diff --git a/source/server/apistatusd.conf b/source/server/apistatusd.conf index 601204d..c99e004 100644 --- a/source/server/apistatusd.conf +++ b/source/server/apistatusd.conf @@ -12,14 +12,14 @@ timeout = 5.0 loglevel = debug [server] -host = localhost +host = 0.0.0.0 port = 10001 cert = ./certs/statusd-pub.pem key = ./certs/statusd-key.pem [client] -cert = ./certs/statusclient-pub.pem -# possible values: true, false, may +cert = ./certs/client-ca.pem +# possible values: false, may, true required = true [api] diff --git a/source/server/apistatusd.py b/source/server/apistatusd.py index 0154646..fe79acf 100755 --- a/source/server/apistatusd.py +++ b/source/server/apistatusd.py @@ -56,23 +56,25 @@ def create_ssl_context(config): return: context object or None ''' context = None - requirement = None + requirement = ssl.CERT_REQUIRED required = config['client']['required'].lower() + if required == 'false': requirement = ssl.CERT_NONE elif required == 'may': requirement = ssl.CERT_OPTIONAL - else: requirement = ssl.CERT_REQUIRED + try: context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH) context.verify_mode = requirement context.load_cert_chain(certfile=config['server']['cert'], keyfile=config['server']['key']) context.load_verify_locations(cafile=config['client']['cert']) + #context.minimum_version = ssl.TLSVersion.TLSv1_2 + #context.maximum_version = ssl.TLSVersion.TLSv1_2 # ensure, compression is disabled (disabled by default anyway at the moment) context.options |= ssl.OP_NO_COMPRESSION - context.options = ssl.PROTOCOL_TLS_SERVER - context.options = ssl.OP_CIPHER_SERVER_PREFERENCE + context.options |= ssl.OP_CIPHER_SERVER_PREFERENCE logging.debug('SSL context created') except Exception as e: logging.error('Failed to create SSL context') 
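Review bot: Changing `host` from `localhost` to `0.0.0.0` exposes the status daemon on every interface, where it was previously reachable only from the loopback; the hunk does not say whether that is intended for a firewalled host or a public one. With `required = true` and a CA-based `cert` this remains mutually authenticated, but a later edit that sets `required` to `false` or `may` would silently turn it into an unauthenticated network service, so a comment next to `host` should state the dependency: `# 0.0.0.0 listens on all interfaces; keep [client] required = true or restrict the port by firewall`. Since `cert` now names a CA rather than a single client certificate, every certificate that CA issues is accepted unless the server code checks the presented subject, which this hunk does not show; a comment such as `# CA whose issued certificates are accepted as clients` would make that explicit.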
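Review bot: With both `context.minimum_version` and `context.maximum_version` left commented out, the context keeps whatever floor `ssl.create_default_context` provides, which is only TLS 1.2 on recent Python releases; on older interpreters TLS 1.0/1.1 stay negotiable. Re-enable the floor alone, without pinning a ceiling that would block TLS 1.3: `context.minimum_version = ssl.TLSVersion.TLSv1_2`. Defaulting `requirement` to `ssl.CERT_REQUIRED` is the safe direction, but it also means a misspelled `required` value in the config now behaves as `true` without any trace; a `logging.warning` in a final `else:` branch for unrecognised values would surface that. The `except Exception as e` at the end of the hunk logs a fixed message; whether `e` itself is logged is outside the hunk, and create_ssl_context begins before it.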
@@ -101,7 +103,7 @@ def print_context(ctx): logging.debug('Minimum version ssl: {}'.format(ctx.minimum_version)) logging.debug('Maximum version ssl: {}'.format(ctx.maximum_version)) logging.debug('SSL options enabled: {}'.format(ctx.options)) - logging.debug('Protocol: {}'.format(ctx.protocol)) + logging.debug('Protocol: {}'.format(ssl.get_protocol_name(ctx.protocol))) logging.debug('Verify flags certificates: {}'.format(ctx.verify_flags)) logging.debug('Verify mode: {}'.format(ctx.verify_mode)) print_ciphers(ctx.get_ciphers()) @@ -415,18 +417,18 @@ def main(): # ssl context erstellen context = create_ssl_context(config) - if context is not None: - print_context(context) - else: sys.exit(2) + if context is None: + sys.exit(2) + print_context(context) try: # tcp socket öffnen => MySocket with socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0) as MySocket: logging.debug('TCP Socket created') MySocket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) - MySocket.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1) - keep = MySocket.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE) - logging.debug('Socket keepalive: {}'.format(keep)) + # MySocket.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1) + # keep = MySocket.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE) + # logging.debug('Socket keepalive: {}'.format(keep)) try: MySocket.bind((config['server']['host'], int(config['server']['port']))) MySocket.listen(5) @@ -442,6 +444,8 @@ def main(): logging.info('Client connected: {}:{}'.format(ClientAddress[0], ClientAddress[1])) # die verbindung in den ssl-context verpacken => Connection try: + ClientSocket.settimeout(float(config['general']['timeout'])) + logging.debug('set ssl handshake timeout to {}s'.format(ClientSocket.gettimeout())) Connection = context.wrap_socket(ClientSocket, server_side=True) logging.info('SSL Connection established') Connection.settimeout(float(config['general']['timeout'])) 
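Review bot: `ssl.get_protocol_name` is an undocumented module helper rather than part of the public ssl API, so the new log line depends on something that may change between Python releases. On current CPython `ctx.protocol` is an enum value, so the same label is available through a public attribute: `logging.debug('Protocol: {}'.format(ctx.protocol.name))`. print_context starts outside the hunk.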
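Review bot: The three `SO_KEEPALIVE` lines are left as commented-out code rather than removed, and nothing in the hunk explains why keepalive was dropped, so the next reader cannot tell whether this is temporary. Delete them, or replace them with a single why-comment if the reason is that the per-connection timeout now bounds idle clients, e.g. `# keepalive deliberately off: idle connections are bounded by general.timeout`; that reason is a guess from the later hunk and should be confirmed. main() begins before this hunk and continues after it.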
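Review bot: `float(config['general']['timeout'])` is now parsed twice per accepted connection, once on the new `ClientSocket.settimeout` line and again on the existing `Connection.settimeout` line; parse it once before the accept loop, `conn_timeout = float(config['general']['timeout'])`, and pass that to both calls. The second call is likely redundant, since `wrap_socket` carries the inner socket's timeout over to the SSLSocket, but it is harmless. Because the handshake can now raise `socket.timeout` (a `TimeoutError` subclass), the `except` clause that follows this hunk must close `ClientSocket`, otherwise each stalled client leaks an unwrapped socket; that clause is outside the hunk, as is the rest of the accept loop in main().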
@@ -466,7 +470,8 @@ def main(): logging.error('InitException: {}'.format(e)) except Exception as ex: logging.debug('Exception: {}'.format(ex)) - else: logging.debug('Toot is set to false') + else: + logging.debug('Toot is set to false') logging.debug('Send {} back'.format(raw_data)) Connection.send(answer) Connection.close()