connection = HTTPTLSConnection(google_domain, 443) connection.request('GET', url_fmt.format(id=video_id)) result = loads(connection.getresponse().read()) item = result['items'][0] except: return else: return cls(item)
def aq(self): try: qs = ','.join([v.id for v in self]) connection = HTTPTLSConnection('colons.co', 443, timeout=5) connection.request('GET', '/business-aq?videos={}'.format(qs)) connection.getresponse().read() except: pass
def _init_connection(self, pure_python_tls=False): try: if self._use_ssl: if not pure_python_tls: # If we do not have the SSL library, then we cannot do server certificate validation anyway. if __has_ssl__: ca_file = self._ca_file else: ca_file = None self.__connection = HTTPSConnectionWithTimeoutAndVerification( self._host, self._port, self._request_deadline, ca_file, __has_ssl__, ) self.__connection.connect() else: # Pure python implementation of TLS does not require ssl library settings = HandshakeSettings() settings.minVersion = (3, 3) # TLS 1.2 self.__connection = HTTPTLSConnection( self._host, self._port, timeout=self._request_deadline, settings=settings, ) self.__connection.connect() # Non-null _ca_file signifies server cert validation is requireds if self._ca_file: try: self._validate_chain_certvalidator(self.__connection) except Exception as e: log.exception("Failure in _validate_chain_certvalidator()") self._validate_chain_openssl() else: # unencrypted connection self.__connection = HTTPConnectionWithTimeout( self._host, self._port, self._request_deadline ) self.__connection.connect() except Exception as error: if hasattr(error, "errno"): errno = error.errno else: errno = None if isinstance(error, CertValidationError): log.error( 'Failed to connect to "%s" because of server certificate validation error: "%s"', self._full_address, error.message, error_code="client/connectionFailed", ) elif __has_ssl__ and isinstance(error, ssl.SSLError): log.error( 'Failed to connect to "%s" due to some SSL error. Possibly the configured certificate ' "for the root Certificate Authority could not be parsed, or we attempted to connect to " "a server whose certificate could not be trusted (if so, maybe Scalyr's SSL cert has " "changed and you should update your agent to get the new certificate). The returned " "errno was %d and the full exception was '%s'. Closing connection, will re-attempt", self._full_address, errno, str(error), error_code="client/connectionFailed", ) elif errno == 61: # Connection refused log.error( 'Failed to connect to "%s" because connection was refused. Server may be unavailable.', self._full_address, error_code="client/connectionFailed", ) elif errno == 8: # Unknown name log.error( 'Failed to connect to "%s" because could not resolve address. Server host may be bad.', self._full_address, error_code="client/connectionFailed", ) elif errno is not None: log.error( 'Failed to connect to "%s" due to errno=%d. Exception was "%s". Closing connection, ' "will re-attempt", self._full_address, errno, str(error), error_code="client/connectionFailed", ) else: log.error( 'Failed to connect to "%s" due to exception. Exception was "%s". Closing connection, ' "will re-attempt", self._full_address, str(error), error_code="client/connectionFailed", ) raise Exception("client/connectionFailed")
def clientTestCmd(argv): address = argv[0] dir = argv[1] #Split address into hostname/port tuple address = address.split(":") address = ( address[0], int(address[1]) ) #open synchronisation FIFO synchro = socket.socket(socket.AF_INET, socket.SOCK_STREAM) synchro.settimeout(5) synchro.connect((address[0], address[1]-1)) def connect(): sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) if hasattr(sock, 'settimeout'): #It's a python 2.3 feature sock.settimeout(5) sock.connect(address) c = TLSConnection(sock) return c test = 0 badFault = False print("Test 0 - anonymous handshake") synchro.recv(1) connection = connect() connection.handshakeClientAnonymous() testConnClient(connection) connection.close() print("Test 1 - good X509 (plus SNI)") synchro.recv(1) connection = connect() connection.handshakeClientCert(serverName=address[0]) testConnClient(connection) assert(isinstance(connection.session.serverCertChain, X509CertChain)) assert(connection.session.serverName == address[0]) connection.close() print("Test 1.a - good X509, SSLv3") synchro.recv(1) connection = connect() settings = HandshakeSettings() settings.minVersion = (3,0) settings.maxVersion = (3,0) connection.handshakeClientCert(settings=settings) testConnClient(connection) assert(isinstance(connection.session.serverCertChain, X509CertChain)) connection.close() print("Test 1.b - good X509, RC4-MD5") synchro.recv(1) connection = connect() settings = HandshakeSettings() settings.macNames = ["md5"] connection.handshakeClientCert(settings=settings) testConnClient(connection) assert(isinstance(connection.session.serverCertChain, X509CertChain)) assert(connection.session.cipherSuite == constants.CipherSuite.TLS_RSA_WITH_RC4_128_MD5) connection.close() if tackpyLoaded: settings = HandshakeSettings() settings.useExperimentalTackExtension = True print("Test 2.a - good X.509, TACK") synchro.recv(1) connection = connect() connection.handshakeClientCert(settings=settings) assert(connection.session.tackExt.tacks[0].getTackId() == "5lcbe.eyweo.yxuan.rw6xd.jtoz7") assert(connection.session.tackExt.activation_flags == 1) testConnClient(connection) connection.close() print("Test 2.b - good X.509, TACK unrelated to cert chain") synchro.recv(1) connection = connect() try: connection.handshakeClientCert(settings=settings) assert(False) except TLSLocalAlert as alert: if alert.description != AlertDescription.illegal_parameter: raise connection.close() print("Test 3 - good SRP") synchro.recv(1) connection = connect() connection.handshakeClientSRP("test", "password") testConnClient(connection) connection.close() print("Test 4 - SRP faults") for fault in Fault.clientSrpFaults + Fault.genericFaults: synchro.recv(1) connection = connect() connection.fault = fault try: connection.handshakeClientSRP("test", "password") print(" Good Fault %s" % (Fault.faultNames[fault])) except TLSFaultError as e: print(" BAD FAULT %s: %s" % (Fault.faultNames[fault], str(e))) badFault = True print("Test 6 - good SRP: with X.509 certificate, TLSv1.0") settings = HandshakeSettings() settings.minVersion = (3,1) settings.maxVersion = (3,1) synchro.recv(1) connection = connect() connection.handshakeClientSRP("test", "password", settings=settings) assert(isinstance(connection.session.serverCertChain, X509CertChain)) testConnClient(connection) connection.close() print("Test 7 - X.509 with SRP faults") for fault in Fault.clientSrpFaults + Fault.genericFaults: synchro.recv(1) connection = connect() connection.fault = fault try: connection.handshakeClientSRP("test", "password") print(" Good Fault %s" % (Fault.faultNames[fault])) except TLSFaultError as e: print(" BAD FAULT %s: %s" % (Fault.faultNames[fault], str(e))) badFault = True print("Test 11 - X.509 faults") for fault in Fault.clientNoAuthFaults + Fault.genericFaults: synchro.recv(1) connection = connect() connection.fault = fault try: connection.handshakeClientCert() print(" Good Fault %s" % (Fault.faultNames[fault])) except TLSFaultError as e: print(" BAD FAULT %s: %s" % (Fault.faultNames[fault], str(e))) badFault = True print("Test 14 - good mutual X509") x509Cert = X509().parse(open(os.path.join(dir, "clientX509Cert.pem")).read()) x509Chain = X509CertChain([x509Cert]) s = open(os.path.join(dir, "clientX509Key.pem")).read() x509Key = parsePEMKey(s, private=True) synchro.recv(1) connection = connect() connection.handshakeClientCert(x509Chain, x509Key) testConnClient(connection) assert(isinstance(connection.session.serverCertChain, X509CertChain)) connection.close() print("Test 14.a - good mutual X509, TLSv1.1") synchro.recv(1) connection = connect() settings = HandshakeSettings() settings.minVersion = (3,2) settings.maxVersion = (3,2) connection.handshakeClientCert(x509Chain, x509Key, settings=settings) testConnClient(connection) assert(isinstance(connection.session.serverCertChain, X509CertChain)) connection.close() print("Test 14.b - good mutual X509, SSLv3") synchro.recv(1) connection = connect() settings = HandshakeSettings() settings.minVersion = (3,0) settings.maxVersion = (3,0) connection.handshakeClientCert(x509Chain, x509Key, settings=settings) testConnClient(connection) assert(isinstance(connection.session.serverCertChain, X509CertChain)) connection.close() print("Test 15 - mutual X.509 faults") for fault in Fault.clientCertFaults + Fault.genericFaults: synchro.recv(1) connection = connect() connection.fault = fault try: connection.handshakeClientCert(x509Chain, x509Key) print(" Good Fault %s" % (Fault.faultNames[fault])) except TLSFaultError as e: print(" BAD FAULT %s: %s" % (Fault.faultNames[fault], str(e))) badFault = True print("Test 18 - good SRP, prepare to resume... (plus SNI)") synchro.recv(1) connection = connect() connection.handshakeClientSRP("test", "password", serverName=address[0]) testConnClient(connection) connection.close() session = connection.session print("Test 19 - resumption (plus SNI)") synchro.recv(1) connection = connect() connection.handshakeClientSRP("test", "garbage", serverName=address[0], session=session) testConnClient(connection) #Don't close! -- see below print("Test 20 - invalidated resumption (plus SNI)") synchro.recv(1) connection.sock.close() #Close the socket without a close_notify! synchro.recv(1) connection = connect() try: connection.handshakeClientSRP("test", "garbage", serverName=address[0], session=session) assert(False) except TLSRemoteAlert as alert: if alert.description != AlertDescription.bad_record_mac: raise connection.close() print("Test 21 - HTTPS test X.509") address = address[0], address[1]+1 if hasattr(socket, "timeout"): timeoutEx = socket.timeout else: timeoutEx = socket.error while 1: try: htmlBody = bytearray(open(os.path.join(dir, "index.html")).read(), "utf-8") fingerprint = None for y in range(2): checker =Checker(x509Fingerprint=fingerprint) h = HTTPTLSConnection(\ address[0], address[1], checker=checker) for x in range(3): synchro.recv(1) h.request("GET", "/index.html") r = h.getresponse() assert(r.status == 200) b = bytearray(r.read()) assert(b == htmlBody) fingerprint = h.tlsSession.serverCertChain.getFingerprint() assert(fingerprint) break except timeoutEx: print("timeout, retrying...") pass address = address[0], address[1]+1 implementations = [] if m2cryptoLoaded: implementations.append("openssl") if pycryptoLoaded: implementations.append("pycrypto") implementations.append("python") print("Test 22 - different ciphers, TLSv1.0") for implementation in implementations: for cipher in ["aes128", "aes256", "rc4"]: print("Test 22:", end=' ') synchro.recv(1) connection = connect() settings = HandshakeSettings() settings.cipherNames = [cipher] settings.cipherImplementations = [implementation, "python"] settings.minVersion = (3,1) settings.maxVersion = (3,1) connection.handshakeClientCert(settings=settings) testConnClient(connection) print("%s %s" % (connection.getCipherName(), connection.getCipherImplementation())) connection.close() print("Test 23 - throughput test") for implementation in implementations: for cipher in ["aes128", "aes256", "3des", "rc4"]: if cipher == "3des" and implementation not in ("openssl", "pycrypto"): continue print("Test 23:", end=' ') synchro.recv(1) connection = connect() settings = HandshakeSettings() settings.cipherNames = [cipher] settings.cipherImplementations = [implementation, "python"] connection.handshakeClientCert(settings=settings) print("%s %s:" % (connection.getCipherName(), connection.getCipherImplementation()), end=' ') startTime = time.clock() connection.write(b"hello"*10000) h = connection.read(min=50000, max=50000) stopTime = time.clock() if stopTime-startTime: print("100K exchanged at rate of %d bytes/sec" % int(100000/(stopTime-startTime))) else: print("100K exchanged very fast") assert(h == b"hello"*10000) connection.close() print("Test 24.a - Next-Protocol Client Negotiation") synchro.recv(1) connection = connect() connection.handshakeClientCert(nextProtos=[b"http/1.1"]) #print(" Next-Protocol Negotiated: %s" % connection.next_proto) assert(connection.next_proto == b'http/1.1') connection.close() print("Test 24.b - Next-Protocol Client Negotiation") synchro.recv(1) connection = connect() connection.handshakeClientCert(nextProtos=[b"spdy/2", b"http/1.1"]) #print(" Next-Protocol Negotiated: %s" % connection.next_proto) assert(connection.next_proto == b'spdy/2') connection.close() print("Test 24.c - Next-Protocol Client Negotiation") synchro.recv(1) connection = connect() connection.handshakeClientCert(nextProtos=[b"spdy/2", b"http/1.1"]) #print(" Next-Protocol Negotiated: %s" % connection.next_proto) assert(connection.next_proto == b'spdy/2') connection.close() print("Test 24.d - Next-Protocol Client Negotiation") synchro.recv(1) connection = connect() connection.handshakeClientCert(nextProtos=[b"spdy/3", b"spdy/2", b"http/1.1"]) #print(" Next-Protocol Negotiated: %s" % connection.next_proto) assert(connection.next_proto == b'spdy/2') connection.close() print("Test 24.e - Next-Protocol Client Negotiation") synchro.recv(1) connection = connect() connection.handshakeClientCert(nextProtos=[b"spdy/3", b"spdy/2", b"http/1.1"]) #print(" Next-Protocol Negotiated: %s" % connection.next_proto) assert(connection.next_proto == b'spdy/3') connection.close() print("Test 24.f - Next-Protocol Client Negotiation") synchro.recv(1) connection = connect() connection.handshakeClientCert(nextProtos=[b"http/1.1"]) #print(" Next-Protocol Negotiated: %s" % connection.next_proto) assert(connection.next_proto == b'http/1.1') connection.close() print("Test 24.g - Next-Protocol Client Negotiation") synchro.recv(1) connection = connect() connection.handshakeClientCert(nextProtos=[b"spdy/2", b"http/1.1"]) #print(" Next-Protocol Negotiated: %s" % connection.next_proto) assert(connection.next_proto == b'spdy/2') connection.close() print("Test 25.a - FALLBACK_SCSV") synchro.recv(1) connection = connect() settings = HandshakeSettings() settings.sendFallbackSCSV = True connection.handshakeClientCert(settings=settings) testConnClient(connection) connection.close() print("Test 25.b - FALLBACK_SCSV") synchro.recv(1) connection = connect() settings = HandshakeSettings() settings.sendFallbackSCSV = True settings.maxVersion = (3, 2) try: connection.handshakeClientCert(settings=settings) assert() except TLSRemoteAlert as alert: if alert.description != AlertDescription.inappropriate_fallback: raise connection.close() print("Test 26.a - server checks cipher version") synchro.recv(1) connection = connect() # Configure the ClientHello to only advertise SHA-256 ciphers, but not # support TLS 1.2. connection.fault = Fault.ignoreVersionForCipher settings = HandshakeSettings() settings.maxVersion = (3, 2) settings.macNames = ["sha256"] connection.handshakeClientCert(settings=settings) connection.close() print("Test 26.b - client checks cipher version") synchro.recv(1) connection = connect() try: connection.handshakeClientCert() assert() except TLSLocalAlert as alert: # The client should reject the ServerHello because it selected an # invalid cipher for the version. if alert.description != AlertDescription.illegal_parameter: raise connection.close() print('Test 27 - good standard XMLRPC https client') address = address[0], address[1]+1 synchro.recv(1) try: # python 2.7.9 introduced certificate verification (context option) # python 3.4.2 doesn't have it though context = ssl.create_default_context(\ cafile=os.path.join(dir, "serverX509Cert.pem")) server = xmlrpclib.Server('https://%s:%s' % address, context=context) except (TypeError, AttributeError): server = xmlrpclib.Server('https://%s:%s' % address) synchro.recv(1) assert server.add(1,2) == 3 synchro.recv(1) assert server.pow(2,4) == 16 print('Test 28 - good tlslite XMLRPC client') transport = XMLRPCTransport(ignoreAbruptClose=True) server = xmlrpclib.Server('https://%s:%s' % address, transport) synchro.recv(1) assert server.add(1,2) == 3 synchro.recv(1) assert server.pow(2,4) == 16 print('Test 29 - good XMLRPC ignored protocol') server = xmlrpclib.Server('http://%s:%s' % address, transport) synchro.recv(1) assert server.add(1,2) == 3 synchro.recv(1) assert server.pow(2,4) == 16 print("Test 30 - Internet servers test") try: i = IMAP4_TLS("cyrus.andrew.cmu.edu") i.login("anonymous", "*****@*****.**") i.logout() print("Test 30: IMAP4 good") p = POP3_TLS("pop.gmail.com") p.quit() print("Test 31: POP3 good") except socket.error as e: print("Non-critical error: socket error trying to reach internet server: ", e) synchro.close() if not badFault: print("Test succeeded") else: print("Test failed")
connection.close() print "Test 21 - HTTPS test X.509" address = address[0], address[1]+1 if hasattr(socket, "timeout"): timeoutEx = socket.timeout else: timeoutEx = socket.error while 1: try: time.sleep(2) htmlBody = open(os.path.join(dir, "index.html")).read() fingerprint = None for y in range(2): checker =Checker(x509Fingerprint=fingerprint) h = HTTPTLSConnection(\ address[0], address[1], checker=checker) for x in range(3): h.request("GET", "/index.html") r = h.getresponse() assert(r.status == 200) s = r.read() assert(s == htmlBody) fingerprint = h.tlsSession.serverCertChain.getFingerprint() assert(fingerprint) time.sleep(2) break except timeoutEx: print "timeout, retrying..." pass address = address[0], address[1]+1
def clientTestCmd(argv): address = argv[0] dir = argv[1] #Split address into hostname/port tuple address = address.split(":") address = ( address[0], int(address[1]) ) def connect(): sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) if hasattr(sock, 'settimeout'): #It's a python 2.3 feature sock.settimeout(5) sock.connect(address) c = TLSConnection(sock) return c test = 0 badFault = False print("Test 0 - anonymous handshake") connection = connect() connection.handshakeClientAnonymous() testConnClient(connection) connection.close() print("Test 1 - good X509 (plus SNI)") connection = connect() connection.handshakeClientCert(serverName=address[0]) testConnClient(connection) assert(isinstance(connection.session.serverCertChain, X509CertChain)) assert(connection.session.serverName == address[0]) connection.close() print("Test 1.a - good X509, SSLv3") connection = connect() settings = HandshakeSettings() settings.minVersion = (3,0) settings.maxVersion = (3,0) connection.handshakeClientCert(settings=settings) testConnClient(connection) assert(isinstance(connection.session.serverCertChain, X509CertChain)) connection.close() print("Test 1.b - good X509, RC4-MD5") connection = connect() settings = HandshakeSettings() settings.macNames = ["md5"] connection.handshakeClientCert(settings=settings) testConnClient(connection) assert(isinstance(connection.session.serverCertChain, X509CertChain)) assert(connection.session.cipherSuite == constants.CipherSuite.TLS_RSA_WITH_RC4_128_MD5) connection.close() if tackpyLoaded: settings = HandshakeSettings() settings.useExperimentalTackExtension = True print("Test 2.a - good X.509, TACK") connection = connect() connection.handshakeClientCert(settings=settings) assert(connection.session.tackExt.tacks[0].getTackId() == "rrted.ptvtl.d2uiq.ox2xe.w4ss3") assert(connection.session.tackExt.activation_flags == 1) testConnClient(connection) connection.close() print("Test 2.b - good X.509, TACK unrelated to cert chain") connection = connect() try: connection.handshakeClientCert(settings=settings) assert(False) except TLSLocalAlert as alert: if alert.description != AlertDescription.illegal_parameter: raise connection.close() print("Test 3 - good SRP") connection = connect() connection.handshakeClientSRP("test", "password") testConnClient(connection) connection.close() print("Test 4 - SRP faults") for fault in Fault.clientSrpFaults + Fault.genericFaults: connection = connect() connection.fault = fault try: connection.handshakeClientSRP("test", "password") print(" Good Fault %s" % (Fault.faultNames[fault])) except TLSFaultError as e: print(" BAD FAULT %s: %s" % (Fault.faultNames[fault], str(e))) badFault = True print("Test 6 - good SRP: with X.509 certificate, TLSv1.0") settings = HandshakeSettings() settings.minVersion = (3,1) settings.maxVersion = (3,1) connection = connect() connection.handshakeClientSRP("test", "password", settings=settings) assert(isinstance(connection.session.serverCertChain, X509CertChain)) testConnClient(connection) connection.close() print("Test 7 - X.509 with SRP faults") for fault in Fault.clientSrpFaults + Fault.genericFaults: connection = connect() connection.fault = fault try: connection.handshakeClientSRP("test", "password") print(" Good Fault %s" % (Fault.faultNames[fault])) except TLSFaultError as e: print(" BAD FAULT %s: %s" % (Fault.faultNames[fault], str(e))) badFault = True print("Test 11 - X.509 faults") for fault in Fault.clientNoAuthFaults + Fault.genericFaults: connection = connect() connection.fault = fault try: connection.handshakeClientCert() print(" Good Fault %s" % (Fault.faultNames[fault])) except TLSFaultError as e: print(" BAD FAULT %s: %s" % (Fault.faultNames[fault], str(e))) badFault = True print("Test 14 - good mutual X509") x509Cert = X509().parse(open(os.path.join(dir, "clientX509Cert.pem")).read()) x509Chain = X509CertChain([x509Cert]) s = open(os.path.join(dir, "clientX509Key.pem")).read() x509Key = parsePEMKey(s, private=True) connection = connect() connection.handshakeClientCert(x509Chain, x509Key) testConnClient(connection) assert(isinstance(connection.session.serverCertChain, X509CertChain)) connection.close() print("Test 14.a - good mutual X509, SSLv3") connection = connect() settings = HandshakeSettings() settings.minVersion = (3,0) settings.maxVersion = (3,0) connection.handshakeClientCert(x509Chain, x509Key, settings=settings) testConnClient(connection) assert(isinstance(connection.session.serverCertChain, X509CertChain)) connection.close() print("Test 15 - mutual X.509 faults") for fault in Fault.clientCertFaults + Fault.genericFaults: connection = connect() connection.fault = fault try: connection.handshakeClientCert(x509Chain, x509Key) print(" Good Fault %s" % (Fault.faultNames[fault])) except TLSFaultError as e: print(" BAD FAULT %s: %s" % (Fault.faultNames[fault], str(e))) badFault = True print("Test 18 - good SRP, prepare to resume... (plus SNI)") connection = connect() connection.handshakeClientSRP("test", "password", serverName=address[0]) testConnClient(connection) connection.close() session = connection.session print("Test 19 - resumption (plus SNI)") connection = connect() connection.handshakeClientSRP("test", "garbage", serverName=address[0], session=session) testConnClient(connection) #Don't close! -- see below print("Test 20 - invalidated resumption (plus SNI)") connection.sock.close() #Close the socket without a close_notify! connection = connect() try: connection.handshakeClientSRP("test", "garbage", serverName=address[0], session=session) assert(False) except TLSRemoteAlert as alert: if alert.description != AlertDescription.bad_record_mac: raise connection.close() print("Test 21 - HTTPS test X.509") address = address[0], address[1]+1 if hasattr(socket, "timeout"): timeoutEx = socket.timeout else: timeoutEx = socket.error while 1: try: time.sleep(2) htmlBody = bytearray(open(os.path.join(dir, "index.html")).read(), "utf-8") fingerprint = None for y in range(2): checker =Checker(x509Fingerprint=fingerprint) h = HTTPTLSConnection(\ address[0], address[1], checker=checker) for x in range(3): h.request("GET", "/index.html") r = h.getresponse() assert(r.status == 200) b = bytearray(r.read()) assert(b == htmlBody) fingerprint = h.tlsSession.serverCertChain.getFingerprint() assert(fingerprint) time.sleep(2) break except timeoutEx: print("timeout, retrying...") pass address = address[0], address[1]+1 implementations = [] if m2cryptoLoaded: implementations.append("openssl") if pycryptoLoaded: implementations.append("pycrypto") implementations.append("python") print("Test 22 - different ciphers, TLSv1.0") for implementation in implementations: for cipher in ["aes128", "aes256", "rc4"]: print("Test 22:", end=' ') connection = connect() settings = HandshakeSettings() settings.cipherNames = [cipher] settings.cipherImplementations = [implementation, "python"] settings.minVersion = (3,1) settings.maxVersion = (3,1) connection.handshakeClientCert(settings=settings) testConnClient(connection) print("%s %s" % (connection.getCipherName(), connection.getCipherImplementation())) connection.close() print("Test 23 - throughput test") for implementation in implementations: for cipher in ["aes128", "aes256", "3des", "rc4"]: if cipher == "3des" and implementation not in ("openssl", "pycrypto"): continue print("Test 23:", end=' ') connection = connect() settings = HandshakeSettings() settings.cipherNames = [cipher] settings.cipherImplementations = [implementation, "python"] connection.handshakeClientCert(settings=settings) print("%s %s:" % (connection.getCipherName(), connection.getCipherImplementation()), end=' ') startTime = time.clock() connection.write(b"hello"*10000) h = connection.read(min=50000, max=50000) stopTime = time.clock() if stopTime-startTime: print("100K exchanged at rate of %d bytes/sec" % int(100000/(stopTime-startTime))) else: print("100K exchanged very fast") assert(h == b"hello"*10000) connection.close() print("Test 24.a - Next-Protocol Client Negotiation") connection = connect() connection.handshakeClientCert(nextProtos=[b"http/1.1"]) #print(" Next-Protocol Negotiated: %s" % connection.next_proto) assert(connection.next_proto == b'http/1.1') connection.close() print("Test 24.b - Next-Protocol Client Negotiation") connection = connect() connection.handshakeClientCert(nextProtos=[b"spdy/2", b"http/1.1"]) #print(" Next-Protocol Negotiated: %s" % connection.next_proto) assert(connection.next_proto == b'spdy/2') connection.close() print("Test 24.c - Next-Protocol Client Negotiation") connection = connect() connection.handshakeClientCert(nextProtos=[b"spdy/2", b"http/1.1"]) #print(" Next-Protocol Negotiated: %s" % connection.next_proto) assert(connection.next_proto == b'spdy/2') connection.close() print("Test 24.d - Next-Protocol Client Negotiation") connection = connect() connection.handshakeClientCert(nextProtos=[b"spdy/3", b"spdy/2", b"http/1.1"]) #print(" Next-Protocol Negotiated: %s" % connection.next_proto) assert(connection.next_proto == b'spdy/2') connection.close() print("Test 24.e - Next-Protocol Client Negotiation") connection = connect() connection.handshakeClientCert(nextProtos=[b"spdy/3", b"spdy/2", b"http/1.1"]) #print(" Next-Protocol Negotiated: %s" % connection.next_proto) assert(connection.next_proto == b'spdy/3') connection.close() print("Test 24.f - Next-Protocol Client Negotiation") connection = connect() connection.handshakeClientCert(nextProtos=[b"http/1.1"]) #print(" Next-Protocol Negotiated: %s" % connection.next_proto) assert(connection.next_proto == b'http/1.1') connection.close() print("Test 24.g - Next-Protocol Client Negotiation") connection = connect() connection.handshakeClientCert(nextProtos=[b"spdy/2", b"http/1.1"]) #print(" Next-Protocol Negotiated: %s" % connection.next_proto) assert(connection.next_proto == b'spdy/2') connection.close() print('Test 25 - good standard XMLRPC https client') time.sleep(2) # Hack for lack of ability to set timeout here address = address[0], address[1]+1 server = xmlrpclib.Server('https://%s:%s' % address) assert server.add(1,2) == 3 assert server.pow(2,4) == 16 print('Test 26 - good tlslite XMLRPC client') transport = XMLRPCTransport(ignoreAbruptClose=True) server = xmlrpclib.Server('https://%s:%s' % address, transport) assert server.add(1,2) == 3 assert server.pow(2,4) == 16 print('Test 27 - good XMLRPC ignored protocol') server = xmlrpclib.Server('http://%s:%s' % address, transport) assert server.add(1,2) == 3 assert server.pow(2,4) == 16 print("Test 28 - Internet servers test") try: i = IMAP4_TLS("cyrus.andrew.cmu.edu") i.login("anonymous", "*****@*****.**") i.logout() print("Test 28: IMAP4 good") p = POP3_TLS("pop.gmail.com") p.quit() print("Test 29: POP3 good") except socket.error as e: print("Non-critical error: socket error trying to reach internet server: ", e) if not badFault: print("Test succeeded") else: print("Test failed")
#!/usr/bin/env python from __future__ import print_function from tlslite import HTTPTLSConnection, HandshakeSettings settings = HandshakeSettings() settings.useExperimentalTackExtension = True h = HTTPTLSConnection("localhost", 4443, settings=settings) h.request("GET", "/index.html") r = h.getresponse() print(r.read())
def clientTestCmd(argv): address = argv[0] dir = argv[1] #Split address into hostname/port tuple address = address.split(":") address = ( address[0], int(address[1]) ) def connect(): sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) if hasattr(sock, 'settimeout'): #It's a python 2.3 feature sock.settimeout(5) sock.connect(address) c = TLSConnection(sock) return c test = 0 badFault = False print("Test 0 - anonymous handshake") connection = connect() connection.handshakeClientAnonymous() testConnClient(connection) connection.close() print("Test 1 - good X509 (plus SNI)") connection = connect() connection.handshakeClientCert(serverName=address[0]) testConnClient(connection) assert(isinstance(connection.session.serverCertChain, X509CertChain)) assert(connection.session.serverName == address[0]) connection.close() print("Test 1.a - good X509, SSLv3") connection = connect() settings = HandshakeSettings() settings.minVersion = (3,0) settings.maxVersion = (3,0) connection.handshakeClientCert(settings=settings) testConnClient(connection) assert(isinstance(connection.session.serverCertChain, X509CertChain)) connection.close() if tackpyLoaded: settings = HandshakeSettings() settings.useExperimentalTackExtension = True print("Test 2.a - good X.509, TACK") connection = connect() connection.handshakeClientCert(settings=settings) assert(connection.session.tackExt.tacks[0].getTackId() == "rrted.ptvtl.d2uiq.ox2xe.w4ss3") assert(connection.session.tackExt.activation_flags == 1) testConnClient(connection) connection.close() print("Test 2.b - good X.509, TACK unrelated to cert chain") connection = connect() try: connection.handshakeClientCert(settings=settings) assert(False) except TLSLocalAlert as alert: if alert.description != AlertDescription.illegal_parameter: raise connection.close() print("Test 3 - good SRP") connection = connect() connection.handshakeClientSRP("test", "password") testConnClient(connection) connection.close() print("Test 4 - SRP faults") for fault in Fault.clientSrpFaults + Fault.genericFaults: connection = connect() connection.fault = fault try: connection.handshakeClientSRP("test", "password") print(" Good Fault %s" % (Fault.faultNames[fault])) except TLSFaultError as e: print(" BAD FAULT %s: %s" % (Fault.faultNames[fault], str(e))) badFault = True print("Test 6 - good SRP: with X.509 certificate, TLSv1.0") settings = HandshakeSettings() settings.minVersion = (3,1) settings.maxVersion = (3,1) connection = connect() connection.handshakeClientSRP("test", "password", settings=settings) assert(isinstance(connection.session.serverCertChain, X509CertChain)) testConnClient(connection) connection.close() print("Test 7 - X.509 with SRP faults") for fault in Fault.clientSrpFaults + Fault.genericFaults: connection = connect() connection.fault = fault try: connection.handshakeClientSRP("test", "password") print(" Good Fault %s" % (Fault.faultNames[fault])) except TLSFaultError as e: print(" BAD FAULT %s: %s" % (Fault.faultNames[fault], str(e))) badFault = True print("Test 11 - X.509 faults") for fault in Fault.clientNoAuthFaults + Fault.genericFaults: connection = connect() connection.fault = fault try: connection.handshakeClientCert() print(" Good Fault %s" % (Fault.faultNames[fault])) except TLSFaultError as e: print(" BAD FAULT %s: %s" % (Fault.faultNames[fault], str(e))) badFault = True print("Test 14 - good mutual X509") x509Cert = X509().parse(open(os.path.join(dir, "clientX509Cert.pem")).read()) x509Chain = X509CertChain([x509Cert]) s = open(os.path.join(dir, "clientX509Key.pem")).read() x509Key = parsePEMKey(s, private=True) connection = connect() connection.handshakeClientCert(x509Chain, x509Key) testConnClient(connection) assert(isinstance(connection.session.serverCertChain, X509CertChain)) connection.close() print("Test 14.a - good mutual X509, SSLv3") connection = connect() settings = HandshakeSettings() settings.minVersion = (3,0) settings.maxVersion = (3,0) connection.handshakeClientCert(x509Chain, x509Key, settings=settings) testConnClient(connection) assert(isinstance(connection.session.serverCertChain, X509CertChain)) connection.close() print("Test 15 - mutual X.509 faults") for fault in Fault.clientCertFaults + Fault.genericFaults: connection = connect() connection.fault = fault try: connection.handshakeClientCert(x509Chain, x509Key) print(" Good Fault %s" % (Fault.faultNames[fault])) except TLSFaultError as e: print(" BAD FAULT %s: %s" % (Fault.faultNames[fault], str(e))) badFault = True print("Test 18 - good SRP, prepare to resume... (plus SNI)") connection = connect() connection.handshakeClientSRP("test", "password", serverName=address[0]) testConnClient(connection) connection.close() session = connection.session print("Test 19 - resumption (plus SNI)") connection = connect() connection.handshakeClientSRP("test", "garbage", serverName=address[0], session=session) testConnClient(connection) #Don't close! -- see below print("Test 20 - invalidated resumption (plus SNI)") connection.sock.close() #Close the socket without a close_notify! connection = connect() try: connection.handshakeClientSRP("test", "garbage", serverName=address[0], session=session) assert(False) except TLSRemoteAlert as alert: if alert.description != AlertDescription.bad_record_mac: raise connection.close() print("Test 21 - HTTPS test X.509") address = address[0], address[1]+1 if hasattr(socket, "timeout"): timeoutEx = socket.timeout else: timeoutEx = socket.error while 1: try: time.sleep(2) htmlBody = bytearray(open(os.path.join(dir, "index.html")).read(), "utf-8") fingerprint = None for y in range(2): # don't check cert unless we provide a fingerprint --dmb checker = Checker(x509Fingerprints=[fingerprint]) if fingerprint else None h = HTTPTLSConnection(\ address[0], address[1], checker=checker) for x in range(3): h.request("GET", "/index.html") r = h.getresponse() assert(r.status == 200) b = bytearray(r.read()) assert(b == htmlBody) fingerprint = h.tlsSession.serverCertChain.getFingerprint() assert(fingerprint) time.sleep(2) break except timeoutEx: print("timeout, retrying...") pass address = address[0], address[1]+1 implementations = [] if m2cryptoLoaded: implementations.append("openssl") if tlscryptoLoaded: implementations.append("tlscrypto") if pycryptoLoaded: implementations.append("pycrypto") implementations.append("python") print("Test 22 - different ciphers, TLSv1.0") for implementation in implementations: for cipher in ["aes128", "aes256", "rc4"]: print("Test 22:", end=' ') connection = connect() settings = HandshakeSettings() settings.cipherNames = [cipher] settings.cipherImplementations = [implementation, "python"] settings.minVersion = (3,1) settings.maxVersion = (3,1) connection.handshakeClientCert(settings=settings) testConnClient(connection) print("%s %s" % (connection.getCipherName(), connection.getCipherImplementation())) connection.close() print("Test 23 - throughput test") for implementation in implementations: for cipher in ["aes128", "aes256", "3des", "rc4"]: if cipher == "3des" and implementation not in ("openssl", "pycrypto"): continue print("Test 23:", end=' ') connection = connect() settings = HandshakeSettings() settings.cipherNames = [cipher] settings.cipherImplementations = [implementation, "python"] connection.handshakeClientCert(settings=settings) print("%s %s:" % (connection.getCipherName(), connection.getCipherImplementation()), end=' ') startTime = time.clock() connection.write(b"hello"*10000) h = connection.read(min=50000, max=50000) stopTime = time.clock() if stopTime-startTime: print("100K exchanged at rate of %d bytes/sec" % int(100000/(stopTime-startTime))) else: print("100K exchanged very fast") assert(h == b"hello"*10000) connection.close() print("Test 24.a - Next-Protocol Client Negotiation") connection = connect() connection.handshakeClientCert(nextProtos=[b"http/1.1"]) #print(" Next-Protocol Negotiated: %s" % connection.next_proto) assert(connection.next_proto == b'http/1.1') connection.close() print("Test 24.b - Next-Protocol Client Negotiation") connection = connect() connection.handshakeClientCert(nextProtos=[b"spdy/2", b"http/1.1"]) #print(" Next-Protocol Negotiated: %s" % connection.next_proto) assert(connection.next_proto == b'spdy/2') connection.close() print("Test 24.c - Next-Protocol Client Negotiation") connection = connect() connection.handshakeClientCert(nextProtos=[b"spdy/2", b"http/1.1"]) #print(" Next-Protocol Negotiated: %s" % connection.next_proto) assert(connection.next_proto == b'spdy/2') connection.close() print("Test 24.d - Next-Protocol Client Negotiation") connection = connect() connection.handshakeClientCert(nextProtos=[b"spdy/3", b"spdy/2", b"http/1.1"]) #print(" Next-Protocol Negotiated: %s" % connection.next_proto) assert(connection.next_proto == b'spdy/2') connection.close() print("Test 24.e - Next-Protocol Client Negotiation") connection = connect() connection.handshakeClientCert(nextProtos=[b"spdy/3", b"spdy/2", b"http/1.1"]) #print(" Next-Protocol Negotiated: %s" % connection.next_proto) assert(connection.next_proto == b'spdy/3') connection.close() print("Test 24.f - Next-Protocol Client Negotiation") connection = connect() connection.handshakeClientCert(nextProtos=[b"http/1.1"]) #print(" Next-Protocol Negotiated: %s" % connection.next_proto) assert(connection.next_proto == b'http/1.1') connection.close() print("Test 24.g - Next-Protocol Client Negotiation") connection = connect() connection.handshakeClientCert(nextProtos=[b"spdy/2", b"http/1.1"]) #print(" Next-Protocol Negotiated: %s" % connection.next_proto) assert(connection.next_proto == b'spdy/2') connection.close() print('Test 25 - good standard XMLRPC https client') time.sleep(2) # Hack for lack of ability to set timeout here address = address[0], address[1]+1 server = xmlrpclib.Server('https://%s:%s' % address) assert server.add(1,2) == 3 assert server.pow(2,4) == 16 print('Test 26 - good tlslite XMLRPC client') transport = XMLRPCTransport(ignoreAbruptClose=True) server = xmlrpclib.Server('https://%s:%s' % address, transport) assert server.add(1,2) == 3 assert server.pow(2,4) == 16 print('Test 27 - good XMLRPC ignored protocol') server = xmlrpclib.Server('http://%s:%s' % address, transport) assert server.add(1,2) == 3 assert server.pow(2,4) == 16 print("Test 28 - Internet servers test") try: i = IMAP4_TLS("cyrus.andrew.cmu.edu") i.login("anonymous", "*****@*****.**") i.logout() print("Test 28: IMAP4 good") p = POP3_TLS("pop.gmail.com") p.quit() print("Test 29: POP3 good") except socket.error as e: print("Non-critical error: socket error trying to reach internet server: ", e) if not badFault: print("Test succeeded") else: print("Test failed")
connection.close() print "Test 21 - HTTPS test X.509" address = address[0], address[1] + 1 if hasattr(socket, "timeout"): timeoutEx = socket.timeout else: timeoutEx = socket.error while 1: try: time.sleep(2) htmlBody = open(os.path.join(dir, "index.html")).read() fingerprint = None for y in range(2): checker = Checker(x509Fingerprint=fingerprint) h = HTTPTLSConnection(\ address[0], address[1], checker=checker) for x in range(3): h.request("GET", "/index.html") r = h.getresponse() assert (r.status == 200) s = r.read() assert (s == htmlBody) fingerprint = h.tlsSession.serverCertChain.getFingerprint() assert (fingerprint) time.sleep(2) break except timeoutEx: print "timeout, retrying..." pass address = address[0], address[1] + 1
def clientTestCmd(argv): address = argv[0] dir = argv[1] #Split address into hostname/port tuple address = address.split(":") address = ( address[0], int(address[1]) ) #open synchronisation FIFO synchro = socket.socket(socket.AF_INET, socket.SOCK_STREAM) synchro.settimeout(15) synchro.connect((address[0], address[1]-1)) def connect(): sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) if hasattr(sock, 'settimeout'): #It's a python 2.3 feature sock.settimeout(15) sock.connect(address) c = TLSConnection(sock) return c test_no = 0 badFault = False print("Test {0} - anonymous handshake".format(test_no)) synchro.recv(1) connection = connect() connection.handshakeClientAnonymous() testConnClient(connection) connection.close() test_no += 1 print("Test {0} - good X509 (plus SNI)".format(test_no)) synchro.recv(1) connection = connect() connection.handshakeClientCert(serverName=address[0]) testConnClient(connection) assert(isinstance(connection.session.serverCertChain, X509CertChain)) assert(connection.session.serverName == address[0]) assert(connection.session.cipherSuite in constants.CipherSuite.aeadSuites) assert(connection.encryptThenMAC == False) connection.close() test_no += 1 print("Test {0} - good X.509/w RSA-PSS cert".format(test_no)) synchro.recv(1) connection = connect() connection.handshakeClientCert(serverName=address[0]) testConnClient(connection) assert(isinstance(connection.session.serverCertChain, X509CertChain)) assert(connection.session.serverName == address[0]) assert(connection.session.cipherSuite in constants.CipherSuite.aeadSuites) assert(connection.encryptThenMAC == False) connection.close() test_no += 1 print("Test {0} - good X.509/w RSA-PSS sig".format(test_no)) synchro.recv(1) connection = connect() connection.handshakeClientCert(serverName=address[0]) testConnClient(connection) assert(isinstance(connection.session.serverCertChain, X509CertChain)) assert(connection.session.serverName == address[0]) assert(connection.session.cipherSuite in constants.CipherSuite.aeadSuites) assert(connection.encryptThenMAC == False) connection.close() test_no += 1 print("Test {0} - good X509, SSLv3".format(test_no)) synchro.recv(1) connection = connect() settings = HandshakeSettings() settings.minVersion = (3,0) settings.maxVersion = (3,0) connection.handshakeClientCert(settings=settings) testConnClient(connection) assert(isinstance(connection.session.serverCertChain, X509CertChain)) connection.close() test_no += 1 print("Test {0} - good X509, RC4-MD5".format(test_no)) synchro.recv(1) connection = connect() settings = HandshakeSettings() settings.macNames = ["md5"] settings.cipherNames = ["rc4"] connection.handshakeClientCert(settings=settings) testConnClient(connection) assert(isinstance(connection.session.serverCertChain, X509CertChain)) assert(connection.session.cipherSuite == constants.CipherSuite.TLS_RSA_WITH_RC4_128_MD5) assert(connection.encryptThenMAC == False) connection.close() if tackpyLoaded: settings = HandshakeSettings() settings.useExperimentalTackExtension = True test_no += 1 print("Test {0} - good X.509, TACK".format(test_no)) synchro.recv(1) connection = connect() connection.handshakeClientCert(settings=settings) assert(connection.session.tackExt.tacks[0].getTackId() == "5lcbe.eyweo.yxuan.rw6xd.jtoz7") assert(connection.session.tackExt.activation_flags == 1) testConnClient(connection) connection.close() test_no += 1 print("Test {0} - good X.509, TACK unrelated to cert chain".\ format(test_no)) synchro.recv(1) connection = connect() try: connection.handshakeClientCert(settings=settings) assert(False) except TLSLocalAlert as alert: if alert.description != AlertDescription.illegal_parameter: raise connection.close() else: test_no += 1 print("Test {0} - good X.509, TACK...skipped (no tackpy)".\ format(test_no)) test_no += 1 print("Test {0} - good X.509, TACK unrelated to cert chain...skipped" " (no tackpy)".\ format(test_no)) test_no += 1 print("Test {0} - good SRP (db)".format(test_no)) synchro.recv(1) connection = connect() connection.handshakeClientSRP("test", "password") testConnClient(connection) connection.close() test_no += 1 print("Test {0} - good SRP".format(test_no)) synchro.recv(1) connection = connect() connection.handshakeClientSRP("test", "password") testConnClient(connection) connection.close() test_no += 1 print("Test {0} - SRP faults".format(test_no)) for fault in Fault.clientSrpFaults + Fault.genericFaults: synchro.recv(1) connection = connect() connection.fault = fault try: connection.handshakeClientSRP("test", "password") print(" Good Fault %s" % (Fault.faultNames[fault])) except TLSFaultError as e: print(" BAD FAULT %s: %s" % (Fault.faultNames[fault], str(e))) badFault = True test_no += 1 print("Test {0} - good SRP: with X.509 certificate, TLSv1.0".format(test_no)) settings = HandshakeSettings() settings.minVersion = (3,1) settings.maxVersion = (3,1) synchro.recv(1) connection = connect() connection.handshakeClientSRP("test", "password", settings=settings) assert(isinstance(connection.session.serverCertChain, X509CertChain)) testConnClient(connection) connection.close() test_no += 1 print("Test {0} - X.509 with SRP faults".format(test_no)) for fault in Fault.clientSrpFaults + Fault.genericFaults: synchro.recv(1) connection = connect() connection.fault = fault try: connection.handshakeClientSRP("test", "password") print(" Good Fault %s" % (Fault.faultNames[fault])) except TLSFaultError as e: print(" BAD FAULT %s: %s" % (Fault.faultNames[fault], str(e))) badFault = True test_no += 1 print("Test {0} - X.509 faults".format(test_no)) for fault in Fault.clientNoAuthFaults + Fault.genericFaults: synchro.recv(1) connection = connect() connection.fault = fault try: connection.handshakeClientCert() print(" Good Fault %s" % (Fault.faultNames[fault])) except TLSFaultError as e: print(" BAD FAULT %s: %s" % (Fault.faultNames[fault], str(e))) badFault = True test_no += 1 print("Test {0} - good mutual X509".format(test_no)) x509Cert = X509().parse(open(os.path.join(dir, "clientX509Cert.pem")).read()) x509Chain = X509CertChain([x509Cert]) s = open(os.path.join(dir, "clientX509Key.pem")).read() x509Key = parsePEMKey(s, private=True) synchro.recv(1) connection = connect() connection.handshakeClientCert(x509Chain, x509Key) testConnClient(connection) assert(isinstance(connection.session.serverCertChain, X509CertChain)) connection.close() test_no += 1 print("Test {0} - good mutual X509, TLSv1.1".format(test_no)) synchro.recv(1) connection = connect() settings = HandshakeSettings() settings.minVersion = (3,2) settings.maxVersion = (3,2) connection.handshakeClientCert(x509Chain, x509Key, settings=settings) testConnClient(connection) assert(isinstance(connection.session.serverCertChain, X509CertChain)) connection.close() test_no += 1 print("Test {0} - good mutual X509, SSLv3".format(test_no)) synchro.recv(1) connection = connect() settings = HandshakeSettings() settings.minVersion = (3,0) settings.maxVersion = (3,0) connection.handshakeClientCert(x509Chain, x509Key, settings=settings) testConnClient(connection) assert(isinstance(connection.session.serverCertChain, X509CertChain)) connection.close() test_no += 1 print("Test {0} - mutual X.509 faults".format(test_no)) for fault in Fault.clientCertFaults + Fault.genericFaults: synchro.recv(1) connection = connect() connection.fault = fault try: connection.handshakeClientCert(x509Chain, x509Key) print(" Good Fault %s" % (Fault.faultNames[fault])) except TLSFaultError as e: print(" BAD FAULT %s: %s" % (Fault.faultNames[fault], str(e))) badFault = True test_no += 1 print("Test {0} - good SRP, prepare to resume... (plus SNI)".\ format(test_no)) synchro.recv(1) connection = connect() connection.handshakeClientSRP("test", "password", serverName=address[0]) testConnClient(connection) connection.close() session = connection.session test_no += 1 print("Test {0} - resumption (plus SNI)".format(test_no)) synchro.recv(1) connection = connect() connection.handshakeClientSRP("test", "garbage", serverName=address[0], session=session) testConnClient(connection) #Don't close! -- see below test_no += 1 print("Test {0} - invalidated resumption (plus SNI)".format(test_no)) synchro.recv(1) connection.sock.close() #Close the socket without a close_notify! synchro.recv(1) connection = connect() try: connection.handshakeClientSRP("test", "garbage", serverName=address[0], session=session) assert(False) except TLSRemoteAlert as alert: if alert.description != AlertDescription.bad_record_mac: raise connection.close() test_no += 1 print("Test {0} - HTTPS test X.509".format(test_no)) address = address[0], address[1]+1 if hasattr(socket, "timeout"): timeoutEx = socket.timeout else: timeoutEx = socket.error while 1: try: htmlBody = bytearray(open(os.path.join(dir, "index.html")).read(), "utf-8") fingerprint = None for y in range(2): checker =Checker(x509Fingerprint=fingerprint) h = HTTPTLSConnection(\ address[0], address[1], checker=checker) for x in range(3): synchro.recv(1) h.request("GET", "/index.html") r = h.getresponse() assert(r.status == 200) b = bytearray(r.read()) assert(b == htmlBody) fingerprint = h.tlsSession.serverCertChain.getFingerprint() assert(fingerprint) break except timeoutEx: print("timeout, retrying...") pass address = address[0], address[1]+1 implementations = [] if m2cryptoLoaded: implementations.append("openssl") if pycryptoLoaded: implementations.append("pycrypto") implementations.append("python") test_no += 1 print("Test {0} - different ciphers, TLSv1.0".format(test_no)) for implementation in implementations: for cipher in ["aes128", "aes256", "rc4"]: test_no += 1 print("Test {0}:".format(test_no), end=' ') synchro.recv(1) connection = connect() settings = HandshakeSettings() settings.cipherNames = [cipher] settings.cipherImplementations = [implementation, "python"] settings.minVersion = (3,1) settings.maxVersion = (3,1) connection.handshakeClientCert(settings=settings) testConnClient(connection) print("%s %s" % (connection.getCipherName(), connection.getCipherImplementation())) connection.close() test_no += 1 print("Test {0} - throughput test".format(test_no)) for implementation in implementations: for cipher in ["aes128gcm", "aes256gcm", "aes128", "aes256", "3des", "rc4", "chacha20-poly1305_draft00", "chacha20-poly1305"]: # skip tests with implementations that don't support them if cipher == "3des" and implementation not in ("openssl", "pycrypto"): continue if cipher in ("aes128gcm", "aes256gcm") and \ implementation not in ("pycrypto", "python"): continue if cipher in ("chacha20-poly1305_draft00", "chacha20-poly1305") \ and implementation not in ("python", ): continue test_no += 1 print("Test {0}:".format(test_no), end=' ') synchro.recv(1) connection = connect() settings = HandshakeSettings() settings.cipherNames = [cipher] settings.cipherImplementations = [implementation, "python"] connection.handshakeClientCert(settings=settings) print("%s %s:" % (connection.getCipherName(), connection.getCipherImplementation()), end=' ') startTime = timeit.default_timer() connection.write(b"hello"*10000) h = connection.read(min=50000, max=50000) stopTime = timeit.default_timer() sizeofdata = len(h)*2 if stopTime-startTime: print("100K exchanged at rate of %d bytes/sec" % int(sizeofdata/(stopTime-startTime))) else: print("100K exchanged very fast") assert(h == b"hello"*10000) connection.close() test_no += 1 print("Test {0} - Next-Protocol Client Negotiation".format(test_no)) synchro.recv(1) connection = connect() connection.handshakeClientCert(nextProtos=[b"http/1.1"]) #print(" Next-Protocol Negotiated: %s" % connection.next_proto) assert(connection.next_proto == b'http/1.1') connection.close() test_no += 1 print("Test {0} - Next-Protocol Client Negotiation".format(test_no)) synchro.recv(1) connection = connect() connection.handshakeClientCert(nextProtos=[b"spdy/2", b"http/1.1"]) #print(" Next-Protocol Negotiated: %s" % connection.next_proto) assert(connection.next_proto == b'spdy/2') connection.close() test_no += 1 print("Test {0} - Next-Protocol Client Negotiation".format(test_no)) synchro.recv(1) connection = connect() connection.handshakeClientCert(nextProtos=[b"spdy/2", b"http/1.1"]) #print(" Next-Protocol Negotiated: %s" % connection.next_proto) assert(connection.next_proto == b'spdy/2') connection.close() test_no += 1 print("Test {0} - Next-Protocol Client Negotiation".format(test_no)) synchro.recv(1) connection = connect() connection.handshakeClientCert(nextProtos=[b"spdy/3", b"spdy/2", b"http/1.1"]) #print(" Next-Protocol Negotiated: %s" % connection.next_proto) assert(connection.next_proto == b'spdy/2') connection.close() test_no += 1 print("Test {0} - Next-Protocol Client Negotiation".format(test_no)) synchro.recv(1) connection = connect() connection.handshakeClientCert(nextProtos=[b"spdy/3", b"spdy/2", b"http/1.1"]) #print(" Next-Protocol Negotiated: %s" % connection.next_proto) assert(connection.next_proto == b'spdy/3') connection.close() test_no += 1 print("Test {0} - Next-Protocol Client Negotiation".format(test_no)) synchro.recv(1) connection = connect() connection.handshakeClientCert(nextProtos=[b"http/1.1"]) #print(" Next-Protocol Negotiated: %s" % connection.next_proto) assert(connection.next_proto == b'http/1.1') connection.close() test_no += 1 print("Test {0} - Next-Protocol Client Negotiation".format(test_no)) synchro.recv(1) connection = connect() connection.handshakeClientCert(nextProtos=[b"spdy/2", b"http/1.1"]) #print(" Next-Protocol Negotiated: %s" % connection.next_proto) assert(connection.next_proto == b'spdy/2') connection.close() test_no += 1 print("Test {0} - FALLBACK_SCSV".format(test_no)) synchro.recv(1) connection = connect() settings = HandshakeSettings() settings.sendFallbackSCSV = True connection.handshakeClientCert(settings=settings) testConnClient(connection) connection.close() test_no += 1 print("Test {0} - FALLBACK_SCSV".format(test_no)) synchro.recv(1) connection = connect() settings = HandshakeSettings() settings.sendFallbackSCSV = True settings.maxVersion = (3, 2) try: connection.handshakeClientCert(settings=settings) assert() except TLSRemoteAlert as alert: if alert.description != AlertDescription.inappropriate_fallback: raise connection.close() test_no += 1 print("Test {0} - no EtM server side".format(test_no)) synchro.recv(1) connection = connect() settings = HandshakeSettings() settings.macNames.remove("aead") assert(settings.useEncryptThenMAC) connection.handshakeClientCert(serverName=address[0], settings=settings) testConnClient(connection) assert(isinstance(connection.session.serverCertChain, X509CertChain)) assert(connection.session.serverName == address[0]) assert(not connection.encryptThenMAC) connection.close() test_no += 1 print("Test {0} - no EtM client side".format(test_no)) synchro.recv(1) connection = connect() settings = HandshakeSettings() settings.macNames.remove("aead") settings.useEncryptThenMAC = False connection.handshakeClientCert(serverName=address[0], settings=settings) testConnClient(connection) assert(isinstance(connection.session.serverCertChain, X509CertChain)) assert(connection.session.serverName == address[0]) assert(not connection.encryptThenMAC) connection.close() test_no += 1 print("Test {0} - resumption with EtM".format(test_no)) synchro.recv(1) connection = connect() settings = HandshakeSettings() settings.macNames.remove("aead") connection.handshakeClientCert(serverName=address[0], settings=settings) testConnClient(connection) assert(isinstance(connection.session.serverCertChain, X509CertChain)) assert(connection.session.serverName == address[0]) assert(not connection.resumed) assert(connection.encryptThenMAC) connection.close() session = connection.session # resume synchro.recv(1) connection = connect() connection.handshakeClientCert(serverName=address[0], session=session) testConnClient(connection) assert(isinstance(connection.session.serverCertChain, X509CertChain)) assert(connection.session.serverName == address[0]) assert(connection.resumed) assert(connection.encryptThenMAC) connection.close() test_no += 1 print("Test {0} - resumption with no EtM in 2nd handshake".format(test_no)) synchro.recv(1) connection = connect() settings = HandshakeSettings() settings.macNames.remove("aead") connection.handshakeClientCert(serverName=address[0], settings=settings) testConnClient(connection) assert(isinstance(connection.session.serverCertChain, X509CertChain)) assert(connection.session.serverName == address[0]) assert(not connection.resumed) assert(connection.encryptThenMAC) connection.close() session = connection.session # resume synchro.recv(1) settings = HandshakeSettings() settings.useEncryptThenMAC = False settings.macNames.remove("aead") connection = connect() try: connection.handshakeClientCert(serverName=address[0], session=session, settings=settings) except TLSRemoteAlert as e: assert(str(e) == "handshake_failure") else: raise AssertionError("No exception raised") connection.close() test_no += 1 print('Test {0} - good standard XMLRPC https client'.format(test_no)) address = address[0], address[1]+1 synchro.recv(1) try: # python 2.7.9 introduced certificate verification (context option) # python 3.4.2 doesn't have it though context = ssl.create_default_context(\ cafile=os.path.join(dir, "serverX509Cert.pem")) server = xmlrpclib.Server('https://%s:%s' % address, context=context) except (TypeError, AttributeError): server = xmlrpclib.Server('https://%s:%s' % address) synchro.recv(1) assert server.add(1,2) == 3 synchro.recv(1) assert server.pow(2,4) == 16 test_no += 1 print('Test {0} - good tlslite XMLRPC client'.format(test_no)) transport = XMLRPCTransport(ignoreAbruptClose=True) server = xmlrpclib.Server('https://%s:%s' % address, transport) synchro.recv(1) assert server.add(1,2) == 3 synchro.recv(1) assert server.pow(2,4) == 16 test_no += 1 print('Test {0} - good XMLRPC ignored protocol'.format(test_no)) server = xmlrpclib.Server('http://%s:%s' % address, transport) synchro.recv(1) assert server.add(1,2) == 3 synchro.recv(1) assert server.pow(2,4) == 16 test_no += 1 print("Test {0} - Internet servers test".format(test_no)) try: i = IMAP4_TLS("cyrus.andrew.cmu.edu") i.login("anonymous", "*****@*****.**") i.logout() test_no += 1 print("Test {0}: IMAP4 good".format(test_no)) p = POP3_TLS("pop.gmail.com") p.quit() test_no += 1 print("Test {0}: POP3 good".format(test_no)) except (socket.error, socket.timeout) as e: print("Non-critical error: socket error trying to reach internet server: ", e) synchro.close() if not badFault: print("Test succeeded, {0} good".format(test_no)) else: print("Test failed")
#!/usr/bin/env python from __future__ import print_function from tlslite import HTTPTLSConnection, HandshakeSettings import os settings = HandshakeSettings() settings.useExperimentalTackExtension = True h = HTTPTLSConnection(os.environ["HOST_IP"], 4443, settings=settings) h.request("GET", "/index.html") r = h.getresponse() print(r.read())
def cert_validation_callback(info): print("cert failed validation: %s" % info) #Example of how to force a failing cert to pass: #info['success'] = True # pass the cert anyway! return info # Read the cacert.pem file to get trusted root certs cacerts_list = X509.certListFromPEM(args.root_certs_file, data_is_pathname=True) # Specify allowed common names. common_names = [ args.server ] if not args.server.startswith('www.'): common_names.append('www.' + args.server) # Create a cert validation checker checker = Checker( x509Fingerprints=set(args.server_fingerprints), x509RootCerts=cacerts_list, x509CommonNames=common_names, skipCommonNameCheck=args.nocheck_common_name, callback=cert_validation_callback, callbackInfo=None) settings = HandshakeSettings() settings.useExperimentalTackExtension = True h = HTTPTLSConnection(args.server, args.port, checker=checker, settings=settings) h.request("GET", args.url) r = h.getresponse() print(r.read())