Fix: apistatusd.py

- Changed apistatusd.conf: set server.host default value to 0.0.0.0 to improve error messages; needs checking if this disabled ipv6 - Changed apistatusd.conf: renamed default client.cert filename to improve meaning - Fix create_ssl_context: context.options was reset by misuse of `=` instead of binary or assignment `|=` - Changed main/socket-creation: disabled keepalive - Fix main/connection/pre-ssl-handshake: set missing tls handshake timeout; code went into infinite waiting block - Some cleanup
2023-10-23 23:50:29 +02:00 · 2023-10-23 23:50:29 +02:00 · d9cf4695b8
parent 26e6ae6374
commit d9cf4695b8
2 changed files with 20 additions and 15 deletions
--- a/source/server/apistatusd.conf
+++ b/source/server/apistatusd.conf
@ -12,14 +12,14 @@ timeout = 5.0
 loglevel = debug

 [server]
-host = localhost
+host = 0.0.0.0
 port = 10001
 cert = ./certs/statusd-pub.pem
 key = ./certs/statusd-key.pem

 [client]
-cert = ./certs/statusclient-pub.pem
-# possible values: true, false, may
+cert = ./certs/client-ca.pem
+# possible values: false, may, true
 required = true

 [api]
--- a/source/server/apistatusd.py
+++ b/source/server/apistatusd.py
@ -56,23 +56,25 @@ def create_ssl_context(config):
    return: context object or None
    '''
    context = None
-    requirement = None
+    requirement = ssl.CERT_REQUIRED
    required = config['client']['required'].lower()
+
    if required == 'false':
        requirement = ssl.CERT_NONE
    elif required == 'may':
        requirement = ssl.CERT_OPTIONAL
-    else: requirement = ssl.CERT_REQUIRED
+
    try:
        context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
        context.verify_mode = requirement
        context.load_cert_chain(certfile=config['server']['cert'],
                                keyfile=config['server']['key'])
        context.load_verify_locations(cafile=config['client']['cert'])
+        #context.minimum_version = ssl.TLSVersion.TLSv1_2
+        #context.maximum_version = ssl.TLSVersion.TLSv1_2
        # ensure, compression is disabled (disabled by default anyway at the moment)
        context.options |= ssl.OP_NO_COMPRESSION
-        context.options = ssl.PROTOCOL_TLS_SERVER
-        context.options = ssl.OP_CIPHER_SERVER_PREFERENCE
+        context.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
        logging.debug('SSL context created')
    except Exception as e:
        logging.error('Failed to create SSL context')
@ -101,7 +103,7 @@ def print_context(ctx):
    logging.debug('Minimum version ssl: {}'.format(ctx.minimum_version))
    logging.debug('Maximum version ssl: {}'.format(ctx.maximum_version))
    logging.debug('SSL options enabled: {}'.format(ctx.options))
-    logging.debug('Protocol: {}'.format(ctx.protocol))
+    logging.debug('Protocol: {}'.format(ssl.get_protocol_name(ctx.protocol)))
    logging.debug('Verify flags certificates: {}'.format(ctx.verify_flags))
    logging.debug('Verify mode: {}'.format(ctx.verify_mode))
    print_ciphers(ctx.get_ciphers())
@ -415,18 +417,18 @@ def main():

    # ssl context erstellen
    context = create_ssl_context(config)
-    if context is not None:
-        print_context(context)
-    else: sys.exit(2)
+    if context is None:
+        sys.exit(2)
+    print_context(context)

    try:
        # tcp socket öffnen => MySocket
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0) as MySocket:
            logging.debug('TCP Socket created')
            MySocket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
-            MySocket.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
-            keep = MySocket.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE)
-            logging.debug('Socket keepalive: {}'.format(keep))
+            # MySocket.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
+            # keep = MySocket.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE)
+            # logging.debug('Socket keepalive: {}'.format(keep))
            try:
                MySocket.bind((config['server']['host'], int(config['server']['port'])))
                MySocket.listen(5)
@ -442,6 +444,8 @@ def main():
                logging.info('Client connected: {}:{}'.format(ClientAddress[0], ClientAddress[1]))
                # die verbindung in den ssl-context verpacken => Connection
                try:
+                    ClientSocket.settimeout(float(config['general']['timeout']))
+                    logging.debug('set ssl handshake timeout to {}s'.format(ClientSocket.gettimeout()))
                    Connection = context.wrap_socket(ClientSocket, server_side=True)
                    logging.info('SSL Connection established')
                    Connection.settimeout(float(config['general']['timeout']))
@ -466,7 +470,8 @@ def main():
                            logging.error('InitException: {}'.format(e))
                        except Exception as ex:
                            logging.debug('Exception: {}'.format(ex))
-                    else: logging.debug('Toot is set to false')
+                    else:
+                        logging.debug('Toot is set to false')
                    logging.debug('Send {} back'.format(raw_data))
                    Connection.send(answer)
                    Connection.close()