TLS tuning

- allow TLS > 1.0 with python >= 2.7.9 - tune ssl_context with python >= 2.7.9
2017-01-11 20:47:27 +01:00 · 2017-01-11 20:47:27 +01:00 · 5ceb920bd6
commit 5ceb920bd6
parent c738d93056
3 changed files with 38 additions and 15 deletions
--- a/src/class_receiveDataThread.py
+++ b/src/class_receiveDataThread.py
@ -293,9 +293,17 @@ class receiveDataThread(threading.Thread):
        if ((self.services & protocol.NODE_SSL == protocol.NODE_SSL) and
            protocol.haveSSL(not self.initiatedConnection)):
            logger.debug("Initialising TLS")
-            self.sslSock = ssl.wrap_socket(self.sock, keyfile = os.path.join(paths.codePath(), 'sslkeys', 'key.pem'), certfile = os.path.join(paths.codePath(), 'sslkeys', 'cert.pem'), server_side = not self.initiatedConnection, ssl_version=ssl.PROTOCOL_TLSv1, do_handshake_on_connect=False, ciphers='AECDH-AES256-SHA')
-            if hasattr(self.sslSock, "context"):
-                self.sslSock.context.set_ecdh_curve("secp256k1")
+            if sys.version_info >= (2,7,9):
+                context = ssl.create_default_context(purpose = ssl.Purpose.CLIENT_AUTH if self.initiatedConnection else ssl.Purpose.SERVER_AUTH)
+                context.set_ciphers("AECDH-AES256-SHA")
+                context.set_ecdh_curve("secp256k1")
+                context.check_hostname = False
+                context.verify_mode = ssl.CERT_NONE
+                # also exclude TLSv1 and TLSv1.1 in the future
+                context.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
+                self.sslSock = context.wrap_socket(self.sock, server_side = not self.initiatedConnection, do_handshake_on_connect=False)
+            else:
+                self.sslSock = ssl.wrap_socket(self.sock, keyfile = os.path.join(paths.codePath(), 'sslkeys', 'key.pem'), certfile = os.path.join(paths.codePath(), 'sslkeys', 'cert.pem'), server_side = not self.initiatedConnection, ssl_version=protocol.sslProtocolVersion, do_handshake_on_connect=False, ciphers='AECDH-AES256-SHA')
            while True:
                try:
                    self.sslSock.do_handshake()
--- a/src/network/tls.py
+++ b/src/network/tls.py
@ -6,6 +6,7 @@ import asyncore
 import socket
 import ssl

+import protocol

 class TLSHandshake(asyncore.dispatcher):
    """
@ -42,9 +43,19 @@ class TLSHandshake(asyncore.dispatcher):
    def handle_connect(self):
        # Once the connection has been established, it's safe to wrap the
        # socket.
-        self.sslSocket = ssl.wrap_socket(self.socket,
+        if sys.version_info >= (2,7,9):
+            context = ssl.create_default_context(purpose = ssl.Purpose.SERVER_AUTH if self.server_side else ssl.Purpose.CLIENT_AUTH)
+            context.set_ciphers(ciphers)
+            # context.set_ecdh_curve("secp256k1")
+            context.check_hostname = False
+            context.verify_mode = ssl.CERT_NONE
+            # also exclude TLSv1 and TLSv1.1 in the future
+            context.options |= ssl.OP_NOSSLv2 | ssl.OP_NOSSLv3
+            self.sslSock = context.wrap_socket(self.sock, server_side = self.server_side, do_handshake_on_connect=False)
+        else:
+            self.sslSocket = ssl.wrap_socket(self.socket,
                                         server_side=self.server_side,
-                                         ssl_version=ssl.PROTOCOL_TLSv1,
+                                         ssl_version=protocol.sslProtocolVersion,
                                         certfile=self.certfile,
                                         keyfile=self.keyfile,
                                         ciphers=self.ciphers,
--- a/src/protocol.py
+++ b/src/protocol.py
@ -77,16 +77,6 @@ def haveSSL(server = False):
        return True
    return False

-def sslProtocolVersion():
-    if sys.version_info >= (2,7,13):
-        # in the future once TLS is mandatory, change this to ssl.PROTOCOL_TLS1.2
-        return ssl.PROTOCOL_TLS
-    elif sys.version_info >= (2,7,9):
-        # once TLS is mandatory, add "ssl.OP_NO_TLSv1 |  ssl.OP_NO_TLSv1.1"
-        return ssl.PROTOCOL_SSLv23 | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
-    else:
-        return ssl.PROTOCOL_TLS1
-
 def checkSocksIP(host):
    try:
        if state.socksIP is None or not state.socksIP:
@ -483,3 +473,17 @@ def broadcastToSendDataQueues(data):
    # logger.debug('running broadcastToSendDataQueues')
    for q in state.sendDataQueues:
        q.put(data)
+
+# sslProtocolVersion
+if sys.version_info >= (2,7,13):
+    # this means TLSv1 or higher
+    # in the future change to
+    # ssl.PROTOCOL_TLS1.2
+    sslProtocolVersion = ssl.PROTOCOL_TLS
+elif sys.version_info >= (2,7,9):
+    # this means any SSL/TLS. SSLv2 and 3 are excluded with an option after context is created
+    sslProtocolVersion = ssl.PROTOCOL_SSLv23
+else:
+    # this means TLSv1, there is no way to set "TLSv1 or higher" or
+    # "TLSv1.2" in < 2.7.9
+    sslProtocolVersion = ssl.PROTOCOL_TLSv1