我们从 Python 开源项目中提取了以下 14 个代码示例，用于说明如何使用 OpenSSL.SSL.OP_NO_COMPRESSION。
def test_tlsProtocolsreduceToMaxWithoutMin(self):
    """
    If L{sslverify.OpenSSLCertificateOptions} is given only
    C{lowerMaximumSecurityTo} (neither C{raiseMinimumTo} nor
    C{insecurelyLowerMinimumTo}), and that maximum is below the default
    minimum, the minimum is brought down to the requested maximum.
    """
    certificateOptions = sslverify.OpenSSLCertificateOptions(
        privateKey=self.sKey,
        certificate=self.sCert,
        lowerMaximumSecurityTo=sslverify.TLSVersion.SSLv3,
    )
    certificateOptions._contextFactory = FakeContext
    context = certificateOptions.getContext()

    # Baseline hardening flags, then every protocol other than SSLv3 disabled.
    # NOTE(review): this pins the behaviour that a lowered maximum alone
    # leaves SSLv3 as the only protocol not switched off; SSLv3 is
    # deprecated (RFC 7568), so callers should not rely on this path.
    expectedFlags = (SSL.OP_NO_SSLv2 | SSL.OP_NO_COMPRESSION |
                     SSL.OP_CIPHER_SERVER_PREFERENCE)
    expectedFlags |= SSL.OP_NO_TLSv1 | SSL.OP_NO_TLSv1_1 | SSL.OP_NO_TLSv1_2
    expectedFlags |= certificateOptions._OP_NO_TLSv1_3

    # Masked comparison: proves the listed flags are set, says nothing about
    # flags outside the mask.
    self.assertEqual(expectedFlags, context._options & expectedFlags)
def test_tlsProtocolsSSLv3Only(self):
    """
    With both C{insecurelyLowerMinimumTo} and C{lowerMaximumSecurityTo} set
    to SSLv3, L{sslverify.OpenSSLCertificateOptions} disables every other
    protocol version.
    """
    onlyVersion = sslverify.TLSVersion.SSLv3
    certificateOptions = sslverify.OpenSSLCertificateOptions(
        privateKey=self.sKey,
        certificate=self.sCert,
        insecurelyLowerMinimumTo=onlyVersion,
        lowerMaximumSecurityTo=onlyVersion,
    )
    certificateOptions._contextFactory = FakeContext
    context = certificateOptions.getContext()

    requiredFlags = 0
    for flag in (
        SSL.OP_NO_SSLv2,
        SSL.OP_NO_COMPRESSION,
        SSL.OP_CIPHER_SERVER_PREFERENCE,
        SSL.OP_NO_TLSv1,
        SSL.OP_NO_TLSv1_1,
        SSL.OP_NO_TLSv1_2,
        certificateOptions._OP_NO_TLSv1_3,
    ):
        requiredFlags |= flag

    # NOTE(review): the mask confirms the other versions are disabled; it
    # does not assert that OP_NO_SSLv3 is clear.
    self.assertEqual(requiredFlags, context._options & requiredFlags)
def test_tlsProtocolsTLSv1Point0Only(self):
    """
    With both C{insecurelyLowerMinimumTo} and C{lowerMaximumSecurityTo} set
    to TLSv1.0, L{sslverify.OpenSSLCertificateOptions} disables every other
    protocol version.
    """
    onlyVersion = sslverify.TLSVersion.TLSv1_0
    certificateOptions = sslverify.OpenSSLCertificateOptions(
        privateKey=self.sKey,
        certificate=self.sCert,
        insecurelyLowerMinimumTo=onlyVersion,
        lowerMaximumSecurityTo=onlyVersion,
    )
    certificateOptions._contextFactory = FakeContext
    context = certificateOptions.getContext()

    # Baseline hardening flags first, then the per-version exclusions.
    baselineFlags = (SSL.OP_NO_SSLv2 | SSL.OP_NO_COMPRESSION |
                     SSL.OP_CIPHER_SERVER_PREFERENCE)
    requiredFlags = (baselineFlags | SSL.OP_NO_SSLv3 | SSL.OP_NO_TLSv1_1 |
                     SSL.OP_NO_TLSv1_2 | certificateOptions._OP_NO_TLSv1_3)

    # Masked comparison: only the presence of the listed flags is checked.
    self.assertEqual(requiredFlags, context._options & requiredFlags)
def test_tlsProtocolsTLSv1Point2Only(self):
    """
    With both C{insecurelyLowerMinimumTo} and C{lowerMaximumSecurityTo} set
    to TLSv1.2, L{sslverify.OpenSSLCertificateOptions} disables every other
    protocol version.
    """
    onlyVersion = sslverify.TLSVersion.TLSv1_2
    certificateOptions = sslverify.OpenSSLCertificateOptions(
        privateKey=self.sKey,
        certificate=self.sCert,
        insecurelyLowerMinimumTo=onlyVersion,
        lowerMaximumSecurityTo=onlyVersion,
    )
    certificateOptions._contextFactory = FakeContext
    context = certificateOptions.getContext()

    requiredFlags = 0
    for flag in (
        SSL.OP_NO_SSLv2,
        SSL.OP_NO_COMPRESSION,
        SSL.OP_CIPHER_SERVER_PREFERENCE,
        SSL.OP_NO_SSLv3,
        SSL.OP_NO_TLSv1,
        SSL.OP_NO_TLSv1_1,
        certificateOptions._OP_NO_TLSv1_3,
    ):
        requiredFlags |= flag

    # Masked comparison: only the presence of the listed flags is checked.
    self.assertEqual(requiredFlags, context._options & requiredFlags)
def test_tlsProtocolsAllModernTLS(self):
    """
    With C{insecurelyLowerMinimumTo} at TLSv1.0 and
    C{lowerMaximumSecurityTo} at TLSv1.2,
    L{sslverify.OpenSSLCertificateOptions} excludes both SSL versions and
    TLSv1.3 (which the original author described as unreleased).
    """
    certificateOptions = sslverify.OpenSSLCertificateOptions(
        privateKey=self.sKey,
        certificate=self.sCert,
        insecurelyLowerMinimumTo=sslverify.TLSVersion.TLSv1_0,
        lowerMaximumSecurityTo=sslverify.TLSVersion.TLSv1_2,
    )
    certificateOptions._contextFactory = FakeContext
    context = certificateOptions.getContext()

    baselineFlags = (SSL.OP_NO_SSLv2 | SSL.OP_NO_COMPRESSION |
                     SSL.OP_CIPHER_SERVER_PREFERENCE)
    requiredFlags = (baselineFlags | SSL.OP_NO_SSLv3 |
                     certificateOptions._OP_NO_TLSv1_3)

    # NOTE(review): the mask shows SSLv2/SSLv3/TLSv1.3 are disabled; it does
    # not assert that TLSv1.0 through TLSv1.2 remain enabled.
    self.assertEqual(requiredFlags, context._options & requiredFlags)
def test_tlsProtocolsAtLeastAllSecureTLS(self):
    """
    Passing C{raiseMinimumTo} set to TLSv1.2 to
    L{sslverify.OpenSSLCertificateOptions} disables SSL and every TLS
    version older than 1.2.
    """
    certificateOptions = sslverify.OpenSSLCertificateOptions(
        privateKey=self.sKey,
        certificate=self.sCert,
        raiseMinimumTo=sslverify.TLSVersion.TLSv1_2,
    )
    certificateOptions._contextFactory = FakeContext
    context = certificateOptions.getContext()

    requiredFlags = 0
    for flag in (
        SSL.OP_NO_SSLv2,
        SSL.OP_NO_COMPRESSION,
        SSL.OP_CIPHER_SERVER_PREFERENCE,
        SSL.OP_NO_SSLv3,
        SSL.OP_NO_TLSv1,
        SSL.OP_NO_TLSv1_1,
    ):
        requiredFlags |= flag

    # Masked comparison: only the presence of the listed flags is checked.
    self.assertEqual(requiredFlags, context._options & requiredFlags)
def test_tlsProtocolsAtLeastWillAcceptHigherDefault(self):
    """
    A C{raiseMinimumTo} value below Twisted's default passed to
    L{sslverify.OpenSSLCertificateOptions} is ignored in favour of the more
    secure default.
    """
    certificateOptions = sslverify.OpenSSLCertificateOptions(
        privateKey=self.sKey,
        certificate=self.sCert,
        raiseMinimumTo=sslverify.TLSVersion.SSLv3,
    )
    certificateOptions._contextFactory = FakeContext
    context = certificateOptions.getContext()

    # Maintainer warning: this expectation is tied to the current default
    # minimum. When the default is raised this test will fail, and the
    # matching OP_NO_* flags have to be added here.
    # NOTE(review): the default pinned below is TLSv1.0; deployments that
    # need a stricter floor must pass raiseMinimumTo explicitly.
    baselineFlags = (SSL.OP_NO_SSLv2 | SSL.OP_NO_COMPRESSION |
                     SSL.OP_CIPHER_SERVER_PREFERENCE)
    requiredFlags = baselineFlags | SSL.OP_NO_SSLv3

    self.assertEqual(requiredFlags, context._options & requiredFlags)
    self.assertEqual(certificateOptions._defaultMinimumTLSVersion,
                     sslverify.TLSVersion.TLSv1_0)
def test_tlsProtocolsAllSecureTLS(self):
    """
    Passing C{insecurelyLowerMinimumTo} set to TLSv1.2 to
    L{sslverify.OpenSSLCertificateOptions} disables SSL and every TLS
    version older than 1.2.
    """
    certificateOptions = sslverify.OpenSSLCertificateOptions(
        privateKey=self.sKey,
        certificate=self.sCert,
        insecurelyLowerMinimumTo=sslverify.TLSVersion.TLSv1_2,
    )
    certificateOptions._contextFactory = FakeContext
    context = certificateOptions.getContext()

    baselineFlags = (SSL.OP_NO_SSLv2 | SSL.OP_NO_COMPRESSION |
                     SSL.OP_CIPHER_SERVER_PREFERENCE)
    requiredFlags = (baselineFlags | SSL.OP_NO_SSLv3 | SSL.OP_NO_TLSv1 |
                     SSL.OP_NO_TLSv1_1)

    # Masked comparison: only the presence of the listed flags is checked.
    self.assertEqual(requiredFlags, context._options & requiredFlags)
def test_op_no_compression(self):
    """
    :py:obj:`OpenSSL.SSL.OP_NO_COMPRESSION` equals 0x20000, matching
    :py:const:`SSL_OP_NO_COMPRESSION` as defined in :file:`openssl/ssl.h`.
    """
    # Pinning the numeric value guards against the binding exposing a
    # different bit under this name, which would leave TLS compression on
    # for callers that believe they disabled it.
    expected_bit = 0x20000
    self.assertEqual(OP_NO_COMPRESSION, expected_bit)
def ssl_context(cacert, srvcrt, srvkey):
    """
    Build a TLSv1.2 context that requires a peer certificate.

    ``cacert`` is added to the context's certificate store, ``srvcrt`` is a
    space-separated list of certificates (the first is used as the local
    certificate, the rest as extra chain certificates) and ``srvkey`` is the
    matching private key. Each value is passed through ``format_ssl_cert`` /
    ``format_ssl_key`` before being loaded as PEM.
    """
    # general setup: TLSv1.2 only, TLS-level compression off, restricted
    # cipher list taken from the project's definitions
    ctx = SSL.Context(SSL.TLSv1_2_METHOD)
    ctx.set_verify_depth(9)
    ctx.set_options(SSL.OP_NO_COMPRESSION)
    write_modes = (_ssl_lib.SSL_MODE_ENABLE_PARTIAL_WRITE
                   | _ssl_lib.SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER)
    ctx.set_mode(write_modes)
    ctx.set_cipher_list(libmu.defs.Defs.cipher_list)

    # The callback hands back OpenSSL's own pre-verification verdict, so the
    # decision rests entirely on chain validation; no additional check (for
    # example on the peer's name) is applied in this function.
    verify_flags = SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT
    ctx.set_verify(verify_flags, lambda _, __, ___, ____, ok: ok)

    # trust the CA certificate supplied at invocation time
    ca_pem = format_ssl_cert(cacert)
    ca_cert = crypto.load_certificate(crypto.FILETYPE_PEM, ca_pem)
    ctx.get_cert_store().add_cert(ca_cert)

    # local certificate chain: first entry is the leaf, the rest are extras
    for position, pem in enumerate(srvcrt.split(' ')):
        chain_cert = crypto.load_certificate(crypto.FILETYPE_PEM,
                                             format_ssl_cert(pem))
        if position == 0:
            ctx.use_certificate(chain_cert)
        else:
            ctx.add_extra_chain_cert(chain_cert)

    # private key
    private_key = crypto.load_privatekey(crypto.FILETYPE_PEM,
                                         format_ssl_key(srvkey))
    ctx.use_privatekey(private_key)

    # make sure the key and the certificate in the context agree
    ctx.check_privatekey()

    return ctx

###
#  SSLize a connected socket, requiring a supplied cacert
###
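def test_ssl_options(self):
    """
    Check the option bits on the context built by
    ``TLS_FTPHandler.get_ssl_context()``: with the handler defaults,
    SSLv2, SSLv3 and TLS compression are disabled; with ``ssl_options``
    set to None, OP_NO_COMPRESSION is not set.
    """
    from OpenSSL import SSL
    from OpenSSL._util import lib
    from pyftpdlib.handlers import TLS_FTPHandler

    # ssl_options is set on the handler class below; remember the current
    # value so the cleared setting is not left behind for code that runs
    # after this test.
    saved_ssl_options = TLS_FTPHandler.ssl_options
    try:
        TLS_FTPHandler.ssl_context = None
        ctx = TLS_FTPHandler.get_ssl_context()
        # Verify default opts.
        with contextlib.closing(socket.socket()) as sock:
            # closing() keeps its own reference to the raw socket, so the
            # wrapper gets a separate name.
            conn = SSL.Connection(ctx, sock)
            opts = lib.SSL_CTX_get_options(ctx._context)
            self.assertTrue(opts & SSL.OP_NO_SSLv2)
            self.assertTrue(opts & SSL.OP_NO_SSLv3)
            self.assertTrue(opts & SSL.OP_NO_COMPRESSION)
            TLS_FTPHandler.ssl_context = None  # reset

        # Make sure that if ssl_options is None no options are set
        # (except OP_NO_SSLv2 which is enabled by default unless
        # ssl_proto is set to SSL.SSLv23_METHOD).
        TLS_FTPHandler.ssl_context = None
        TLS_FTPHandler.ssl_options = None
        ctx = TLS_FTPHandler.get_ssl_context()
        with contextlib.closing(socket.socket()) as sock:
            conn = SSL.Connection(ctx, sock)
            opts = lib.SSL_CTX_get_options(ctx._context)
            self.assertTrue(opts & SSL.OP_NO_SSLv2)
            # NOTE(review): the OP_NO_SSLv3 check was already disabled in
            # the original; the reason is not visible here.
            # self.assertFalse(opts & SSL.OP_NO_SSLv3)
            self.assertFalse(opts & SSL.OP_NO_COMPRESSION)
    finally:
        # Drop the cached context and put the hardening options back.
        TLS_FTPHandler.ssl_context = None
        TLS_FTPHandler.ssl_options = saved_ssl_options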
def test_basicSecurityOptionsAreSet(self):
    """
    C{OP_NO_SSLv2}, C{OP_NO_COMPRESSION} and
    C{OP_CIPHER_SERVER_PREFERENCE} must be set on every context.
    """
    certificateOptions = sslverify.OpenSSLCertificateOptions(
        privateKey=self.sKey,
        certificate=self.sCert,
    )
    certificateOptions._contextFactory = FakeContext
    context = certificateOptions.getContext()

    # SSLv2 off, TLS-level compression off, and the server's cipher order
    # takes precedence over the client's.
    baselineFlags = 0
    for flag in (
        SSL.OP_NO_SSLv2,
        SSL.OP_NO_COMPRESSION,
        SSL.OP_CIPHER_SERVER_PREFERENCE,
    ):
        baselineFlags |= flag

    self.assertEqual(baselineFlags, context._options & baselineFlags)
def test_tlsv1ByDefault(self):
    """
    Without C{method} or C{insecurelyLowerMinimumTo},
    L{sslverify.OpenSSLCertificateOptions} uses TLSv1.0 as the default
    minimum version.
    """
    certificateOptions = sslverify.OpenSSLCertificateOptions(
        privateKey=self.sKey,
        certificate=self.sCert,
    )
    certificateOptions._contextFactory = FakeContext
    context = certificateOptions.getContext()

    baselineFlags = (SSL.OP_NO_SSLv2 | SSL.OP_NO_COMPRESSION |
                     SSL.OP_CIPHER_SERVER_PREFERENCE)
    requiredFlags = baselineFlags | SSL.OP_NO_SSLv3

    # NOTE(review): the mask proves both SSL versions are disabled; it does
    # not itself show that TLSv1.0 is enabled.
    self.assertEqual(requiredFlags, context._options & requiredFlags)