def start(self):
interface = WebServerConfig.local_ip
port = WebServerConfig.local_port
cert_path = WebServerConfig.certificate.normalized if WebServerConfig.certificate else None
cert_chain_path = WebServerConfig.certificate_chain.normalized if WebServerConfig.certificate_chain else None
if cert_path is not None:
if not os.path.isfile(cert_path):
log.error('Certificate file %s could not be found' % cert_path)
return
try:
ssl_ctx_factory = DefaultOpenSSLContextFactory(cert_path, cert_path)
except Exception:
log.exception('Creating TLS context')
log.err()
return
if cert_chain_path is not None:
if not os.path.isfile(cert_chain_path):
log.error('Certificate chain file %s could not be found' % cert_chain_path)
return
ssl_ctx = ssl_ctx_factory.getContext()
try:
ssl_ctx.use_certificate_chain_file(cert_chain_path)
except Exception:
log.exception('Setting TLS certificate chain file')
log.err()
return
self.listener = reactor.listenSSL(port, self.site, ssl_ctx_factory, backlog=511, interface=interface)
scheme = 'https'
else:
self.listener = reactor.listenTCP(port, self.site, backlog=511, interface=interface)
scheme = 'http'
port = self.listener.getHost().port
self.__dict__['url'] = '%s://%s:%d' % (scheme, WebServerConfig.hostname or interface.normalized, port)
log.msg('Web server listening for requests on: %s' % self.url)
def start(self):
interface = WebServerConfig.local_ip
port = WebServerConfig.local_port
cert_path = WebServerConfig.certificate.normalized if WebServerConfig.certificate else None
cert_chain_path = WebServerConfig.certificate_chain.normalized if WebServerConfig.certificate_chain else None
if cert_path is not None:
if not os.path.isfile(cert_path):
log.error('Certificate file %s could not be found' % cert_path)
return
try:
ssl_ctx_factory = DefaultOpenSSLContextFactory(
cert_path, cert_path)
except Exception:
log.exception('Creating TLS context')
return
if cert_chain_path is not None:
if not os.path.isfile(cert_chain_path):
log.error('Certificate chain file %s could not be found' %
cert_chain_path)
return
ssl_ctx = ssl_ctx_factory.getContext()
try:
ssl_ctx.use_certificate_chain_file(cert_chain_path)
except Exception:
log.exception('Setting TLS certificate chain file')
return
self.listener = reactor.listenSSL(port,
self.site,
ssl_ctx_factory,
backlog=511,
interface=interface)
scheme = 'https'
else:
self.listener = reactor.listenTCP(port,
self.site,
backlog=511,
interface=interface)
scheme = 'http'
port = self.listener.getHost().port
self.__dict__['url'] = '%s://%s:%d' % (scheme, WebServerConfig.hostname
or interface.normalized, port)
log.info('Web server listening for requests on: %s' % self.url)
class StartTLS(ModuleData, Command):
implements(IPlugin, IModuleData, ICommand)
name = "StartTLS"
forRegistered = False
def actions(self):
return [ ("capabilitylist", 10, self.addCapability) ]
def userCommands(self):
return [ ("STARTTLS", 1, self) ]
def load(self):
if "unloading-tls" in self.ircd.dataCache:
del self.ircd.dataCache["unloading-tls"]
return
if "cap-add" in self.ircd.functionCache:
self.ircd.functionCache["cap-add"]("tls")
try:
self.certContext = DefaultOpenSSLContextFactory(self.ircd.config["starttls_key"], self.ircd.config["starttls_cert"])
self.certContext.getContext().set_verify(SSL.VERIFY_PEER, lambda connection, x509, errnum, errdepth, ok: True)
except SSL.Error:
raise ModuleLoadError("StartTLS", "Failed to initialize SSL context")
def rehash(self):
oldContext = self.certContext
try:
self.certContext = DefaultOpenSSLContextFactory(self.ircd.config["starttls_key"], self.ircd.config["starttls_cert"])
self.certContext.getContext().set_verify(SSL.VERIFY_PEER, lambda connection, x509, errnum, errdepth, ok: True)
except SSL.Error:
self.ircd.log.error("Failed to initialize new SSL context for StartTLS; keeping old context")
self.certContext = oldContext
def unload(self):
self.ircd.dataCache["unloading-tls"] = True
def fullUnload(self):
del self.ircd.dataCache["unloading-tls"]
if "cap-del" in self.ircd.functionCache:
self.ircd.functionCache["cap-del"]("tls")
def verifyConfig(self, config):
if "starttls_key" in config:
if not isinstance(config["starttls_key"], basestring):
raise ConfigValidationError("starttls_key", "value must be a file name")
else:
config["starttls_key"] = "server.pem" # We'll use the Twisted default for endpoints here
if "starttls_cert" in config:
if not isinstance(config["starttls_cert"], basestring):
raise ConfigValidationError("starttls_cert", "value must be a file name")
else:
config["starttls_cert"] = config["starttls_key"]
def addCapability(self, user, capList):
capList.append("tls")
def parseParams(self, user, prefix, params, tags):
return {}
def execute(self, user, data):
if user.secureConnection:
user.sendMessage(irc.ERR_STARTTLS, "The connection is already secure")
return True
try:
secureTransport = ITLSTransport(user.transport)
except TypeError:
user.sendMessage(irc.ERR_STARTTLS, "Failed to initialize transport for STARTTLS")
return True
if secureTransport is None:
user.sendMessage(irc.ERR_STARTTLS, "Failed to initialize transport for STARTTLS")
return True
user.transport = secureTransport
user.sendMessage(irc.RPL_STARTTLS, "STARTTLS successful; proceed with TLS handshake")
secureTransport.startTLS(self.certContext)
user.secureConnection = ISSLTransport(secureTransport, None) is not None
return True
def getContext(self, hostname=None, port=None):
return DefaultOpenSSLContextFactory.getContext(self)
def getContext(self, hostname=None, port=None):
return DefaultOpenSSLContextFactory.getContext(self)
def getContext(self):
ctx = DefaultOpenSSLContextFactory.getContext(self)
ctx.set_verify(VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT, self.verifyCallback)
ctx.load_verify_locations("rootCA.pem")
return ctx
class StartTLS(ModuleData, Command):
implements(IPlugin, IModuleData, ICommand)
name = "StartTLS"
forRegistered = False
def actions(self):
return [("capabilitylist", 10, self.addCapability)]
def userCommands(self):
return [("STARTTLS", 1, self)]
def load(self):
if "unloading-tls" in self.ircd.dataCache:
del self.ircd.dataCache["unloading-tls"]
return
if "cap-add" in self.ircd.functionCache:
self.ircd.functionCache["cap-add"]("tls")
try:
self.certContext = DefaultOpenSSLContextFactory(
self.ircd.config["starttls_key"],
self.ircd.config["starttls_cert"])
self.certContext.getContext().set_verify(
SSL.VERIFY_PEER,
lambda connection, x509, errnum, errdepth, ok: True)
except SSL.Error:
raise ModuleLoadError("StartTLS",
"Failed to initialize SSL context")
def rehash(self):
oldContext = self.certContext
try:
self.certContext = DefaultOpenSSLContextFactory(
self.ircd.config["starttls_key"],
self.ircd.config["starttls_cert"])
self.certContext.getContext().set_verify(
SSL.VERIFY_PEER,
lambda connection, x509, errnum, errdepth, ok: True)
except SSL.Error:
self.ircd.log.error(
"Failed to initialize new SSL context for StartTLS; keeping old context"
)
self.certContext = oldContext
def unload(self):
self.ircd.dataCache["unloading-tls"] = True
def fullUnload(self):
del self.ircd.dataCache["unloading-tls"]
if "cap-del" in self.ircd.functionCache:
self.ircd.functionCache["cap-del"]("tls")
def verifyConfig(self, config):
if "starttls_key" in config:
if not isinstance(config["starttls_key"], basestring):
raise ConfigValidationError("starttls_key",
"value must be a file name")
else:
config[
"starttls_key"] = "server.pem" # We'll use the Twisted default for endpoints here
if "starttls_cert" in config:
if not isinstance(config["starttls_cert"], basestring):
raise ConfigValidationError("starttls_cert",
"value must be a file name")
else:
config["starttls_cert"] = config["starttls_key"]
def addCapability(self, user, capList):
capList.append("tls")
def parseParams(self, user, prefix, params, tags):
return {}
def execute(self, user, data):
if user.secureConnection:
user.sendMessage(irc.ERR_STARTTLS,
"The connection is already secure")
return True
try:
secureTransport = ITLSTransport(user.transport)
except TypeError:
user.sendMessage(irc.ERR_STARTTLS,
"Failed to initialize transport for STARTTLS")
return True
if secureTransport is None:
user.sendMessage(irc.ERR_STARTTLS,
"Failed to initialize transport for STARTTLS")
return True
user.transport = secureTransport
user.sendMessage(irc.RPL_STARTTLS,
"STARTTLS successful; proceed with TLS handshake")
secureTransport.startTLS(self.certContext)
user.secureConnection = ISSLTransport(secureTransport,
None) is not None
return True
def getContext(self, host, port):
return DefaultOpenSSLContextFactory.getContext(self)