verify_mode ueber config setzbar, ssl context in funktion ausgelagert
This commit is contained in:
parent
aed3616cf8
commit
991eeea9f8
2 changed files with 42 additions and 14 deletions
|
@ -19,13 +19,15 @@ key = ./certs/statusd-key.pem
|
||||||
|
|
||||||
[client]
|
[client]
|
||||||
cert = ./certs/statusclient-pub.pem
|
cert = ./certs/statusclient-pub.pem
|
||||||
|
# possible values: true, false, may
|
||||||
|
required = true
|
||||||
|
|
||||||
[api]
|
[api]
|
||||||
api = ./api
|
api = ./api
|
||||||
template = ./api_template
|
template = ./api_template
|
||||||
|
|
||||||
[mastodon]
|
[mastodon]
|
||||||
send = true
|
send = false
|
||||||
host = localhost
|
host = localhost
|
||||||
token = aaaaa-bbbbb-ccccc-ddddd-eeeee
|
token = aaaaa-bbbbb-ccccc-ddddd-eeeee
|
||||||
|
|
||||||
|
|
|
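Review bot: The `[mastodon]` section flips `send = true` to `send = false`, which is unrelated to the verify_mode change described in the commit title and should either be split into its own commit or mentioned in the message. The new `# possible values: true, false, may` comment documents the accepted values, but the matching `create_ssl_context` in this commit treats anything other than `false` or `may` as required, so a typo silently falls back to `CERT_REQUIRED`; stating that fail-closed behaviour in the comment, e.g. `# possible values: true, false, may (anything else is treated as true)`, would save operators a surprise.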
@ -50,6 +50,36 @@ def print_config(config):
|
||||||
else:
|
else:
|
||||||
logging.debug(' {}: {}'.format(i, config[section][i]))
|
logging.debug(' {}: {}'.format(i, config[section][i]))
|
||||||
|
|
||||||
|
def create_ssl_context(config):
|
||||||
|
'''
|
||||||
|
Creates the ssl context.
|
||||||
|
return: context object or None
|
||||||
|
'''
|
||||||
|
context = None
|
||||||
|
requirement = None
|
||||||
|
required = config['client']['required'].lower()
|
||||||
|
if required == 'false':
|
||||||
|
requirement = ssl.CERT_NONE
|
||||||
|
elif required == 'may':
|
||||||
|
requirement = ssl.CERT_OPTIONAL
|
||||||
|
else: requirement = ssl.CERT_REQUIRED
|
||||||
|
try:
|
||||||
|
context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
|
||||||
|
context.verify_mode = requirement
|
||||||
|
context.load_cert_chain(certfile=config['server']['cert'],
|
||||||
|
keyfile=config['server']['key'])
|
||||||
|
context.load_verify_locations(cafile=config['client']['cert'])
|
||||||
|
# ensure, compression is disabled (disabled by default anyway at the moment)
|
||||||
|
context.options |= ssl.OP_NO_COMPRESSION
|
||||||
|
context.options = ssl.PROTOCOL_TLS_SERVER
|
||||||
|
context.options = ssl.OP_CIPHER_SERVER_PREFERENCE
|
||||||
|
logging.debug('SSL context created')
|
||||||
|
except Exception as e:
|
||||||
|
logging.error('Failed to create SSL context')
|
||||||
|
logging.error('Error: {}'.format(e))
|
||||||
|
return None
|
||||||
|
return context
|
||||||
|
|
||||||
def print_ciphers(cipherlist):
|
def print_ciphers(cipherlist):
|
||||||
'''
|
'''
|
||||||
Prints the list of allowed ciphers.
|
Prints the list of allowed ciphers.
|
||||||
|
@ -283,7 +313,8 @@ def main():
|
||||||
'key': './certs/server.key'
|
'key': './certs/server.key'
|
||||||
},
|
},
|
||||||
'client': {
|
'client': {
|
||||||
'cert': './certs/client.crt'
|
'cert': './certs/client.crt',
|
||||||
|
'required': 'true'
|
||||||
},
|
},
|
||||||
'api': {
|
'api': {
|
||||||
'api': './api',
|
'api': './api',
|
||||||
|
@ -320,16 +351,11 @@ def main():
|
||||||
logging.error('Cert check failed\nExit')
|
logging.error('Cert check failed\nExit')
|
||||||
sys.exit(1)
|
sys.exit(1)
|
||||||
|
|
||||||
context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
|
# ssl context erstellen
|
||||||
context.verify_mode = ssl.CERT_OPTIONAL
|
context = create_ssl_context(config)
|
||||||
context.load_cert_chain(certfile=config['server']['cert'],
|
if context is not None:
|
||||||
keyfile=config['server']['key'])
|
|
||||||
context.load_verify_locations(cafile=config['client']['cert'])
|
|
||||||
context.options = ssl.OP_CIPHER_SERVER_PREFERENCE
|
|
||||||
# ensure, compression is disabled (disabled by default anyway at the moment)
|
|
||||||
context.options |= ssl.OP_NO_COMPRESSION
|
|
||||||
logging.debug('SSL context created')
|
|
||||||
print_context(context)
|
print_context(context)
|
||||||
|
else: sys.exit(2)
|
||||||
|
|
||||||
try:
|
try:
|
||||||
# tcp socket öffnen => MySocket
|
# tcp socket öffnen => MySocket
|
||||||
|
@ -347,7 +373,7 @@ def main():
|
||||||
except Exception as e:
|
except Exception as e:
|
||||||
logging.error('Unable to bind and listen')
|
logging.error('Unable to bind and listen')
|
||||||
logging.error('{}'.format(e))
|
logging.error('{}'.format(e))
|
||||||
sys.exit(1)
|
sys.exit(3)
|
||||||
# endlos auf verbindungen warten => ClientSocket
|
# endlos auf verbindungen warten => ClientSocket
|
||||||
while True:
|
while True:
|
||||||
ClientSocket, ClientAddress = MySocket.accept()
|
ClientSocket, ClientAddress = MySocket.accept()
|
||||||
|
@ -384,7 +410,7 @@ def main():
|
||||||
Connection.close()
|
Connection.close()
|
||||||
except KeyboardInterrupt:
|
except KeyboardInterrupt:
|
||||||
logging.info('Keyboard interrupt received')
|
logging.info('Keyboard interrupt received')
|
||||||
sys.exit(1)
|
sys.exit(255)
|
||||||
except Exception as e:
|
except Exception as e:
|
||||||
logging.error('{}'.format(e))
|
logging.error('{}'.format(e))
|
||||||
finally:
|
finally:
|
||||||
|
|
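Review bot: In `create_ssl_context`, `context.options = ssl.PROTOCOL_TLS_SERVER` and `context.options = ssl.OP_CIPHER_SERVER_PREFERENCE` assign the option bitmask instead of OR-ing into it, so the `OP_NO_COMPRESSION` bit set two lines earlier and the hardening options that `create_default_context` pre-sets are discarded; `PROTOCOL_TLS_SERVER` is also a protocol constant, not an option flag, and has no meaning in `options` (the server role already comes from `Purpose.CLIENT_AUTH`). The removed code in `main()` had the same `=` assignment, so the commit moves an existing bug into the helper and adds a second one by reordering the lines. Drop the `PROTOCOL_TLS_SERVER` line and change the remaining one to `context.options |= ssl.OP_CIPHER_SERVER_PREFERENCE`. Separately, `config['client']['required'].lower()` runs before the `try`, so a config without that key raises `KeyError` instead of returning `None` as the docstring promises; this may be covered by the default dict added to `main()` in this commit, but moving the lookup inside the `try` or passing a default would make the helper self-contained.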