TLS tuning
- allow TLS > 1.0 with python >= 2.7.9 - tune ssl_context with python >= 2.7.9
This commit is contained in:
parent
c738d93056
commit
5ceb920bd6
|
@ -293,9 +293,17 @@ class receiveDataThread(threading.Thread):
|
|||
if ((self.services & protocol.NODE_SSL == protocol.NODE_SSL) and
|
||||
protocol.haveSSL(not self.initiatedConnection)):
|
||||
logger.debug("Initialising TLS")
|
||||
self.sslSock = ssl.wrap_socket(self.sock, keyfile = os.path.join(paths.codePath(), 'sslkeys', 'key.pem'), certfile = os.path.join(paths.codePath(), 'sslkeys', 'cert.pem'), server_side = not self.initiatedConnection, ssl_version=ssl.PROTOCOL_TLSv1, do_handshake_on_connect=False, ciphers='AECDH-AES256-SHA')
|
||||
if hasattr(self.sslSock, "context"):
|
||||
self.sslSock.context.set_ecdh_curve("secp256k1")
|
||||
if sys.version_info >= (2,7,9):
|
||||
context = ssl.create_default_context(purpose = ssl.Purpose.CLIENT_AUTH if self.initiatedConnection else ssl.Purpose.SERVER_AUTH)
|
||||
context.set_ciphers("AECDH-AES256-SHA")
|
||||
context.set_ecdh_curve("secp256k1")
|
||||
context.check_hostname = False
|
||||
context.verify_mode = ssl.CERT_NONE
|
||||
# also exclude TLSv1 and TLSv1.1 in the future
|
||||
context.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
|
||||
self.sslSock = context.wrap_socket(self.sock, server_side = not self.initiatedConnection, do_handshake_on_connect=False)
|
||||
else:
|
||||
self.sslSock = ssl.wrap_socket(self.sock, keyfile = os.path.join(paths.codePath(), 'sslkeys', 'key.pem'), certfile = os.path.join(paths.codePath(), 'sslkeys', 'cert.pem'), server_side = not self.initiatedConnection, ssl_version=protocol.sslProtocolVersion, do_handshake_on_connect=False, ciphers='AECDH-AES256-SHA')
|
||||
while True:
|
||||
try:
|
||||
self.sslSock.do_handshake()
|
||||
|
|
|
@ -6,6 +6,7 @@ import asyncore
|
|||
import socket
|
||||
import ssl
|
||||
|
||||
import protocol
|
||||
|
||||
class TLSHandshake(asyncore.dispatcher):
|
||||
"""
|
||||
|
@ -42,9 +43,19 @@ class TLSHandshake(asyncore.dispatcher):
|
|||
def handle_connect(self):
|
||||
# Once the connection has been established, it's safe to wrap the
|
||||
# socket.
|
||||
if sys.version_info >= (2,7,9):
|
||||
context = ssl.create_default_context(purpose = ssl.Purpose.SERVER_AUTH if self.server_side else ssl.Purpose.CLIENT_AUTH)
|
||||
context.set_ciphers(ciphers)
|
||||
# context.set_ecdh_curve("secp256k1")
|
||||
context.check_hostname = False
|
||||
context.verify_mode = ssl.CERT_NONE
|
||||
# also exclude TLSv1 and TLSv1.1 in the future
|
||||
context.options |= ssl.OP_NOSSLv2 | ssl.OP_NOSSLv3
|
||||
self.sslSock = context.wrap_socket(self.sock, server_side = self.server_side, do_handshake_on_connect=False)
|
||||
else:
|
||||
self.sslSocket = ssl.wrap_socket(self.socket,
|
||||
server_side=self.server_side,
|
||||
ssl_version=ssl.PROTOCOL_TLSv1,
|
||||
ssl_version=protocol.sslProtocolVersion,
|
||||
certfile=self.certfile,
|
||||
keyfile=self.keyfile,
|
||||
ciphers=self.ciphers,
|
||||
|
|
|
@ -77,16 +77,6 @@ def haveSSL(server = False):
|
|||
return True
|
||||
return False
|
||||
|
||||
def sslProtocolVersion():
|
||||
if sys.version_info >= (2,7,13):
|
||||
# in the future once TLS is mandatory, change this to ssl.PROTOCOL_TLS1.2
|
||||
return ssl.PROTOCOL_TLS
|
||||
elif sys.version_info >= (2,7,9):
|
||||
# once TLS is mandatory, add "ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1.1"
|
||||
return ssl.PROTOCOL_SSLv23 | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
|
||||
else:
|
||||
return ssl.PROTOCOL_TLS1
|
||||
|
||||
def checkSocksIP(host):
|
||||
try:
|
||||
if state.socksIP is None or not state.socksIP:
|
||||
|
@ -483,3 +473,17 @@ def broadcastToSendDataQueues(data):
|
|||
# logger.debug('running broadcastToSendDataQueues')
|
||||
for q in state.sendDataQueues:
|
||||
q.put(data)
|
||||
|
||||
# sslProtocolVersion
|
||||
if sys.version_info >= (2,7,13):
|
||||
# this means TLSv1 or higher
|
||||
# in the future change to
|
||||
# ssl.PROTOCOL_TLS1.2
|
||||
sslProtocolVersion = ssl.PROTOCOL_TLS
|
||||
elif sys.version_info >= (2,7,9):
|
||||
# this means any SSL/TLS. SSLv2 and 3 are excluded with an option after context is created
|
||||
sslProtocolVersion = ssl.PROTOCOL_SSLv23
|
||||
else:
|
||||
# this means TLSv1, there is no way to set "TLSv1 or higher" or
|
||||
# "TLSv1.2" in < 2.7.9
|
||||
sslProtocolVersion = ssl.PROTOCOL_TLSv1
|
||||
|
|
Reference in New Issue
Block a user