Fix: apistatusd.py
- Changed apistatusd.conf: set the server.host default value to 0.0.0.0 to improve error messages; needs checking whether this disables IPv6 - Changed apistatusd.conf: renamed the default client.cert filename to make its purpose clearer - Fix create_ssl_context: context.options was reset by misuse of `=` instead of the bitwise-or assignment `|=` - Changed main/socket-creation: disabled keepalive - Fix main/connection/pre-ssl-handshake: set the missing TLS handshake timeout; the code went into an infinite wait - Some cleanup
This commit is contained in:
parent
26e6ae6374
commit
d9cf4695b8
2 changed files with 20 additions and 15 deletions
|
@ -12,14 +12,14 @@ timeout = 5.0
|
|||
loglevel = debug
|
||||
|
||||
[server]
|
||||
host = localhost
|
||||
host = 0.0.0.0
|
||||
port = 10001
|
||||
cert = ./certs/statusd-pub.pem
|
||||
key = ./certs/statusd-key.pem
|
||||
|
||||
[client]
|
||||
cert = ./certs/statusclient-pub.pem
|
||||
# possible values: true, false, may
|
||||
cert = ./certs/client-ca.pem
|
||||
# possible values: false, may, true
|
||||
required = true
|
||||
|
||||
[api]
|
||||
|
|
|
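Review bot: The new `host = 0.0.0.0` default binds the listener on every IPv4 interface of the machine, which is a wider exposure than the previous `localhost` default, and nothing in the conf says so; a comment next to the key would make the trade-off visible, e.g. `# 0.0.0.0 listens on all IPv4 interfaces; use 127.0.0.1 to keep the daemon local`. On the IPv6 question raised in the commit message: the listening socket in main is created with socket.AF_INET, so IPv6 was not bound with either host value, and a dual-stack listener would need an AF_INET6 socket rather than a different host string. The renamed `# possible values: false, may, true` comment could also state that, as far as the create_ssl_context hunk shows, any other value is treated as true (CERT_REQUIRED), which is the safe direction but worth documenting for whoever edits the file.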
@ -56,23 +56,25 @@ def create_ssl_context(config):
|
|||
return: context object or None
|
||||
'''
|
||||
context = None
|
||||
requirement = None
|
||||
requirement = ssl.CERT_REQUIRED
|
||||
required = config['client']['required'].lower()
|
||||
|
||||
if required == 'false':
|
||||
requirement = ssl.CERT_NONE
|
||||
elif required == 'may':
|
||||
requirement = ssl.CERT_OPTIONAL
|
||||
else: requirement = ssl.CERT_REQUIRED
|
||||
|
||||
try:
|
||||
context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
|
||||
context.verify_mode = requirement
|
||||
context.load_cert_chain(certfile=config['server']['cert'],
|
||||
keyfile=config['server']['key'])
|
||||
context.load_verify_locations(cafile=config['client']['cert'])
|
||||
#context.minimum_version = ssl.TLSVersion.TLSv1_2
|
||||
#context.maximum_version = ssl.TLSVersion.TLSv1_2
|
||||
# ensure, compression is disabled (disabled by default anyway at the moment)
|
||||
context.options |= ssl.OP_NO_COMPRESSION
|
||||
context.options = ssl.PROTOCOL_TLS_SERVER
|
||||
context.options = ssl.OP_CIPHER_SERVER_PREFERENCE
|
||||
context.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
|
||||
logging.debug('SSL context created')
|
||||
except Exception as e:
|
||||
logging.error('Failed to create SSL context')
|
||||
|
@ -101,7 +103,7 @@ def print_context(ctx):
|
|||
logging.debug('Minimum version ssl: {}'.format(ctx.minimum_version))
|
||||
logging.debug('Maximum version ssl: {}'.format(ctx.maximum_version))
|
||||
logging.debug('SSL options enabled: {}'.format(ctx.options))
|
||||
logging.debug('Protocol: {}'.format(ctx.protocol))
|
||||
logging.debug('Protocol: {}'.format(ssl.get_protocol_name(ctx.protocol)))
|
||||
logging.debug('Verify flags certificates: {}'.format(ctx.verify_flags))
|
||||
logging.debug('Verify mode: {}'.format(ctx.verify_mode))
|
||||
print_ciphers(ctx.get_ciphers())
|
||||
|
@ -415,18 +417,18 @@ def main():
|
|||
|
||||
# ssl context erstellen
|
||||
context = create_ssl_context(config)
|
||||
if context is not None:
|
||||
print_context(context)
|
||||
else: sys.exit(2)
|
||||
if context is None:
|
||||
sys.exit(2)
|
||||
print_context(context)
|
||||
|
||||
try:
|
||||
# tcp socket öffnen => MySocket
|
||||
with socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0) as MySocket:
|
||||
logging.debug('TCP Socket created')
|
||||
MySocket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
|
||||
MySocket.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
|
||||
keep = MySocket.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE)
|
||||
logging.debug('Socket keepalive: {}'.format(keep))
|
||||
# MySocket.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
|
||||
# keep = MySocket.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE)
|
||||
# logging.debug('Socket keepalive: {}'.format(keep))
|
||||
try:
|
||||
MySocket.bind((config['server']['host'], int(config['server']['port'])))
|
||||
MySocket.listen(5)
|
||||
|
@ -442,6 +444,8 @@ def main():
|
|||
logging.info('Client connected: {}:{}'.format(ClientAddress[0], ClientAddress[1]))
|
||||
# die verbindung in den ssl-context verpacken => Connection
|
||||
try:
|
||||
ClientSocket.settimeout(float(config['general']['timeout']))
|
||||
logging.debug('set ssl handshake timeout to {}s'.format(ClientSocket.gettimeout()))
|
||||
Connection = context.wrap_socket(ClientSocket, server_side=True)
|
||||
logging.info('SSL Connection established')
|
||||
Connection.settimeout(float(config['general']['timeout']))
|
||||
|
@ -466,7 +470,8 @@ def main():
|
|||
logging.error('InitException: {}'.format(e))
|
||||
except Exception as ex:
|
||||
logging.debug('Exception: {}'.format(ex))
|
||||
else: logging.debug('Toot is set to false')
|
||||
else:
|
||||
logging.debug('Toot is set to false')
|
||||
logging.debug('Send {} back'.format(raw_data))
|
||||
Connection.send(answer)
|
||||
Connection.close()
|
||||
|
|
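Review bot: In create_ssl_context the `except Exception as e:` handler logs only 'Failed to create SSL context' and drops `e`, so a wrong certificate path, a key that does not match the certificate, or an unreadable CA file all produce the same line and the operator cannot tell which one made main exit with status 2; log the cause, `logging.error('Failed to create SSL context: %s', e)`, or use `logging.exception('Failed to create SSL context')` to keep the traceback. The two commented-out `minimum_version`/`maximum_version` lines are still left in the hunk; if the intent is a TLS 1.2 floor, enabling `context.minimum_version = ssl.TLSVersion.TLSv1_2` states it explicitly instead of relying on the default context (which, as far as I recall, only floors at TLS 1.2 on Python 3.10 and newer), while the maximum line should stay removed so TLS 1.3 is not excluded. The function's return lies outside the hunk.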