我们从Python开源项目中,提取了以下36个代码示例,用于说明如何使用OpenSSL.SSL.OP_NO_SSLv2()。
def _server(self, sock): """ Create a new server-side SSL L{Connection} object wrapped around C{sock}. """ # Create the server side Connection. This is mostly setup boilerplate # - use TLSv1, use a particular certificate, etc. server_ctx = Context(TLSv1_METHOD) server_ctx.set_options(OP_NO_SSLv2 | OP_NO_SSLv3 | OP_SINGLE_DH_USE ) server_ctx.set_verify(VERIFY_PEER|VERIFY_FAIL_IF_NO_PEER_CERT|VERIFY_CLIENT_ONCE, verify_cb) server_store = server_ctx.get_cert_store() server_ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem)) server_ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem)) server_ctx.check_privatekey() server_store.add_cert(load_certificate(FILETYPE_PEM, root_cert_pem)) # Here the Connection is actually created. If None is passed as the 2nd # parameter, it indicates a memory BIO should be created. server_conn = Connection(server_ctx, sock) server_conn.set_accept_state() return server_conn
def _client(self, sock): """ Create a new client-side SSL L{Connection} object wrapped around C{sock}. """ # Now create the client side Connection. Similar boilerplate to the # above. client_ctx = Context(TLSv1_METHOD) client_ctx.set_options(OP_NO_SSLv2 | OP_NO_SSLv3 | OP_SINGLE_DH_USE ) client_ctx.set_verify(VERIFY_PEER|VERIFY_FAIL_IF_NO_PEER_CERT|VERIFY_CLIENT_ONCE, verify_cb) client_store = client_ctx.get_cert_store() client_ctx.use_privatekey(load_privatekey(FILETYPE_PEM, client_key_pem)) client_ctx.use_certificate(load_certificate(FILETYPE_PEM, client_cert_pem)) client_ctx.check_privatekey() client_store.add_cert(load_certificate(FILETYPE_PEM, root_cert_pem)) client_conn = Connection(client_ctx, sock) client_conn.set_connect_state() return client_conn
def __init__(self, server_address, RequestHandlerClass): SocketServer.BaseServer.__init__( self, server_address, RequestHandlerClass ) # Same as normal, but make it secure: ctx = SSL.Context(SSL.SSLv23_METHOD) ctx.set_options(SSL.OP_NO_SSLv2) dir = os.curdir ctx.use_privatekey_file(os.path.join(dir, 'server.pkey')) ctx.use_certificate_file(os.path.join(dir, 'server.cert')) self.socket = SSLWrapper( SSL.Connection( ctx, socket.socket(self.address_family, self.socket_type) ) ) self.server_bind() self.server_activate()
def _server(self, sock): """ Create a new server-side SSL `Connection` object wrapped around `sock`. """ # Create the server side Connection. This is mostly setup boilerplate # - use TLSv1, use a particular certificate, etc. server_ctx = Context(TLSv1_METHOD) server_ctx.set_options(OP_NO_SSLv2 | OP_NO_SSLv3 | OP_SINGLE_DH_USE) server_ctx.set_verify( VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT | VERIFY_CLIENT_ONCE, verify_cb ) server_store = server_ctx.get_cert_store() server_ctx.use_privatekey( load_privatekey(FILETYPE_PEM, server_key_pem)) server_ctx.use_certificate( load_certificate(FILETYPE_PEM, server_cert_pem)) server_ctx.check_privatekey() server_store.add_cert(load_certificate(FILETYPE_PEM, root_cert_pem)) # Here the Connection is actually created. If None is passed as the # 2nd parameter, it indicates a memory BIO should be created. server_conn = Connection(server_ctx, sock) server_conn.set_accept_state() return server_conn
def _client(self, sock): """ Create a new client-side SSL `Connection` object wrapped around `sock`. """ # Now create the client side Connection. Similar boilerplate to the # above. client_ctx = Context(TLSv1_METHOD) client_ctx.set_options(OP_NO_SSLv2 | OP_NO_SSLv3 | OP_SINGLE_DH_USE) client_ctx.set_verify( VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT | VERIFY_CLIENT_ONCE, verify_cb ) client_store = client_ctx.get_cert_store() client_ctx.use_privatekey( load_privatekey(FILETYPE_PEM, client_key_pem)) client_ctx.use_certificate( load_certificate(FILETYPE_PEM, client_cert_pem)) client_ctx.check_privatekey() client_store.add_cert(load_certificate(FILETYPE_PEM, root_cert_pem)) client_conn = Connection(client_ctx, sock) client_conn.set_connect_state() return client_conn
def _server(self, sock): """ Create a new server-side SSL :py:obj:`Connection` object wrapped around :py:obj:`sock`. """ # Create the server side Connection. This is mostly setup boilerplate # - use TLSv1, use a particular certificate, etc. server_ctx = Context(TLSv1_METHOD) server_ctx.set_options(OP_NO_SSLv2 | OP_NO_SSLv3 | OP_SINGLE_DH_USE ) server_ctx.set_verify(VERIFY_PEER|VERIFY_FAIL_IF_NO_PEER_CERT|VERIFY_CLIENT_ONCE, verify_cb) server_store = server_ctx.get_cert_store() server_ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem)) server_ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem)) server_ctx.check_privatekey() server_store.add_cert(load_certificate(FILETYPE_PEM, root_cert_pem)) # Here the Connection is actually created. If None is passed as the 2nd # parameter, it indicates a memory BIO should be created. server_conn = Connection(server_ctx, sock) server_conn.set_accept_state() return server_conn
def _client(self, sock): """ Create a new client-side SSL :py:obj:`Connection` object wrapped around :py:obj:`sock`. """ # Now create the client side Connection. Similar boilerplate to the # above. client_ctx = Context(TLSv1_METHOD) client_ctx.set_options(OP_NO_SSLv2 | OP_NO_SSLv3 | OP_SINGLE_DH_USE ) client_ctx.set_verify(VERIFY_PEER|VERIFY_FAIL_IF_NO_PEER_CERT|VERIFY_CLIENT_ONCE, verify_cb) client_store = client_ctx.get_cert_store() client_ctx.use_privatekey(load_privatekey(FILETYPE_PEM, client_key_pem)) client_ctx.use_certificate(load_certificate(FILETYPE_PEM, client_cert_pem)) client_ctx.check_privatekey() client_store.add_cert(load_certificate(FILETYPE_PEM, root_cert_pem)) client_conn = Connection(client_ctx, sock) client_conn.set_connect_state() return client_conn
def test_tlsProtocolsreduceToMaxWithoutMin(self): """ When calling L{sslverify.OpenSSLCertificateOptions} with C{lowerMaximumSecurityTo} but no C{raiseMinimumTo} or C{insecurelyLowerMinimumTo} set, and C{lowerMaximumSecurityTo} is below the minimum default, the minimum will be made the new maximum. """ opts = sslverify.OpenSSLCertificateOptions( privateKey=self.sKey, certificate=self.sCert, lowerMaximumSecurityTo=sslverify.TLSVersion.SSLv3, ) opts._contextFactory = FakeContext ctx = opts.getContext() options = (SSL.OP_NO_SSLv2 | SSL.OP_NO_COMPRESSION | SSL.OP_CIPHER_SERVER_PREFERENCE | SSL.OP_NO_TLSv1 | SSL.OP_NO_TLSv1_1 | SSL.OP_NO_TLSv1_2 | opts._OP_NO_TLSv1_3) self.assertEqual(options, ctx._options & options)
def test_tlsProtocolsSSLv3Only(self): """ When calling L{sslverify.OpenSSLCertificateOptions} with C{insecurelyLowerMinimumTo} and C{lowerMaximumSecurityTo} set to SSLv3, it will exclude all others. """ opts = sslverify.OpenSSLCertificateOptions( privateKey=self.sKey, certificate=self.sCert, insecurelyLowerMinimumTo=sslverify.TLSVersion.SSLv3, lowerMaximumSecurityTo=sslverify.TLSVersion.SSLv3, ) opts._contextFactory = FakeContext ctx = opts.getContext() options = (SSL.OP_NO_SSLv2 | SSL.OP_NO_COMPRESSION | SSL.OP_CIPHER_SERVER_PREFERENCE | SSL.OP_NO_TLSv1 | SSL.OP_NO_TLSv1_1 | SSL.OP_NO_TLSv1_2 | opts._OP_NO_TLSv1_3) self.assertEqual(options, ctx._options & options)
def test_tlsProtocolsTLSv1Point0Only(self): """ When calling L{sslverify.OpenSSLCertificateOptions} with C{insecurelyLowerMinimumTo} and C{lowerMaximumSecurityTo} set to v1.0, it will exclude all others. """ opts = sslverify.OpenSSLCertificateOptions( privateKey=self.sKey, certificate=self.sCert, insecurelyLowerMinimumTo=sslverify.TLSVersion.TLSv1_0, lowerMaximumSecurityTo=sslverify.TLSVersion.TLSv1_0, ) opts._contextFactory = FakeContext ctx = opts.getContext() options = (SSL.OP_NO_SSLv2 | SSL.OP_NO_COMPRESSION | SSL.OP_CIPHER_SERVER_PREFERENCE | SSL.OP_NO_SSLv3 | SSL.OP_NO_TLSv1_1 | SSL.OP_NO_TLSv1_2 | opts._OP_NO_TLSv1_3) self.assertEqual(options, ctx._options & options)
def test_tlsProtocolsTLSv1Point1Only(self): """ When calling L{sslverify.OpenSSLCertificateOptions} with C{insecurelyLowerMinimumTo} and C{lowerMaximumSecurityTo} set to v1.1, it will exclude all others. """ opts = sslverify.OpenSSLCertificateOptions( privateKey=self.sKey, certificate=self.sCert, insecurelyLowerMinimumTo=sslverify.TLSVersion.TLSv1_1, lowerMaximumSecurityTo=sslverify.TLSVersion.TLSv1_1, ) opts._contextFactory = FakeContext ctx = opts.getContext() options = (SSL.OP_NO_SSLv2 | SSL.OP_NO_COMPRESSION | SSL.OP_CIPHER_SERVER_PREFERENCE | SSL.OP_NO_SSLv3 | SSL.OP_NO_TLSv1 | SSL.OP_NO_TLSv1_2 | opts._OP_NO_TLSv1_3) self.assertEqual(options, ctx._options & options)
def test_tlsProtocolsAllModernTLS(self): """ When calling L{sslverify.OpenSSLCertificateOptions} with C{insecurelyLowerMinimumTo} set to TLSv1.0 and C{lowerMaximumSecurityTo} to TLSv1.2, it will exclude both SSLs and the (unreleased) TLSv1.3. """ opts = sslverify.OpenSSLCertificateOptions( privateKey=self.sKey, certificate=self.sCert, insecurelyLowerMinimumTo=sslverify.TLSVersion.TLSv1_0, lowerMaximumSecurityTo=sslverify.TLSVersion.TLSv1_2, ) opts._contextFactory = FakeContext ctx = opts.getContext() options = (SSL.OP_NO_SSLv2 | SSL.OP_NO_COMPRESSION | SSL.OP_CIPHER_SERVER_PREFERENCE | SSL.OP_NO_SSLv3 | opts._OP_NO_TLSv1_3) self.assertEqual(options, ctx._options & options)
def test_tlsProtocolsAtLeastAllSecureTLS(self): """ When calling L{sslverify.OpenSSLCertificateOptions} with C{raiseMinimumTo} set to TLSv1.2, it will ignore all TLSs below 1.2 and SSL. """ opts = sslverify.OpenSSLCertificateOptions( privateKey=self.sKey, certificate=self.sCert, raiseMinimumTo=sslverify.TLSVersion.TLSv1_2 ) opts._contextFactory = FakeContext ctx = opts.getContext() options = (SSL.OP_NO_SSLv2 | SSL.OP_NO_COMPRESSION | SSL.OP_CIPHER_SERVER_PREFERENCE | SSL.OP_NO_SSLv3 | SSL.OP_NO_TLSv1 | SSL.OP_NO_TLSv1_1) self.assertEqual(options, ctx._options & options)
def test_tlsProtocolsAtLeastWillAcceptHigherDefault(self): """ When calling L{sslverify.OpenSSLCertificateOptions} with C{raiseMinimumTo} set to a value lower than Twisted's default will cause it to use the more secure default. """ opts = sslverify.OpenSSLCertificateOptions( privateKey=self.sKey, certificate=self.sCert, raiseMinimumTo=sslverify.TLSVersion.SSLv3 ) opts._contextFactory = FakeContext ctx = opts.getContext() # Future maintainer warning: this will break if we change our default # up, so you should change it to add the relevant OP_NO flags when we # do make that change and this test fails. options = (SSL.OP_NO_SSLv2 | SSL.OP_NO_COMPRESSION | SSL.OP_CIPHER_SERVER_PREFERENCE | SSL.OP_NO_SSLv3) self.assertEqual(options, ctx._options & options) self.assertEqual(opts._defaultMinimumTLSVersion, sslverify.TLSVersion.TLSv1_0)
def test_tlsProtocolsAllSecureTLS(self): """ When calling L{sslverify.OpenSSLCertificateOptions} with C{insecurelyLowerMinimumTo} set to TLSv1.2, it will ignore all TLSs below 1.2 and SSL. """ opts = sslverify.OpenSSLCertificateOptions( privateKey=self.sKey, certificate=self.sCert, insecurelyLowerMinimumTo=sslverify.TLSVersion.TLSv1_2 ) opts._contextFactory = FakeContext ctx = opts.getContext() options = (SSL.OP_NO_SSLv2 | SSL.OP_NO_COMPRESSION | SSL.OP_CIPHER_SERVER_PREFERENCE | SSL.OP_NO_SSLv3 | SSL.OP_NO_TLSv1 | SSL.OP_NO_TLSv1_1) self.assertEqual(options, ctx._options & options)
def get_context(self): c = super(SecuredSSLServer, self).get_context() c.set_options(SSL.OP_NO_SSLv2) c.set_options(SSL.OP_NO_SSLv3) c.set_options(SSL.OP_NO_TLSv1) c.set_options(SSL.OP_NO_TLSv1_1) return c # Create our own sub-class of Bottle's ServerAdapter # so that we can specify SSL. Using just server='cherrypy' # uses the default cherrypy server, which doesn't use SSL
def test_set_options(self): """ `Context.set_options` returns the new options value. """ context = Context(TLSv1_METHOD) options = context.set_options(OP_NO_SSLv2) assert options & OP_NO_SSLv2 == OP_NO_SSLv2
def test_set_options_long(self): """ On Python 2 `Context.set_options` accepts values of type `long` as well as `int`. """ context = Context(TLSv1_METHOD) options = context.set_options(long(OP_NO_SSLv2)) assert options & OP_NO_SSLv2 == OP_NO_SSLv2
def create_basic_sslcontext(): ssl_ctx = SSL.Context(SSL.SSLv23_METHOD) ssl_ctx.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3 | SSL.OP_CIPHER_SERVER_PREFERENCE) ssl_ctx.set_cipher_list(":".join(_SUPPROT_CIPHERS_SUITES)) # NOTE: cipher suite related to ECDHE will need this ssl_ctx.set_tmp_ecdh(crypto.get_elliptic_curve('prime256v1')) return ssl_ctx
def test_set_options(self): """ :py:obj:`Context.set_options` returns the new options value. """ context = Context(TLSv1_METHOD) options = context.set_options(OP_NO_SSLv2) self.assertTrue(OP_NO_SSLv2 & options)
def test_set_options_long(self): """ On Python 2 :py:obj:`Context.set_options` accepts values of type :py:obj:`long` as well as :py:obj:`int`. """ context = Context(TLSv1_METHOD) options = context.set_options(long(OP_NO_SSLv2)) self.assertTrue(OP_NO_SSLv2 & options)
def test_ssl_options(self): from OpenSSL import SSL from OpenSSL._util import lib from pyftpdlib.handlers import TLS_FTPHandler try: TLS_FTPHandler.ssl_context = None ctx = TLS_FTPHandler.get_ssl_context() # Verify default opts. with contextlib.closing(socket.socket()) as s: s = SSL.Connection(ctx, s) opts = lib.SSL_CTX_get_options(ctx._context) self.assertTrue(opts & SSL.OP_NO_SSLv2) self.assertTrue(opts & SSL.OP_NO_SSLv3) self.assertTrue(opts & SSL.OP_NO_COMPRESSION) TLS_FTPHandler.ssl_context = None # reset # Make sure that if ssl_options is None no options are set # (except OP_NO_SSLv2 whch is enabled by default unless # ssl_proto is set to SSL.SSLv23_METHOD). TLS_FTPHandler.ssl_context = None TLS_FTPHandler.ssl_options = None ctx = TLS_FTPHandler.get_ssl_context() with contextlib.closing(socket.socket()) as s: s = SSL.Connection(ctx, s) opts = lib.SSL_CTX_get_options(ctx._context) self.assertTrue(opts & SSL.OP_NO_SSLv2) # self.assertFalse(opts & SSL.OP_NO_SSLv3) self.assertFalse(opts & SSL.OP_NO_COMPRESSION) finally: TLS_FTPHandler.ssl_context = None
def __init__(self, addr, port, key, cert, request_handler_class): self._addr = addr self._port = port self._key = key self._cert = cert self._handler = request_handler_class SocketServer.BaseServer.__init__(self, (addr, port), request_handler_class) ctx = SSL.Context(SSL.SSLv23_METHOD) #ctx = SSL.Context(SSL.TLSv1_2_METHOD) ctx.set_options(SSL.OP_NO_SSLv2) ctx.use_privatekey_file(key) ctx.use_certificate_file(cert) def cb_ALPN(conn, protos): print "ALPN CALLBACK" return b'h2' ctx.set_alpn_select_callback(cb_ALPN) def cb_NPN(conn, protos): print "NPN CALLBACK" return b'h2' ctx.set_npn_select_callback(cb_NPN) #Must be .socket self.socket = SSLWrapper(SSL.Connection(ctx, socket.socket(self.address_family, self.socket_type))) self.socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) self.server_bind() self.server_activate()
def fromOpenSSLCipherString(cls, cipherString): """ Create a new instance using an OpenSSL cipher string. @param cipherString: An OpenSSL cipher string that describes what cipher suites are acceptable. See the documentation of U{OpenSSL <http://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS>} or U{Apache <http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslciphersuite>} for details. @type cipherString: L{unicode} @return: Instance representing C{cipherString}. @rtype: L{twisted.internet.ssl.AcceptableCiphers} """ return cls(_expandCipherString( nativeString(cipherString), SSL.SSLv23_METHOD, SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3) ) # A secure default. # Sources for more information on TLS ciphers: # # - https://wiki.mozilla.org/Security/Server_Side_TLS # - https://www.ssllabs.com/projects/best-practices/index.html # - https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ # # The general intent is: # - Prefer cipher suites that offer perfect forward secrecy (DHE/ECDHE), # - prefer ECDHE over DHE for better performance, # - prefer any AES-GCM and ChaCha20 over any AES-CBC for better performance and # security, # - prefer AES-GCM to ChaCha20 because AES hardware support is common, # - disable NULL authentication, MD5 MACs and DSS for security reasons. #
def cacheContext(self): if self._context is None: ctx = self._contextFactory(self.sslmethod) # Disallow SSLv2! It's insecure! SSLv3 has been around since # 1996. It's time to move on. ctx.set_options(SSL.OP_NO_SSLv2) ctx.use_certificate_file(self.certificateFileName) ctx.use_privatekey_file(self.privateKeyFileName) self._context = ctx
def getContext(self): ctx = self._contextFactory(self.method) # See comment in DefaultOpenSSLContextFactory about SSLv2. ctx.set_options(SSL.OP_NO_SSLv2) return ctx
def test_method(self): """ L{ssl.DefaultOpenSSLContextFactory.getContext} returns an SSL context which can use SSLv3 or TLSv1 but not SSLv2. """ # SSLv23_METHOD allows SSLv2, SSLv3, or TLSv1 self.assertEqual(self.context._method, SSL.SSLv23_METHOD) # And OP_NO_SSLv2 disables the SSLv2 support. self.assertTrue(self.context._options & SSL.OP_NO_SSLv2) # Make sure SSLv3 and TLSv1 aren't disabled though. self.assertFalse(self.context._options & SSL.OP_NO_SSLv3) self.assertFalse(self.context._options & SSL.OP_NO_TLSv1)
def test_method(self): """ L{ssl.ClientContextFactory.getContext} returns a context which can use SSLv3 or TLSv1 but not SSLv2. """ self.assertEqual(self.context._method, SSL.SSLv23_METHOD) self.assertTrue(self.context._options & SSL.OP_NO_SSLv2) self.assertFalse(self.context._options & SSL.OP_NO_SSLv3) self.assertFalse(self.context._options & SSL.OP_NO_TLSv1)
def test_tlsv1ByDefault(self): """ L{sslverify.OpenSSLCertificateOptions} will make the default minimum TLS version v1.0, if no C{method}, or C{insecurelyLowerMinimumTo} is given. """ opts = sslverify.OpenSSLCertificateOptions( privateKey=self.sKey, certificate=self.sCert ) opts._contextFactory = FakeContext ctx = opts.getContext() options = (SSL.OP_NO_SSLv2 | SSL.OP_NO_COMPRESSION | SSL.OP_CIPHER_SERVER_PREFERENCE | SSL.OP_NO_SSLv3) self.assertEqual(options, ctx._options & options)
