add --ssl-ver (ssl/tls versions to allow)
This commit is contained in:
		
							parent
							
								
									6c957c4923
								
							
						
					
					
						commit
						3365b1c355
					
				| @ -8,6 +8,7 @@ __copyright__ = 2019 | |||||||
| __license__ = "MIT" | __license__ = "MIT" | ||||||
| __url__ = "https://github.com/9001/copyparty/" | __url__ = "https://github.com/9001/copyparty/" | ||||||
| 
 | 
 | ||||||
|  | import re | ||||||
| import os | import os | ||||||
| import time | import time | ||||||
| import shutil | import shutil | ||||||
| @ -85,6 +86,51 @@ def ensure_cert(): | |||||||
|     # printf 'NO\n.\n.\n.\n.\ncopyparty-insecure\n.\n' | faketime '2000-01-01 00:00:00' openssl req -x509 -sha256 -newkey rsa:2048 -keyout insecure.pem -out insecure.pem -days $((($(printf %d 0x7fffffff)-$(date +%s --date=2000-01-01T00:00:00Z))/(60*60*24))) -nodes && ls -al insecure.pem && openssl x509 -in insecure.pem -text -noout |     # printf 'NO\n.\n.\n.\n.\ncopyparty-insecure\n.\n' | faketime '2000-01-01 00:00:00' openssl req -x509 -sha256 -newkey rsa:2048 -keyout insecure.pem -out insecure.pem -days $((($(printf %d 0x7fffffff)-$(date +%s --date=2000-01-01T00:00:00Z))/(60*60*24))) -nodes && ls -al insecure.pem && openssl x509 -in insecure.pem -text -noout | ||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
|  | def configure_ssl(al): | ||||||
|  |     import ssl | ||||||
|  | 
 | ||||||
|  |     def terse_sslver(txt): | ||||||
|  |         txt = txt.lower() | ||||||
|  |         for c in ["_", "v", "."]: | ||||||
|  |             txt = txt.replace(c, "") | ||||||
|  | 
 | ||||||
|  |         return txt.replace("tls10", "tls1") | ||||||
|  | 
 | ||||||
|  |     # oh man i love openssl | ||||||
|  |     # check this out | ||||||
|  |     # hold my beer | ||||||
|  |     ptn = re.compile(r"^OP_NO_(TLS|SSL)v") | ||||||
|  |     sslver = terse_sslver(al.ssl_ver).split(",") | ||||||
|  |     flags = [k for k in ssl.__dict__ if ptn.match(k)] | ||||||
|  |     # SSLv2 SSLv3 TLSv1 TLSv1_1 TLSv1_2 TLSv1_3 | ||||||
|  |     if "help" in sslver: | ||||||
|  |         avail = [terse_sslver(x[6:]) for x in flags] | ||||||
|  |         avail = " ".join(sorted(avail) + ["all"]) | ||||||
|  |         print("\navailable ssl/tls versions:\n  " + avail) | ||||||
|  |         return | ||||||
|  | 
 | ||||||
|  |     al.ssl_flags_en = 0 | ||||||
|  |     al.ssl_flags_de = 0 | ||||||
|  |     for flag in sorted(flags): | ||||||
|  |         ver = terse_sslver(flag[6:]) | ||||||
|  |         num = getattr(ssl, flag) | ||||||
|  |         if ver in sslver: | ||||||
|  |             al.ssl_flags_en |= num | ||||||
|  |         else: | ||||||
|  |             al.ssl_flags_de |= num | ||||||
|  | 
 | ||||||
|  |     if sslver == ["all"]: | ||||||
|  |         x = al.ssl_flags_en | ||||||
|  |         al.ssl_flags_en = al.ssl_flags_de | ||||||
|  |         al.ssl_flags_de = x | ||||||
|  | 
 | ||||||
|  |     for k in ["ssl_flags_en", "ssl_flags_de"]: | ||||||
|  |         num = getattr(al, k) | ||||||
|  |         print("{}: {:8x} ({})".format(k, num, num)) | ||||||
|  | 
 | ||||||
|  |     # think i need that beer now | ||||||
|  | 
 | ||||||
|  | 
 | ||||||
| def main(): | def main(): | ||||||
|     time.strptime("19970815", "%Y%m%d")  # python#7980 |     time.strptime("19970815", "%Y%m%d")  # python#7980 | ||||||
|     if WINDOWS: |     if WINDOWS: | ||||||
| @ -133,6 +179,9 @@ def main(): | |||||||
|               "save,get" dumps to file and returns the page like a GET |               "save,get" dumps to file and returns the page like a GET | ||||||
|               "print,get" prints the data in the log and returns GET |               "print,get" prints the data in the log and returns GET | ||||||
|               (leave out the ",get" to return an error instead) |               (leave out the ",get" to return an error instead) | ||||||
|  | 
 | ||||||
|  |             see "--ssl-ver help" for available ssl/tls versions, | ||||||
|  |               default is what python considers safe, usually >= TLS1 | ||||||
|             """ |             """ | ||||||
|         ), |         ), | ||||||
|     ) |     ) | ||||||
| @ -155,6 +204,7 @@ def main(): | |||||||
|     ap.add_argument("-nid", action="store_true", help="no info disk-usage") |     ap.add_argument("-nid", action="store_true", help="no info disk-usage") | ||||||
|     ap.add_argument("--no-sendfile", action="store_true", help="disable sendfile") |     ap.add_argument("--no-sendfile", action="store_true", help="disable sendfile") | ||||||
|     ap.add_argument("--urlform", type=str, default="print,get", help="how to handle url-forms") |     ap.add_argument("--urlform", type=str, default="print,get", help="how to handle url-forms") | ||||||
|  |     ap.add_argument("--ssl-ver", type=str, help="ssl/tls versions to allow") | ||||||
|     al = ap.parse_args() |     al = ap.parse_args() | ||||||
|     # fmt: on |     # fmt: on | ||||||
| 
 | 
 | ||||||
| @ -168,6 +218,9 @@ def main(): | |||||||
|     except: |     except: | ||||||
|         raise Exception("invalid value for -p") |         raise Exception("invalid value for -p") | ||||||
| 
 | 
 | ||||||
|  |     if al.ssl_ver: | ||||||
|  |         configure_ssl(al) | ||||||
|  | 
 | ||||||
|     SvcHub(al).run() |     SvcHub(al).run() | ||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
|  | |||||||
| @ -134,6 +134,16 @@ class HttpCli(object): | |||||||
|             uparam["raw"] = True |             uparam["raw"] = True | ||||||
|             uparam["dots"] = True |             uparam["dots"] = True | ||||||
| 
 | 
 | ||||||
|  |         if hasattr(self.s, "cipher"): | ||||||
|  |             self.ssl_suf = "".join( | ||||||
|  |                 [ | ||||||
|  |                     " \033[3{}m{}".format(c, s) | ||||||
|  |                     for c, s in zip([6, 3, 6], self.s.cipher()) | ||||||
|  |                 ] | ||||||
|  |             ) | ||||||
|  |         else: | ||||||
|  |             self.ssl_suf = "" | ||||||
|  | 
 | ||||||
|         try: |         try: | ||||||
|             if self.mode in ["GET", "HEAD"]: |             if self.mode in ["GET", "HEAD"]: | ||||||
|                 return self.handle_get() and self.keepalive |                 return self.handle_get() and self.keepalive | ||||||
| @ -211,7 +221,7 @@ class HttpCli(object): | |||||||
| 
 | 
 | ||||||
|             logmsg += " [\033[36m" + rval + "\033[0m]" |             logmsg += " [\033[36m" + rval + "\033[0m]" | ||||||
| 
 | 
 | ||||||
|         self.log(logmsg) |         self.log(logmsg + self.ssl_suf) | ||||||
| 
 | 
 | ||||||
|         # "embedded" resources |         # "embedded" resources | ||||||
|         if self.vpath.startswith(".cpr"): |         if self.vpath.startswith(".cpr"): | ||||||
| @ -245,7 +255,7 @@ class HttpCli(object): | |||||||
|         return self.tx_browser() |         return self.tx_browser() | ||||||
| 
 | 
 | ||||||
|     def handle_options(self): |     def handle_options(self): | ||||||
|         self.log("OPTIONS " + self.req) |         self.log("OPTIONS " + self.req + self.ssl_suf) | ||||||
|         self.send_headers( |         self.send_headers( | ||||||
|             None, |             None, | ||||||
|             204, |             204, | ||||||
| @ -258,7 +268,7 @@ class HttpCli(object): | |||||||
|         return True |         return True | ||||||
| 
 | 
 | ||||||
|     def handle_put(self): |     def handle_put(self): | ||||||
|         self.log("PUT " + self.req) |         self.log("PUT " + self.req + self.ssl_suf) | ||||||
| 
 | 
 | ||||||
|         if self.headers.get("expect", "").lower() == "100-continue": |         if self.headers.get("expect", "").lower() == "100-continue": | ||||||
|             try: |             try: | ||||||
| @ -269,7 +279,7 @@ class HttpCli(object): | |||||||
|         return self.handle_stash() |         return self.handle_stash() | ||||||
| 
 | 
 | ||||||
|     def handle_post(self): |     def handle_post(self): | ||||||
|         self.log("POST " + self.req) |         self.log("POST " + self.req + self.ssl_suf) | ||||||
| 
 | 
 | ||||||
|         if self.headers.get("expect", "").lower() == "100-continue": |         if self.headers.get("expect", "").lower() == "100-continue": | ||||||
|             try: |             try: | ||||||
|  | |||||||
| @ -109,9 +109,13 @@ class HttpConn(object): | |||||||
| 
 | 
 | ||||||
|             self.log_src = self.log_src.replace("[36m", "[35m") |             self.log_src = self.log_src.replace("[36m", "[35m") | ||||||
|             try: |             try: | ||||||
|                 self.s = ssl.wrap_socket( |                 ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH) | ||||||
|                     self.s, server_side=True, certfile=self.cert_path |                 ctx.load_cert_chain(self.cert_path) | ||||||
|                 ) |                 if self.args.ssl_ver: | ||||||
|  |                     ctx.options &= ~self.args.ssl_flags_en | ||||||
|  |                     ctx.options |= self.args.ssl_flags_de | ||||||
|  |                     # print(repr(ctx.options)) | ||||||
|  |                 self.s = ctx.wrap_socket(self.s, server_side=True) | ||||||
|             except Exception as ex: |             except Exception as ex: | ||||||
|                 em = str(ex) |                 em = str(ex) | ||||||
| 
 | 
 | ||||||
|  | |||||||
		Loading…
	
		Reference in New Issue
	
	Block a user
	 ed
						ed