verify_mode ueber config setzbar, ssl context in funktion ausgelagert
This commit is contained in:
parent
aed3616cf8
commit
991eeea9f8
2 changed files with 42 additions and 14 deletions
|
@ -19,13 +19,15 @@ key = ./certs/statusd-key.pem
|
|||
|
||||
[client]
|
||||
cert = ./certs/statusclient-pub.pem
|
||||
# possible values: true, false, may
|
||||
required = true
|
||||
|
||||
[api]
|
||||
api = ./api
|
||||
template = ./api_template
|
||||
|
||||
[mastodon]
|
||||
send = true
|
||||
send = false
|
||||
host = localhost
|
||||
token = aaaaa-bbbbb-ccccc-ddddd-eeeee
|
||||
|
||||
|
|
|
@ -50,6 +50,36 @@ def print_config(config):
|
|||
else:
|
||||
logging.debug(' {}: {}'.format(i, config[section][i]))
|
||||
|
||||
def create_ssl_context(config):
|
||||
'''
|
||||
Creates the ssl context.
|
||||
return: context object or None
|
||||
'''
|
||||
context = None
|
||||
requirement = None
|
||||
required = config['client']['required'].lower()
|
||||
if required == 'false':
|
||||
requirement = ssl.CERT_NONE
|
||||
elif required == 'may':
|
||||
requirement = ssl.CERT_OPTIONAL
|
||||
else: requirement = ssl.CERT_REQUIRED
|
||||
try:
|
||||
context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
|
||||
context.verify_mode = requirement
|
||||
context.load_cert_chain(certfile=config['server']['cert'],
|
||||
keyfile=config['server']['key'])
|
||||
context.load_verify_locations(cafile=config['client']['cert'])
|
||||
# ensure, compression is disabled (disabled by default anyway at the moment)
|
||||
context.options |= ssl.OP_NO_COMPRESSION
|
||||
context.options = ssl.PROTOCOL_TLS_SERVER
|
||||
context.options = ssl.OP_CIPHER_SERVER_PREFERENCE
|
||||
logging.debug('SSL context created')
|
||||
except Exception as e:
|
||||
logging.error('Failed to create SSL context')
|
||||
logging.error('Error: {}'.format(e))
|
||||
return None
|
||||
return context
|
||||
|
||||
def print_ciphers(cipherlist):
|
||||
'''
|
||||
Prints the list of allowed ciphers.
|
||||
|
@ -283,7 +313,8 @@ def main():
|
|||
'key': './certs/server.key'
|
||||
},
|
||||
'client': {
|
||||
'cert': './certs/client.crt'
|
||||
'cert': './certs/client.crt',
|
||||
'required': 'true'
|
||||
},
|
||||
'api': {
|
||||
'api': './api',
|
||||
|
@ -320,16 +351,11 @@ def main():
|
|||
logging.error('Cert check failed\nExit')
|
||||
sys.exit(1)
|
||||
|
||||
context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
|
||||
context.verify_mode = ssl.CERT_OPTIONAL
|
||||
context.load_cert_chain(certfile=config['server']['cert'],
|
||||
keyfile=config['server']['key'])
|
||||
context.load_verify_locations(cafile=config['client']['cert'])
|
||||
context.options = ssl.OP_CIPHER_SERVER_PREFERENCE
|
||||
# ensure, compression is disabled (disabled by default anyway at the moment)
|
||||
context.options |= ssl.OP_NO_COMPRESSION
|
||||
logging.debug('SSL context created')
|
||||
print_context(context)
|
||||
# ssl context erstellen
|
||||
context = create_ssl_context(config)
|
||||
if context is not None:
|
||||
print_context(context)
|
||||
else: sys.exit(2)
|
||||
|
||||
try:
|
||||
# tcp socket öffnen => MySocket
|
||||
|
@ -347,7 +373,7 @@ def main():
|
|||
except Exception as e:
|
||||
logging.error('Unable to bind and listen')
|
||||
logging.error('{}'.format(e))
|
||||
sys.exit(1)
|
||||
sys.exit(3)
|
||||
# endlos auf verbindungen warten => ClientSocket
|
||||
while True:
|
||||
ClientSocket, ClientAddress = MySocket.accept()
|
||||
|
@ -384,7 +410,7 @@ def main():
|
|||
Connection.close()
|
||||
except KeyboardInterrupt:
|
||||
logging.info('Keyboard interrupt received')
|
||||
sys.exit(1)
|
||||
sys.exit(255)
|
||||
except Exception as e:
|
||||
logging.error('{}'.format(e))
|
||||
finally:
|
||||
|
|
Loading…
Reference in a new issue