Permalink
Browse files

Rework SSL setup logic, make reusable

  • Loading branch information...
BjarniRunar committed Sep 15, 2015
1 parent b832206 commit 99c128629012846813bda28cc91ab18cba6345d5
Showing with 33 additions and 14 deletions.
  1. +33 −14 sockschain/__init__.py
View
@@ -141,6 +141,7 @@ def __init__(self, method):
self.certchain_file = None
self.ca_certs = None
self.ciphers = None
+ self.options = 0
def use_privatekey_file(self, fn):
self.privatekey_file = fn
def use_certificate_chain_file(self, fn):
@@ -149,6 +150,11 @@ def set_cipher_list(self, ciphers):
self.ciphers = ciphers
def load_verify_locations(self, pemfile, capath=None):
self.ca_certs = pemfile
+ def set_options(self, options): # FIXME: this does nothing
+ self.options = options
+
+ if hasattr(ssl, 'PROTOCOL_SSLv23'):
+ SSL.SSLv23_METHOD = ssl.PROTOCOL_SSLv23
def SSL_CheckPeerName(fd, names):
cert = fd.getpeercert()
@@ -239,6 +245,31 @@ def DisableSSLCompression():
if DEBUG: DEBUG('disableSSLCompression: Failed')
+def MakeBestEffortSSLContext(weak=False, legacy=False, anonymous=False,
+ ciphers=None):
+ ssl_version, ssl_options = SSL.TLSv1_METHOD, 0
+ if hasattr(SSL, 'SSLv23_METHOD') and (weak or legacy):
+ ssl_version = SSL.SSLv23_METHOD
+
+ if hasattr(SSL, 'OP_NO_SSLv2') and not weak:
+ ssl_version = SSL.SSLv23_METHOD
+ ssl_options |= SSL.OP_NO_SSLv2
+ if hasattr(SSL, 'OP_NO_SSLv3'):
+ ssl_options |= SSL.OP_NO_SSLv3
+
+ if not ciphers:
+ if anonymous:
+ # Insecure and use anon ciphers - this is just camoflage
+ ciphers = 'aNULL'
+ else:
+ ciphers = 'HIGH:-aNULL:-eNULL:-PSK:RC4-SHA:RC4-MD5'
+
+ ctx = SSL.Context(ssl_version)
+ ctx.set_options(ssl_options)
+ ctx.set_cipher_list(ciphers)
+ return ctx
+
+
##[ SocksiPy itself ]#########################################################
PROXY_TYPE_DEFAULT = -1
@@ -870,12 +901,6 @@ def __negotiatehttpconnect(self, destaddr, destport, proxy):
self.__proxysockname = ("0.0.0.0", 0)
self.__proxypeername = (addr, destport)
- def __get_ca_ciphers(self):
- return 'HIGH:MEDIUM:!MD5'
-
- def __get_ca_anon_ciphers(self):
- return 'aNULL'
-
def __get_ca_certs(self):
return TLS_CA_CERTS
@@ -884,21 +909,15 @@ def __negotiatessl(self, destaddr, destport, proxy,
"""__negotiatessl(self, destaddr, destport, proxy)
Negotiates an SSL session.
"""
- ssl_version = SSL.TLSv1_METHOD
want_hosts = ca_certs = self_cert = None
- ciphers = self.__get_ca_ciphers()
- if anonymous:
- # Insecure and use anon ciphers - this is just camoflage
- ciphers = self.__get_ca_anon_ciphers()
- elif not weak:
+ if not weak and not anonymous:
# This is normal, secure mode.
self_cert = proxy[P_USER] or None
ca_certs = proxy[P_CACERTS] or self.__get_ca_certs() or None
want_hosts = proxy[P_CERTS] or [proxy[P_HOST]]
try:
- ctx = SSL.Context(ssl_version)
- ctx.set_cipher_list(ciphers)
+ ctx = MakeBestEffortSSLContext(weak=weak, anonymous=anonymous)
if self_cert:
ctx.use_certificate_chain_file(self_cert)
ctx.use_privatekey_file(self_cert)

0 comments on commit 99c1286

Please sign in to comment.