TLS tuning
- allow TLS > 1.0 with python >= 2.7.9 - tune ssl_context with python >= 2.7.9
This commit is contained in:
parent
c738d93056
commit
5ceb920bd6
|
@ -293,9 +293,17 @@ class receiveDataThread(threading.Thread):
|
||||||
if ((self.services & protocol.NODE_SSL == protocol.NODE_SSL) and
|
if ((self.services & protocol.NODE_SSL == protocol.NODE_SSL) and
|
||||||
protocol.haveSSL(not self.initiatedConnection)):
|
protocol.haveSSL(not self.initiatedConnection)):
|
||||||
logger.debug("Initialising TLS")
|
logger.debug("Initialising TLS")
|
||||||
self.sslSock = ssl.wrap_socket(self.sock, keyfile = os.path.join(paths.codePath(), 'sslkeys', 'key.pem'), certfile = os.path.join(paths.codePath(), 'sslkeys', 'cert.pem'), server_side = not self.initiatedConnection, ssl_version=ssl.PROTOCOL_TLSv1, do_handshake_on_connect=False, ciphers='AECDH-AES256-SHA')
|
if sys.version_info >= (2,7,9):
|
||||||
if hasattr(self.sslSock, "context"):
|
context = ssl.create_default_context(purpose = ssl.Purpose.CLIENT_AUTH if self.initiatedConnection else ssl.Purpose.SERVER_AUTH)
|
||||||
self.sslSock.context.set_ecdh_curve("secp256k1")
|
context.set_ciphers("AECDH-AES256-SHA")
|
||||||
|
context.set_ecdh_curve("secp256k1")
|
||||||
|
context.check_hostname = False
|
||||||
|
context.verify_mode = ssl.CERT_NONE
|
||||||
|
# also exclude TLSv1 and TLSv1.1 in the future
|
||||||
|
context.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
|
||||||
|
self.sslSock = context.wrap_socket(self.sock, server_side = not self.initiatedConnection, do_handshake_on_connect=False)
|
||||||
|
else:
|
||||||
|
self.sslSock = ssl.wrap_socket(self.sock, keyfile = os.path.join(paths.codePath(), 'sslkeys', 'key.pem'), certfile = os.path.join(paths.codePath(), 'sslkeys', 'cert.pem'), server_side = not self.initiatedConnection, ssl_version=protocol.sslProtocolVersion, do_handshake_on_connect=False, ciphers='AECDH-AES256-SHA')
|
||||||
while True:
|
while True:
|
||||||
try:
|
try:
|
||||||
self.sslSock.do_handshake()
|
self.sslSock.do_handshake()
|
||||||
|
|
|
@ -6,6 +6,7 @@ import asyncore
|
||||||
import socket
|
import socket
|
||||||
import ssl
|
import ssl
|
||||||
|
|
||||||
|
import protocol
|
||||||
|
|
||||||
class TLSHandshake(asyncore.dispatcher):
|
class TLSHandshake(asyncore.dispatcher):
|
||||||
"""
|
"""
|
||||||
|
@ -42,9 +43,19 @@ class TLSHandshake(asyncore.dispatcher):
|
||||||
def handle_connect(self):
|
def handle_connect(self):
|
||||||
# Once the connection has been established, it's safe to wrap the
|
# Once the connection has been established, it's safe to wrap the
|
||||||
# socket.
|
# socket.
|
||||||
self.sslSocket = ssl.wrap_socket(self.socket,
|
if sys.version_info >= (2,7,9):
|
||||||
|
context = ssl.create_default_context(purpose = ssl.Purpose.SERVER_AUTH if self.server_side else ssl.Purpose.CLIENT_AUTH)
|
||||||
|
context.set_ciphers(ciphers)
|
||||||
|
# context.set_ecdh_curve("secp256k1")
|
||||||
|
context.check_hostname = False
|
||||||
|
context.verify_mode = ssl.CERT_NONE
|
||||||
|
# also exclude TLSv1 and TLSv1.1 in the future
|
||||||
|
context.options |= ssl.OP_NOSSLv2 | ssl.OP_NOSSLv3
|
||||||
|
self.sslSock = context.wrap_socket(self.sock, server_side = self.server_side, do_handshake_on_connect=False)
|
||||||
|
else:
|
||||||
|
self.sslSocket = ssl.wrap_socket(self.socket,
|
||||||
server_side=self.server_side,
|
server_side=self.server_side,
|
||||||
ssl_version=ssl.PROTOCOL_TLSv1,
|
ssl_version=protocol.sslProtocolVersion,
|
||||||
certfile=self.certfile,
|
certfile=self.certfile,
|
||||||
keyfile=self.keyfile,
|
keyfile=self.keyfile,
|
||||||
ciphers=self.ciphers,
|
ciphers=self.ciphers,
|
||||||
|
|
|
@ -77,16 +77,6 @@ def haveSSL(server = False):
|
||||||
return True
|
return True
|
||||||
return False
|
return False
|
||||||
|
|
||||||
def sslProtocolVersion():
|
|
||||||
if sys.version_info >= (2,7,13):
|
|
||||||
# in the future once TLS is mandatory, change this to ssl.PROTOCOL_TLS1.2
|
|
||||||
return ssl.PROTOCOL_TLS
|
|
||||||
elif sys.version_info >= (2,7,9):
|
|
||||||
# once TLS is mandatory, add "ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1.1"
|
|
||||||
return ssl.PROTOCOL_SSLv23 | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
|
|
||||||
else:
|
|
||||||
return ssl.PROTOCOL_TLS1
|
|
||||||
|
|
||||||
def checkSocksIP(host):
|
def checkSocksIP(host):
|
||||||
try:
|
try:
|
||||||
if state.socksIP is None or not state.socksIP:
|
if state.socksIP is None or not state.socksIP:
|
||||||
|
@ -483,3 +473,17 @@ def broadcastToSendDataQueues(data):
|
||||||
# logger.debug('running broadcastToSendDataQueues')
|
# logger.debug('running broadcastToSendDataQueues')
|
||||||
for q in state.sendDataQueues:
|
for q in state.sendDataQueues:
|
||||||
q.put(data)
|
q.put(data)
|
||||||
|
|
||||||
|
# sslProtocolVersion
|
||||||
|
if sys.version_info >= (2,7,13):
|
||||||
|
# this means TLSv1 or higher
|
||||||
|
# in the future change to
|
||||||
|
# ssl.PROTOCOL_TLS1.2
|
||||||
|
sslProtocolVersion = ssl.PROTOCOL_TLS
|
||||||
|
elif sys.version_info >= (2,7,9):
|
||||||
|
# this means any SSL/TLS. SSLv2 and 3 are excluded with an option after context is created
|
||||||
|
sslProtocolVersion = ssl.PROTOCOL_SSLv23
|
||||||
|
else:
|
||||||
|
# this means TLSv1, there is no way to set "TLSv1 or higher" or
|
||||||
|
# "TLSv1.2" in < 2.7.9
|
||||||
|
sslProtocolVersion = ssl.PROTOCOL_TLSv1
|
||||||
|
|
Reference in New Issue
Block a user