
Rework SSL setup logic, make reusable

BjarniRunar committed Sep 15, 2015
1 parent b832206 commit 99c128629012846813bda28cc91ab18cba6345d5
Showing with 33 additions and 14 deletions.
  1. +33 −14 sockschain/__init__.py
@@ -141,6 +141,7 @@ def __init__(self, method):
self.certchain_file = None
self.ca_certs = None
self.ciphers = None
self.options = 0
def use_privatekey_file(self, fn):
self.privatekey_file = fn
def use_certificate_chain_file(self, fn):
@@ -149,6 +150,11 @@ def set_cipher_list(self, ciphers):
self.ciphers = ciphers
def load_verify_locations(self, pemfile, capath=None):
self.ca_certs = pemfile
def set_options(self, options): # FIXME: this does nothing
self.options = options

if hasattr(ssl, 'PROTOCOL_SSLv23'):
SSL.SSLv23_METHOD = ssl.PROTOCOL_SSLv23

def SSL_CheckPeerName(fd, names):
cert = fd.getpeercert()
@@ -239,6 +245,31 @@ def DisableSSLCompression():
if DEBUG: DEBUG('disableSSLCompression: Failed')


def MakeBestEffortSSLContext(weak=False, legacy=False, anonymous=False,
ciphers=None):
ssl_version, ssl_options = SSL.TLSv1_METHOD, 0
if hasattr(SSL, 'SSLv23_METHOD') and (weak or legacy):
ssl_version = SSL.SSLv23_METHOD

if hasattr(SSL, 'OP_NO_SSLv2') and not weak:
ssl_version = SSL.SSLv23_METHOD
ssl_options |= SSL.OP_NO_SSLv2
if hasattr(SSL, 'OP_NO_SSLv3'):
ssl_options |= SSL.OP_NO_SSLv3

if not ciphers:
if anonymous:
# Insecure and use anon ciphers - this is just camoflage
ciphers = 'aNULL'
else:
ciphers = 'HIGH:-aNULL:-eNULL:-PSK:RC4-SHA:RC4-MD5'

ctx = SSL.Context(ssl_version)
ctx.set_options(ssl_options)
ctx.set_cipher_list(ciphers)
return ctx


##[ SocksiPy itself ]#########################################################

PROXY_TYPE_DEFAULT = -1
@@ -870,12 +901,6 @@ def __negotiatehttpconnect(self, destaddr, destport, proxy):
self.__proxysockname = ("0.0.0.0", 0)
self.__proxypeername = (addr, destport)

def __get_ca_ciphers(self):
return 'HIGH:MEDIUM:!MD5'

def __get_ca_anon_ciphers(self):
return 'aNULL'

def __get_ca_certs(self):
return TLS_CA_CERTS

@@ -884,21 +909,15 @@ def __negotiatessl(self, destaddr, destport, proxy,
"""__negotiatessl(self, destaddr, destport, proxy)
Negotiates an SSL session.
"""
ssl_version = SSL.TLSv1_METHOD
want_hosts = ca_certs = self_cert = None
ciphers = self.__get_ca_ciphers()
if anonymous:
# Insecure and use anon ciphers - this is just camoflage
ciphers = self.__get_ca_anon_ciphers()
elif not weak:
if not weak and not anonymous:
# This is normal, secure mode.
self_cert = proxy[P_USER] or None
ca_certs = proxy[P_CACERTS] or self.__get_ca_certs() or None
want_hosts = proxy[P_CERTS] or [proxy[P_HOST]]

try:
ctx = SSL.Context(ssl_version)
ctx.set_cipher_list(ciphers)
ctx = MakeBestEffortSSLContext(weak=weak, anonymous=anonymous)
if self_cert:
ctx.use_certificate_chain_file(self_cert)
ctx.use_privatekey_file(self_cert)
