verify_mode ueber config setzbar, ssl context in funktion ausgelagert

This commit is contained in:
example 2022-07-30 12:09:38 +02:00
parent aed3616cf8
commit 991eeea9f8
2 changed files with 42 additions and 14 deletions

View file

@ -19,13 +19,15 @@ key = ./certs/statusd-key.pem
[client] [client]
cert = ./certs/statusclient-pub.pem cert = ./certs/statusclient-pub.pem
# possible values: true, false, may
required = true
[api] [api]
api = ./api api = ./api
template = ./api_template template = ./api_template
[mastodon] [mastodon]
send = true send = false
host = localhost host = localhost
token = aaaaa-bbbbb-ccccc-ddddd-eeeee token = aaaaa-bbbbb-ccccc-ddddd-eeeee

View file

@ -50,6 +50,36 @@ def print_config(config):
else: else:
logging.debug(' {}: {}'.format(i, config[section][i])) logging.debug(' {}: {}'.format(i, config[section][i]))
def create_ssl_context(config):
'''
Creates the ssl context.
return: context object or None
'''
context = None
requirement = None
required = config['client']['required'].lower()
if required == 'false':
requirement = ssl.CERT_NONE
elif required == 'may':
requirement = ssl.CERT_OPTIONAL
else: requirement = ssl.CERT_REQUIRED
try:
context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
context.verify_mode = requirement
context.load_cert_chain(certfile=config['server']['cert'],
keyfile=config['server']['key'])
context.load_verify_locations(cafile=config['client']['cert'])
# ensure, compression is disabled (disabled by default anyway at the moment)
context.options |= ssl.OP_NO_COMPRESSION
context.options = ssl.PROTOCOL_TLS_SERVER
context.options = ssl.OP_CIPHER_SERVER_PREFERENCE
logging.debug('SSL context created')
except Exception as e:
logging.error('Failed to create SSL context')
logging.error('Error: {}'.format(e))
return None
return context
def print_ciphers(cipherlist): def print_ciphers(cipherlist):
''' '''
Prints the list of allowed ciphers. Prints the list of allowed ciphers.
@ -283,7 +313,8 @@ def main():
'key': './certs/server.key' 'key': './certs/server.key'
}, },
'client': { 'client': {
'cert': './certs/client.crt' 'cert': './certs/client.crt',
'required': 'true'
}, },
'api': { 'api': {
'api': './api', 'api': './api',
@ -320,16 +351,11 @@ def main():
logging.error('Cert check failed\nExit') logging.error('Cert check failed\nExit')
sys.exit(1) sys.exit(1)
context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH) # ssl context erstellen
context.verify_mode = ssl.CERT_OPTIONAL context = create_ssl_context(config)
context.load_cert_chain(certfile=config['server']['cert'], if context is not None:
keyfile=config['server']['key'])
context.load_verify_locations(cafile=config['client']['cert'])
context.options = ssl.OP_CIPHER_SERVER_PREFERENCE
# ensure, compression is disabled (disabled by default anyway at the moment)
context.options |= ssl.OP_NO_COMPRESSION
logging.debug('SSL context created')
print_context(context) print_context(context)
else: sys.exit(2)
try: try:
# tcp socket öffnen => MySocket # tcp socket öffnen => MySocket
@ -347,7 +373,7 @@ def main():
except Exception as e: except Exception as e:
logging.error('Unable to bind and listen') logging.error('Unable to bind and listen')
logging.error('{}'.format(e)) logging.error('{}'.format(e))
sys.exit(1) sys.exit(3)
# endlos auf verbindungen warten => ClientSocket # endlos auf verbindungen warten => ClientSocket
while True: while True:
ClientSocket, ClientAddress = MySocket.accept() ClientSocket, ClientAddress = MySocket.accept()
@ -384,7 +410,7 @@ def main():
Connection.close() Connection.close()
except KeyboardInterrupt: except KeyboardInterrupt:
logging.info('Keyboard interrupt received') logging.info('Keyboard interrupt received')
sys.exit(1) sys.exit(255)
except Exception as e: except Exception as e:
logging.error('{}'.format(e)) logging.error('{}'.format(e))
finally: finally: