TLS tuning

- allow TLS > 1.0 with python >= 2.7.9
- tune ssl_context with python >= 2.7.9
Peter Šurda 2017-01-11 20:47:27 +01:00
parent c738d93056
commit 5ceb920bd6
Signed by: PeterSurda
GPG Key ID: 0C5F50C0B5F37D87
3 changed files with 38 additions and 15 deletions


@ -293,9 +293,17 @@ class receiveDataThread(threading.Thread):
if ((self.services & protocol.NODE_SSL == protocol.NODE_SSL) and
protocol.haveSSL(not self.initiatedConnection)):
logger.debug("Initialising TLS")
self.sslSock = ssl.wrap_socket(self.sock, keyfile = os.path.join(paths.codePath(), 'sslkeys', 'key.pem'), certfile = os.path.join(paths.codePath(), 'sslkeys', 'cert.pem'), server_side = not self.initiatedConnection, ssl_version=ssl.PROTOCOL_TLSv1, do_handshake_on_connect=False, ciphers='AECDH-AES256-SHA')
if hasattr(self.sslSock, "context"):
self.sslSock.context.set_ecdh_curve("secp256k1")
if sys.version_info >= (2,7,9):
context = ssl.create_default_context(purpose = ssl.Purpose.CLIENT_AUTH if self.initiatedConnection else ssl.Purpose.SERVER_AUTH)
context.set_ciphers("AECDH-AES256-SHA")
context.set_ecdh_curve("secp256k1")
context.check_hostname = False
context.verify_mode = ssl.CERT_NONE
# also exclude TLSv1 and TLSv1.1 in the future
context.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
self.sslSock = context.wrap_socket(self.sock, server_side = not self.initiatedConnection, do_handshake_on_connect=False)
else:
self.sslSock = ssl.wrap_socket(self.sock, keyfile = os.path.join(paths.codePath(), 'sslkeys', 'key.pem'), certfile = os.path.join(paths.codePath(), 'sslkeys', 'cert.pem'), server_side = not self.initiatedConnection, ssl_version=protocol.sslProtocolVersion, do_handshake_on_connect=False, ciphers='AECDH-AES256-SHA')
while True:
try:
self.sslSock.do_handshake()
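Review bot: The `purpose` argument in the added `create_default_context` call looks inverted: `ssl.Purpose.SERVER_AUTH` is for a client-side socket that authenticates a server, and `CLIENT_AUTH` is for a server-side socket. When `self.initiatedConnection` is true the line should read `purpose = ssl.Purpose.SERVER_AUTH if self.initiatedConnection else ssl.Purpose.CLIENT_AUTH`. The effect is limited today because `check_hostname` and `verify_mode` are overridden right after, but it is the wrong default to build on if verification is tightened later; the `handle_connect` hunk in the second file has the same inversion. A comment above `context.verify_mode = ssl.CERT_NONE` would also help, for example `# anonymous ECDH: the peer is not authenticated at the TLS layer, so this only protects against passive eavesdropping`. The enclosing method starts and ends outside the hunk.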


@ -6,6 +6,7 @@ import asyncore
import socket
import ssl
import protocol
class TLSHandshake(asyncore.dispatcher):
"""
@ -42,9 +43,19 @@ class TLSHandshake(asyncore.dispatcher):
def handle_connect(self):
# Once the connection has been established, it's safe to wrap the
# socket.
if sys.version_info >= (2,7,9):
context = ssl.create_default_context(purpose = ssl.Purpose.SERVER_AUTH if self.server_side else ssl.Purpose.CLIENT_AUTH)
context.set_ciphers(ciphers)
# context.set_ecdh_curve("secp256k1")
context.check_hostname = False
context.verify_mode = ssl.CERT_NONE
# also exclude TLSv1 and TLSv1.1 in the future
context.options |= ssl.OP_NOSSLv2 | ssl.OP_NOSSLv3
self.sslSock = context.wrap_socket(self.sock, server_side = self.server_side, do_handshake_on_connect=False)
else:
self.sslSocket = ssl.wrap_socket(self.socket,
server_side=self.server_side,
ssl_version=ssl.PROTOCOL_TLSv1,
ssl_version=protocol.sslProtocolVersion,
certfile=self.certfile,
keyfile=self.keyfile,
ciphers=self.ciphers,
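Review bot: The new `sys.version_info >= (2,7,9)` branch in `handle_connect` will fail at runtime as written: `ssl.OP_NOSSLv2` and `ssl.OP_NOSSLv3` do not exist (the constants are `ssl.OP_NO_SSLv2` and `ssl.OP_NO_SSLv3`, as spelled in the first file), and `ciphers` is a bare name where the else-branch uses `self.ciphers`. The branch also reads `self.sock` and stores into `self.sslSock`, while the else-branch uses `self.socket` and `self.sslSocket`, so the rest of the class would presumably never see the wrapped socket. Suggested lines: `context.set_ciphers(self.ciphers)`, `context.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3`, and `self.sslSocket = context.wrap_socket(self.socket, server_side = self.server_side, do_handshake_on_connect=False)`. No `import sys` is visible in the import hunk, so confirm it is in scope; `handle_connect` continues past the end of the hunk.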


@ -77,16 +77,6 @@ def haveSSL(server = False):
return True
return False
def sslProtocolVersion():
if sys.version_info >= (2,7,13):
# in the future once TLS is mandatory, change this to ssl.PROTOCOL_TLS1.2
return ssl.PROTOCOL_TLS
elif sys.version_info >= (2,7,9):
# once TLS is mandatory, add "ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1.1"
return ssl.PROTOCOL_SSLv23 | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
else:
return ssl.PROTOCOL_TLS1
def checkSocksIP(host):
try:
if state.socksIP is None or not state.socksIP:
@ -483,3 +473,17 @@ def broadcastToSendDataQueues(data):
# logger.debug('running broadcastToSendDataQueues')
for q in state.sendDataQueues:
q.put(data)
# sslProtocolVersion
if sys.version_info >= (2,7,13):
# this means TLSv1 or higher
# in the future change to
# ssl.PROTOCOL_TLS1.2
sslProtocolVersion = ssl.PROTOCOL_TLS
elif sys.version_info >= (2,7,9):
# this means any SSL/TLS. SSLv2 and 3 are excluded with an option after context is created
sslProtocolVersion = ssl.PROTOCOL_SSLv23
else:
# this means TLSv1, there is no way to set "TLSv1 or higher" or
# "TLSv1.2" in < 2.7.9
sslProtocolVersion = ssl.PROTOCOL_TLSv1
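Review bot: The comment on the 2.7.13 branch overstates what `ssl.PROTOCOL_TLS` guarantees. It is the renamed `PROTOCOL_SSLv23` and negotiates the highest version both peers support, so SSLv2/SSLv3 are excluded only when `OP_NO_SSLv2 | OP_NO_SSLv3` is set on a context. In the two call sites visible on this page the constant is passed only to `ssl.wrap_socket` in the pre-2.7.9 fallback, where it is always `PROTOCOL_TLSv1`, so the first two branches look unused unless another caller exists. I would reword the comment to `# negotiates the highest version both sides support; SSLv2/SSLv3 must be disabled via context options` and correct the future constant's spelling to `ssl.PROTOCOL_TLSv1_2`.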