

Python SSLyzeSSLConnection.create_sslyze_connection函数代码示例

本文整理汇总了Python中utils.SSLyzeSSLConnection.create_sslyze_connection函数的典型用法代码示例。如果您正苦于以下问题:Python create_sslyze_connection函数的具体用法?Python create_sslyze_connection怎么用?Python create_sslyze_connection使用的例子?那么恭喜您, 这里精选的函数代码示例或许可以为您提供帮助。


在下文中一共展示了create_sslyze_connection函数的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。

示例1: _get_cert

    def _get_cert(self, target, storePath):
        """
        Handshake with the target server while validating its chain against the
        trust store found at storePath.

        Returns a (certificate, verification string, OCSP response) tuple. The
        verification outcome is only reported, never enforced here: callers
        have to inspect the returned string themselves.
        """
        (_, _, _, tlsVersion) = target
        conn = create_sslyze_connection(target, self._shared_settings, tlsVersion, sslVerifyLocations=storePath)

        # Ask the server to staple an OCSP response into the handshake
        conn.set_tlsext_status_ocsp()

        def _collect():
            # Retrieval order is kept: OCSP response, certificate, chain result
            stapledResp = conn.get_tlsext_status_ocsp_resp()
            peerCert = conn.get_peer_certificate()
            (_, verdict) = conn.get_certificate_chain_verify_result()
            return (peerCert, verdict, stapledResp)

        try:
            conn.connect()
            outcome = _collect()

        except ClientCertificateRequested:
            # A request for a client certificate still leaves the server's
            # certificate and verification result readable
            outcome = _collect()

        finally:
            conn.close()

        return outcome
开发者ID:RuneTM,项目名称:sslyze,代码行数:29,代码来源:PluginCertInfo.py

示例2: _get_hsts_header

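    def _get_hsts_header(self, target):
        """
        Request a page over TLS and return the value of its
        Strict-Transport-Security header, following at most MAX_REDIRECT
        redirections.

        Returns None when the final response has no such header, when a
        redirection carries no Location header, or when the redirection limit
        is reached. Raises Exception when the reply is not an HTTP response or
        when a redirection without an explicit port points at an http: URL.
        """
        hstsHeader = None
        MAX_REDIRECT = 5
        nb_redirect = 0
        httpGetFormat = "GET {0} HTTP/1.0\r\nHost: {1}\r\n{2}Connection: close\r\n\r\n".format
        httpPath = "/"
        httpAppend = ""

        while nb_redirect < MAX_REDIRECT:
            sslConn = create_sslyze_connection(target, self._shared_settings)

            try:
                # Perform the SSL handshake
                sslConn.connect()

                sslConn.write(httpGetFormat(httpPath, target[0], httpAppend))
                # Only the first 2048 bytes are parsed, so a header sent
                # beyond that point is not seen
                httpResp = parse_http_response(sslConn.read(2048))
            finally:
                # Release the connection even when the handshake or the
                # exchange fails
                sslConn.close()

            if httpResp.version == 9:
                # HTTP 0.9 => Probably not an HTTP response
                raise Exception("Server did not return an HTTP response")
            elif 300 <= httpResp.status < 400:
                redirectHeader = httpResp.getheader("Location", None)
                cookieHeader = httpResp.getheader("Set-Cookie", None)

                if redirectHeader is None:
                    break

                o = urlparse(redirectHeader)
                # A Location without a path (e.g. "https://host") would
                # otherwise produce a request line with an empty target.
                # The query string of the Location is not carried over.
                httpPath = o.path or "/"

                # Handle absolute redirection URL
                if o.hostname:
                    # NOTE(review): the scan moves to whatever host the server
                    # names, and the header finally returned is reported for
                    # the original target. HSTS applies per host, so a
                    # cross-host redirect can credit the target with another
                    # host's policy -- consider comparing o.hostname with
                    # the original hostname.
                    if o.port:
                        # NOTE(review): the scheme is not checked on this
                        # path, so an http: URL with an explicit port is
                        # still contacted over TLS.
                        port = o.port
                    else:
                        if o.scheme == "https":
                            port = 443
                        elif o.scheme == "http":
                            # We would have to use urllib for http: URLs
                            raise Exception("Error: server sent a redirection to HTTP.")
                        else:
                            port = target[2]

                    target = (o.hostname, o.hostname, port, target[3])

                # Handle cookies
                if cookieHeader:
                    cookie = Cookie.SimpleCookie(cookieHeader)

                    if cookie:
                        # Send back names and values only, without attributes
                        httpAppend = "Cookie:" + cookie.output(attrs=[], header="", sep=";") + "\r\n"

                nb_redirect += 1
            else:
                hstsHeader = httpResp.getheader("strict-transport-security", None)
                break

        return hstsHeader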
开发者ID:RuneTM,项目名称:sslyze,代码行数:60,代码来源:PluginHSTS.py

示例3: process_task

    def process_task(self, target, command, args):
        """
        Handshake with the target and report the compression negotiated for
        the connection, if any.

        Returns a PluginBase.PluginResult built from the text lines and the
        XML element.
        """
        fmtLine = '        {0:<25} {1}'.format
        cmdTitle = 'Compression'

        conn = create_sslyze_connection(target, self._shared_settings)

        try:
            conn.connect()
            negotiated = conn.get_current_compression_name()
        except ClientAuthenticationError:
            # The server wants a client certificate; the compression name is
            # queried on the connection all the same
            negotiated = conn.get_current_compression_name()
        finally:
            conn.close()

        # A non-empty name means compression was negotiated
        if not negotiated:
            summary = 'Disabled'
            xmlAttrs = {'isSupported':'False'}
        else:
            summary = 'Enabled ' +  negotiated
            xmlAttrs = {'isSupported':'True','type':negotiated.strip('()')}

        # Text output
        txtOutput = [
            self.PLUGIN_TITLE_FORMAT(cmdTitle),
            fmtLine("Compression Support:", summary),
        ]

        # XML output
        compressionNode = Element('compression', xmlAttrs)
        xmlOutput = Element(command, title = cmdTitle)
        xmlOutput.append(compressionNode)

        return PluginBase.PluginResult(txtOutput, xmlOutput)
开发者ID:jonkelleyatrackspace,项目名称:sslparty,代码行数:32,代码来源:PluginCompression.py

示例4: _get_cert

    def _get_cert(self, target):
        """
        Handshake with the target server, validating its chain against
        MOZILLA_CA_STORE, and return what the server presented.

        Returns a (certificate, verification string, OCSP response) tuple. The
        numeric verification code is read but not returned, and the outcome is
        not enforced here.
        """
        (_, _, _, tlsVersion) = target
        conn = create_sslyze_connection(target, self._shared_settings, tlsVersion,
                                        sslVerifyLocations=MOZILLA_CA_STORE)

        # Ask the server to staple an OCSP response into the handshake
        conn.set_tlsext_status_ocsp()

        def _collect():
            # Retrieval order is kept: OCSP response, certificate, chain result
            stapledResp = conn.get_tlsext_status_ocsp_resp()
            peerCert = conn.get_peer_certificate()
            (_, verdict) = conn.get_certificate_chain_verify_result()
            return (peerCert, verdict, stapledResp)

        try:
            conn.connect()
            outcome = _collect()

        except ClientAuthenticationError:
            # The server asked for a client cert; its own certificate can be
            # read anyway
            outcome = _collect()

        finally:
            conn.close()

        return outcome
开发者ID:jsha,项目名称:sslyze,代码行数:29,代码来源:PluginCertInfo.py

示例5: _test_ciphersuite

    def _test_ciphersuite(self, target, ssl_version, ssl_cipher):
        """
        Attempt a handshake restricted to one SSL version and one cipher list.

        Returns ('rejectedCipherSuites', cipher, None, error text) when the
        server rejects the handshake, otherwise ('acceptedCipherSuites',
        negotiated cipher, key size text, post-handshake status). Any other
        exception propagates to the caller.
        """
        conn = create_sslyze_connection(target, self._shared_settings, ssl_version)
        conn.set_cipher_list(ssl_cipher)

        try:
            try:
                conn.connect()
            except SSLHandshakeRejected as rejection:
                return 'rejectedCipherSuites', ssl_cipher, None, str(rejection)

            # The handshake succeeded: report the suite actually in use
            negotiated = conn.get_current_cipher_name()
            isAnonymous = 'ADH' in negotiated or 'AECDH' in negotiated
            if isAnonymous:
                # Anonymous suites: the key size is not looked up
                keysize = 'Anon'
            else:
                keysize = str(conn.get_current_cipher_bits()) + ' bits'

            return 'acceptedCipherSuites', negotiated, keysize, conn.post_handshake_check()

        finally:
            conn.close()
开发者ID:postfix,项目名称:sslyze,代码行数:29,代码来源:PluginOpenSSLCipherSuites.py

示例6: _get_cert

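    def _get_cert(self, target, trustStoreList):
        """
        Connects to the target server once per trust store and records how the
        server's certificate chain verifies against each of them.

        Returns (certificate, results) where results maps each trust store
        path to its verification string. The certificate is the one seen on
        the last connection, or None when trustStoreList is empty. The
        verification outcome is only reported, not enforced.
        """
        # The SSL version does not depend on the trust store: unpack it once
        (_, _, _, sslVersion) = target

        # Defined up front so that an empty trustStoreList returns
        # (None, {}) instead of failing on an unbound name
        x509Cert = None
        verifyResults = {}

        for trustStorePath in trustStoreList:
            sslConn = create_sslyze_connection(target, self._shared_settings,
                                               sslVersion,
                                               sslVerifyLocations=trustStorePath)

            try:
                # Perform the SSL handshake
                sslConn.connect()
                x509Cert = sslConn.get_peer_certificate()
                (_, verifyStr) = sslConn.get_certificate_chain_verify_result()

            except ClientCertificateError:
                # The server asked for a client cert
                # We can get the server cert anyway
                x509Cert = sslConn.get_peer_certificate()
                (_, verifyStr) = sslConn.get_certificate_chain_verify_result()

            finally:
                sslConn.close()

            verifyResults[trustStorePath] = verifyStr

        return (x509Cert, verifyResults)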
开发者ID:jsha,项目名称:sslyze,代码行数:31,代码来源:PluginMultipleTrustStores.py

示例7: process_task

    def process_task(self, target, command):
        """
        Handshake with the target and, when the server asks for a client
        certificate, list the CAs it says it accepts.

        Returns a PluginBase.PluginResult. The CA list stays empty when the
        handshake completes without a client certificate request.
        """
        (_, _, _, ssl_version) = target
        conn = create_sslyze_connection(target, self._shared_settings, ssl_version)

        accepted_cas = []
        try:
            conn.connect()

        except ClientCertificateRequested:
            # Only this path yields a CA list
            accepted_cas = conn.get_client_CA_list()

        finally:
            conn.close()

        text_output = [self.PLUGIN_TITLE_FORMAT(self.CMD_TITLE)]
        if not accepted_cas:
            xml_output = Element(command, title=self.CMD_TITLE, isProvided="False")
            return PluginBase.PluginResult(text_output, xml_output)

        xml_output = Element(command, title=self.CMD_TITLE, isProvided="True")
        for ca_name in accepted_cas:
            # One text line and one <ca> element per advertised CA
            text_output.append(self.FIELD_FORMAT('', str(ca_name)))
            ca_node = Element('ca')
            ca_node.text = ca_name
            xml_output.append(ca_node)

        return PluginBase.PluginResult(text_output, xml_output)
开发者ID:carriercomm,项目名称:sslyze,代码行数:30,代码来源:PluginClientCertReqCA.py

示例8: process_task

    def process_task(self, target, command, args):
        """
        Handshake with the target and report whether a compression method was
        negotiated for the connection.

        Raises RuntimeError when the local OpenSSL build does not list
        'zlib compression', since the result would then be a false negative.
        Returns a PluginBase.PluginResult.
        """
        fmtLine = '      {0:<35}{1}'.format
        cmdTitle = 'Compression'

        conn = create_sslyze_connection(target, self._shared_settings)

        # Without local zlib support a "Disabled" result would say nothing
        # about the server.
        # NOTE(review): this raise happens before the try/finally below, so
        # close() is not called on this path.
        if 'zlib compression' not in conn.get_available_compression_methods():
            raise RuntimeError('OpenSSL was not built with support for zlib / compression. Did you build nassl yourself ?')

        try:
            conn.connect()
            negotiated = conn.get_current_compression_method()
        except ClientAuthenticationError:
            # The server asked for a client cert; the method is queried on
            # the connection all the same
            negotiated = conn.get_current_compression_method()
        finally:
            conn.close()

        # Text output
        summary = 'Supported' if negotiated else 'Disabled'
        txtOutput = [
            self.PLUGIN_TITLE_FORMAT(cmdTitle),
            fmtLine("DEFLATE Compression:", summary),
        ]

        # XML output: the child element is present only when compression
        # was negotiated
        xmlOutput = Element(command, title=cmdTitle)
        if negotiated:
            xmlOutput.append(Element('compressionMethod', type="DEFLATE"))

        return PluginBase.PluginResult(txtOutput, xmlOutput)
开发者ID:travisspencer,项目名称:sslyze,代码行数:35,代码来源:PluginCompression.py

示例9: _pref_ciphersuite

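    def _pref_ciphersuite(self, target, ssl_version):
        """
        Initiates a SSL handshake with the server using the SSL version
        specified, without restricting the cipher list, and reports the cipher
        suite the connection ends up using.

        Returns ('preferredCipherSuite', cipher name, key size, DH/ECDH
        parameters or None, post-handshake status), or None when the handshake
        or any of the lookups fails.
        """
        sslConn = create_sslyze_connection(target, self._shared_settings, ssl_version)

        try: # Perform the SSL handshake
            sslConn.connect()

            ssl_cipher = sslConn.get_current_cipher_name()
            keysize = sslConn.get_current_cipher_bits()

            # 'ECDH' has to be tested first: names containing it also
            # contain 'DH'
            if 'ECDH' in ssl_cipher :
                dh_infos = sslConn.get_ecdh_param()
            elif 'DH' in ssl_cipher :
                dh_infos = sslConn.get_dh_param()
            else :
                dh_infos = None

            status_msg = sslConn.post_handshake_check()
            return 'preferredCipherSuite', ssl_cipher, keysize,  dh_infos, status_msg

        except Exception:
            # Best effort: any failure means "no preferred suite found".
            # Catching Exception instead of using a bare except lets
            # KeyboardInterrupt and SystemExit reach the caller.
            # NOTE(review): a network error and a refused handshake both end
            # up as None here, so the caller cannot tell them apart.
            return None

        finally:
            sslConn.close()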
开发者ID:ashleyblackmore,项目名称:sslyze,代码行数:28,代码来源:PluginOpenSSLCipherSuites.py

示例10: _test_ciphersuite

    def _test_ciphersuite(self, target, ssl_version, ssl_cipher):
        """
        Attempt a handshake restricted to one SSL version and one cipher list.

        Returns ('rejectedCipherSuites', cipher, None, None, error text) when
        the server rejects the handshake, otherwise ('acceptedCipherSuites',
        negotiated cipher, key size, DH/ECDH parameters or None,
        post-handshake status). Any other exception propagates to the caller.
        """
        conn = create_sslyze_connection(target, self._shared_settings, ssl_version)
        conn.set_cipher_list(ssl_cipher)

        try:
            try:
                conn.connect()
            except SSLHandshakeRejected as rejection:
                return 'rejectedCipherSuites', ssl_cipher, None, None, str(rejection)

            # The handshake succeeded: report the suite actually in use
            negotiated = conn.get_current_cipher_name()
            keysize = conn.get_current_cipher_bits()

            # 'ECDH' is tested before 'DH' because names containing the
            # former also contain the latter
            dh_infos = None
            if 'ECDH' in negotiated:
                dh_infos = conn.get_ecdh_param()
            elif 'DH' in negotiated:
                dh_infos = conn.get_dh_param()

            status_msg = conn.post_handshake_check()
            return 'acceptedCipherSuites', negotiated, keysize, dh_infos, status_msg

        finally:
            conn.close()
开发者ID:ashleyblackmore,项目名称:sslyze,代码行数:32,代码来源:PluginOpenSSLCipherSuites.py

示例11: process_task

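    def process_task(self, target, command, args):
        """
        Run the Heartbleed check against the target and report the verdict.

        The regular handshake routine of the connection is swapped for
        do_handshake_with_heartbleed, and the bytes the server sends back are
        searched for the marker tested below.

        Raises Exception when nothing could be read because HeartbleedSent
        was never raised. Returns a PluginBase.PluginResult.
        """
        OUT_FORMAT = '      {0:<35}{1}'.format
        (host, ip, port, sslVersion) = target

        if sslVersion == SSLV23: # Could not determine the preferred  SSL version - client cert was required ?
            sslVersion = TLSV1 # Default to TLS 1.0
            target = (host, ip, port, sslVersion)

        sslConn = create_sslyze_connection(target, self._shared_settings)
        sslConn.sslVersion = sslVersion # Needed by the heartbleed payload

        # Awful hack #1: replace nassl.sslClient.do_handshake() with a heartbleed
        # checking SSL handshake so that all the SSLyze options
        # (startTLS, proxy, etc.) still work
        sslConn.do_handshake = new.instancemethod(do_handshake_with_heartbleed, sslConn, None)

        heartbleed = None
        try: # Perform the SSL handshake
            sslConn.connect()
        except HeartbleedSent:
            # Awful hack #2: directly read the underlying network socket
            # NOTE(review): this is a single recv(); a short or empty read
            # that lacks the marker is reported as "not vulnerable" below,
            # which may be a false negative -- confirm against the payload
            # helper.
            heartbleed = sslConn._sock.recv(16381)
        finally:
            sslConn.close()

        # Text output
        if heartbleed is None:
            raise Exception("Error: connection failed.")
        elif '\x01\x01\x01\x01\x01\x01\x01\x01\x01' in heartbleed:
            # Server replied with our heartbeat payload
            heartbleedTxt = 'VULNERABLE - Server is vulnerable to Heartbleed'
            heartbleedXml = 'True'
        else:
            heartbleedTxt = 'OK - Not vulnerable to Heartbleed'
            heartbleedXml = 'False'

        cmdTitle = 'OpenSSL Heartbleed'
        txtOutput = [self.PLUGIN_TITLE_FORMAT(cmdTitle)]
        txtOutput.append(OUT_FORMAT(heartbleedTxt, ""))

        # XML output
        xmlOutput = Element(command, title=cmdTitle)
        # heartbleed cannot be None here (that case raised above). The
        # verdict is therefore always written, including after an empty read,
        # so the XML result agrees with the text result.
        xmlNode = Element('heartbleed', isVulnerable=heartbleedXml)
        xmlOutput.append(xmlNode)

        return PluginBase.PluginResult(txtOutput, xmlOutput)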
开发者ID:johncosta,项目名称:sslyze,代码行数:48,代码来源:PluginHeartbleed.py

示例12: _test_renegotiation

    def _test_renegotiation(self, target):
        """
        Handshake with the target, read its secure renegotiation support and
        then try a client-initiated renegotiation.

        Returns (clientReneg, secureReneg). clientReneg is False only for the
        error messages recognised below as a refusal; every other error
        propagates to the caller.
        """
        conn = create_sslyze_connection(target, self._shared_settings)

        try:
            conn.connect()
            secureReneg = conn.get_secure_renegotiation_support()

            try:
                conn.do_renegotiate()
                clientReneg = True

            # The server dropped the connection instead of renegotiating
            except socket.error as sockErr:
                detail = str(sockErr.args)
                if 'connection was forcibly closed' in detail or 'reset by peer' in detail:
                    clientReneg = False
                else:
                    raise

            # The server answered with a TLS-level refusal
            except OpenSSLError as sslErr:
                detail = str(sslErr.args)
                refusals = (
                    'handshake failure',
                    'no renegotiation',
                    # Yahoo's very own way of rejecting a renegotiation
                    'tlsv1 unrecognized name',
                )
                if any(marker in detail for marker in refusals):
                    clientReneg = False
                else:
                    raise

            # Kept last on purpose: socket errors are also IOError
            except IOError as ioErr:
                if 'Nassl SSL handshake failed' not in str(ioErr.args):
                    raise
                clientReneg = False

        finally:
            conn.close()

        return (clientReneg, secureReneg)
开发者ID:ashleyblackmore,项目名称:sslyze,代码行数:47,代码来源:PluginSessionRenegotiation.py

示例13: _get_hsts_header

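    def _get_hsts_header(self, target):
        """
        Send a single GET / request over TLS and return the value of the
        Strict-Transport-Security header of the response.

        Returns None when the header is absent. Raises Exception when the
        reply is not an HTTP response. Redirections are not followed, so a
        3xx response is inspected as is.
        """
        hstsHeader = None
        HTTP_GET_REQ = 'GET / HTTP/1.0\r\nHost: {0}\r\nConnection: close\r\n\r\n'.format(target[0])
        sslConn = create_sslyze_connection(target, self._shared_settings)

        try:
            # Perform the SSL handshake
            sslConn.connect()

            sslConn.write(HTTP_GET_REQ)
            # Only the first 2048 bytes are parsed, so a header sent beyond
            # that point is not seen
            httpResp = parse_http_response(sslConn.read(2048))
        finally:
            # Release the connection even when the handshake or the exchange
            # fails
            sslConn.close()

        if httpResp.version == 9 :
            # HTTP 0.9 => Probably not an HTTP response
            raise Exception('Server did not return an HTTP response')
        else:
            hstsHeader = httpResp.getheader('strict-transport-security', None)
        return hstsHeader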
开发者ID:Adastra-thw,项目名称:sslyze,代码行数:18,代码来源:PluginHSTS.py

示例14: _test_ciphersuite

    def _test_ciphersuite(self, target, ssl_version, ssl_cipher, cipher_dict):
        """
        Attempt a handshake restricted to one SSL version and one cipher list,
        and label the negotiated suite using cipher_dict.

        cipher_dict is read through its "whitelist" and "blacklist" entries.
        A suite found in the whitelist is reported unchanged. Any other suite
        gets " *WEAK*" when a blacklist entry occurs in its name, else
        " (~Possibly Vulnerable~)".

        Returns ("rejectedCipherSuites", cipher, None, None, error text) when
        the server rejects the handshake, otherwise ("acceptedCipherSuites",
        labelled cipher, key size, DH/ECDH parameters or None, post-handshake
        status). Any other exception propagates to the caller.
        """
        conn = create_sslyze_connection(target, self._shared_settings, ssl_version)
        conn.set_cipher_list(ssl_cipher)

        try:
            try:
                conn.connect()
            except SSLHandshakeRejected as rejection:
                return "rejectedCipherSuites", ssl_cipher, None, None, str(rejection)

            # The handshake succeeded: report the suite actually in use
            negotiated = conn.get_current_cipher_name()
            keysize = conn.get_current_cipher_bits()

            # "ECDH" is tested before "DH" because names containing the
            # former also contain the latter
            dh_infos = None
            if "ECDH" in negotiated:
                dh_infos = conn.get_ecdh_param()
            elif "DH" in negotiated:
                dh_infos = conn.get_dh_param()
            status_msg = conn.post_handshake_check()

            if negotiated not in cipher_dict.get("whitelist"):
                # Blacklist entries are matched as substrings of the suite
                # name, so one entry can flag a whole family of suites
                if any(marker in negotiated for marker in cipher_dict.get("blacklist")):
                    negotiated += " *WEAK*"
                # Not whitelisted and not flagged: reported as uncertain
                if "*WEAK*" not in negotiated:
                    negotiated += " (~Possibly Vulnerable~)"

            return "acceptedCipherSuites", negotiated, keysize, dh_infos, status_msg

        finally:
            conn.close()
开发者ID:aur3lius-dev,项目名称:sslyze,代码行数:42,代码来源:PluginOpenSSLCipherSuites.py

示例15: _resume_ssl_session

    def _resume_ssl_session(self, target, sslSession=None, tlsTicket=False):
        """
        Connect to the server and return the session object obtained from
        that connection.

        When sslSession is given, it is set on the connection before the
        handshake so that the server may resume it. When tlsTicket is false,
        TLS tickets are switched off for the connection.
        """
        conn = create_sslyze_connection(target, self._shared_settings)

        if not tlsTicket:
            # Session IDs can only be tested with TLS tickets disabled.
            # rfc5077: if a ticket is presented by the client, the server
            # MUST NOT attempt to use the Session ID in the ClientHello for
            # stateful session resumption
            conn.set_options(SSL_OP_NO_TICKET)

        if sslSession:
            conn.set_session(sslSession)

        try:
            conn.connect()
            # The session is read before the finally clause closes the
            # connection
            return conn.get_session()
        finally:
            conn.close()
开发者ID:CRYPTOlab,项目名称:sslyze,代码行数:23,代码来源:PluginSessionResumption.py


注:本文中的utils.SSLyzeSSLConnection.create_sslyze_connection函数示例由纯净天空整理自Github/MSDocs等开源代码及文档管理平台,相关代码片段筛选自各路编程大神贡献的开源项目,源码版权归原作者所有,传播和使用请参考对应项目的License;未经允许,请勿转载。