Python ssl.html() Examples
The following are 13
code examples of ssl.html().
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example.
You may also want to check out all available functions/classes of the module
ssl
, or try the search function
.
.
Example #1
| Source File: httpserver.py From viewfinder with Apache License 2.0 | 6 votes |
|
def get_ssl_certificate(self, binary_form=False):
"""Returns the client's SSL certificate, if any.
To use client certificates, the HTTPServer must have been constructed
with cert_reqs set in ssl_options, e.g.::
server = HTTPServer(app,
ssl_options=dict(
certfile="foo.crt",
keyfile="foo.key",
cert_reqs=ssl.CERT_REQUIRED,
ca_certs="cacert.crt"))
By default, the return value is a dictionary (or None, if no
client certificate is present). If ``binary_form`` is true, a
DER-encoded form of the certificate is returned instead. See
SSLSocket.getpeercert() in the standard library for more
details.
http://docs.python.org/library/ssl.html#sslsocket-objects
"""
try:
return self.connection.stream.socket.getpeercert(
binary_form=binary_form)
except ssl.SSLError:
return None
Example #2
| Source File: httpserver.py From viewfinder with Apache License 2.0 | 6 votes |
|
def get_ssl_certificate(self, binary_form=False):
"""Returns the client's SSL certificate, if any.
To use client certificates, the HTTPServer must have been constructed
with cert_reqs set in ssl_options, e.g.::
server = HTTPServer(app,
ssl_options=dict(
certfile="foo.crt",
keyfile="foo.key",
cert_reqs=ssl.CERT_REQUIRED,
ca_certs="cacert.crt"))
By default, the return value is a dictionary (or None, if no
client certificate is present). If ``binary_form`` is true, a
DER-encoded form of the certificate is returned instead. See
SSLSocket.getpeercert() in the standard library for more
details.
http://docs.python.org/library/ssl.html#sslsocket-objects
"""
try:
return self.connection.stream.socket.getpeercert(
binary_form=binary_form)
except ssl.SSLError:
return None
Example #3
| Source File: clients.py From aws-iot-device-sdk-python with Apache License 2.0 | 6 votes |
|
def set_cert_credentials_provider(self, cert_credentials_provider):
# History issue from Yun SDK where AR9331 embedded Linux only have Python 2.7.3
# pre-installed. In this version, TLSv1_2 is not even an option.
# SSLv23 is a work-around which selects the highest TLS version between the client
# and service. If user installs opensslv1.0.1+, this option will work fine for Mutual
# Auth.
# Note that we cannot force TLSv1.2 for Mutual Auth. in Python 2.7.3 and TLS support
# in Python only starts from Python2.7.
# See also: https://docs.python.org/2/library/ssl.html#ssl.PROTOCOL_SSLv23
if self._use_wss:
ca_path = cert_credentials_provider.get_ca_path()
self._paho_client.tls_set(ca_certs=ca_path, cert_reqs=ssl.CERT_REQUIRED, tls_version=ssl.PROTOCOL_SSLv23)
else:
ca_path = cert_credentials_provider.get_ca_path()
cert_path = cert_credentials_provider.get_cert_path()
key_path = cert_credentials_provider.get_key_path()
self._paho_client.tls_set(ca_certs=ca_path,certfile=cert_path, keyfile=key_path,
cert_reqs=ssl.CERT_REQUIRED, tls_version=ssl.PROTOCOL_SSLv23)
Example #4
| Source File: common.py From s3ql with GNU General Public License v3.0 | 6 votes |
|
def get_ssl_context(path):
'''Construct SSLContext object'''
# Best practice according to http://docs.python.org/3/library/ssl.html#protocol-versions
context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
context.options |= ssl.OP_NO_SSLv2
context.verify_mode = ssl.CERT_REQUIRED
if path is None:
log.debug('Reading default CA certificates.')
context.set_default_verify_paths()
elif os.path.isfile(path):
log.debug('Reading CA certificates from file %s', path)
context.load_verify_locations(cafile=path)
else:
log.debug('Reading CA certificates from directory %s', path)
context.load_verify_locations(capath=path)
return context
Example #5
| Source File: clients.py From aws-builders-fair-projects with Apache License 2.0 | 6 votes |
|
def set_cert_credentials_provider(self, cert_credentials_provider):
# History issue from Yun SDK where AR9331 embedded Linux only have Python 2.7.3
# pre-installed. In this version, TLSv1_2 is not even an option.
# SSLv23 is a work-around which selects the highest TLS version between the client
# and service. If user installs opensslv1.0.1+, this option will work fine for Mutual
# Auth.
# Note that we cannot force TLSv1.2 for Mutual Auth. in Python 2.7.3 and TLS support
# in Python only starts from Python2.7.
# See also: https://docs.python.org/2/library/ssl.html#ssl.PROTOCOL_SSLv23
if self._use_wss:
ca_path = cert_credentials_provider.get_ca_path()
self._paho_client.tls_set(ca_certs=ca_path, cert_reqs=ssl.CERT_REQUIRED, tls_version=ssl.PROTOCOL_SSLv23)
else:
ca_path = cert_credentials_provider.get_ca_path()
cert_path = cert_credentials_provider.get_cert_path()
key_path = cert_credentials_provider.get_key_path()
self._paho_client.tls_set(ca_certs=ca_path,certfile=cert_path, keyfile=key_path,
cert_reqs=ssl.CERT_REQUIRED, tls_version=ssl.PROTOCOL_SSLv23)
Example #6
| Source File: clients.py From aws-builders-fair-projects with Apache License 2.0 | 6 votes |
|
def set_cert_credentials_provider(self, cert_credentials_provider):
# History issue from Yun SDK where AR9331 embedded Linux only have Python 2.7.3
# pre-installed. In this version, TLSv1_2 is not even an option.
# SSLv23 is a work-around which selects the highest TLS version between the client
# and service. If user installs opensslv1.0.1+, this option will work fine for Mutual
# Auth.
# Note that we cannot force TLSv1.2 for Mutual Auth. in Python 2.7.3 and TLS support
# in Python only starts from Python2.7.
# See also: https://docs.python.org/2/library/ssl.html#ssl.PROTOCOL_SSLv23
if self._use_wss:
ca_path = cert_credentials_provider.get_ca_path()
self._paho_client.tls_set(ca_certs=ca_path, cert_reqs=ssl.CERT_REQUIRED, tls_version=ssl.PROTOCOL_SSLv23)
else:
ca_path = cert_credentials_provider.get_ca_path()
cert_path = cert_credentials_provider.get_cert_path()
key_path = cert_credentials_provider.get_key_path()
self._paho_client.tls_set(ca_certs=ca_path,certfile=cert_path, keyfile=key_path,
cert_reqs=ssl.CERT_REQUIRED, tls_version=ssl.PROTOCOL_SSLv23)
Example #7
| Source File: clients.py From aws-builders-fair-projects with Apache License 2.0 | 6 votes |
|
def set_cert_credentials_provider(self, cert_credentials_provider):
# History issue from Yun SDK where AR9331 embedded Linux only have Python 2.7.3
# pre-installed. In this version, TLSv1_2 is not even an option.
# SSLv23 is a work-around which selects the highest TLS version between the client
# and service. If user installs opensslv1.0.1+, this option will work fine for Mutual
# Auth.
# Note that we cannot force TLSv1.2 for Mutual Auth. in Python 2.7.3 and TLS support
# in Python only starts from Python2.7.
# See also: https://docs.python.org/2/library/ssl.html#ssl.PROTOCOL_SSLv23
if self._use_wss:
ca_path = cert_credentials_provider.get_ca_path()
self._paho_client.tls_set(ca_certs=ca_path, cert_reqs=ssl.CERT_REQUIRED, tls_version=ssl.PROTOCOL_SSLv23)
else:
ca_path = cert_credentials_provider.get_ca_path()
cert_path = cert_credentials_provider.get_cert_path()
key_path = cert_credentials_provider.get_key_path()
self._paho_client.tls_set(ca_certs=ca_path,certfile=cert_path, keyfile=key_path,
cert_reqs=ssl.CERT_REQUIRED, tls_version=ssl.PROTOCOL_SSLv23)
Example #8
| Source File: __init__.py From misp42splunk with GNU Lesser General Public License v3.0 | 5 votes |
|
def _build_ssl_context(
disable_ssl_certificate_validation, ca_certs, cert_file=None, key_file=None,
maximum_version=None, minimum_version=None,
):
if not hasattr(ssl, "SSLContext"):
raise RuntimeError("httplib2 requires Python 3.2+ for ssl.SSLContext")
context = ssl.SSLContext(DEFAULT_TLS_VERSION)
context.verify_mode = (
ssl.CERT_NONE if disable_ssl_certificate_validation else ssl.CERT_REQUIRED
)
# SSLContext.maximum_version and SSLContext.minimum_version are python 3.7+.
# source: https://docs.python.org/3/library/ssl.html#ssl.SSLContext.maximum_version
if maximum_version is not None:
if hasattr(context, "maximum_version"):
context.maximum_version = getattr(ssl.TLSVersion, maximum_version)
else:
raise RuntimeError("setting tls_maximum_version requires Python 3.7 and OpenSSL 1.1 or newer")
if minimum_version is not None:
if hasattr(context, "minimum_version"):
context.minimum_version = getattr(ssl.TLSVersion, minimum_version)
else:
raise RuntimeError("setting tls_minimum_version requires Python 3.7 and OpenSSL 1.1 or newer")
# check_hostname requires python 3.4+
# we will perform the equivalent in HTTPSConnectionWithTimeout.connect() by calling ssl.match_hostname
# if check_hostname is not supported.
if hasattr(context, "check_hostname"):
context.check_hostname = not disable_ssl_certificate_validation
context.load_verify_locations(ca_certs)
if cert_file:
context.load_cert_chain(cert_file, key_file)
return context
Example #9
| Source File: http_urllib3.py From Mastering-Elasticsearch-7.0 with MIT License | 5 votes |
|
def create_ssl_context(**kwargs):
"""
A helper function around creating an SSL context
https://docs.python.org/3/library/ssl.html#context-creation
Accepts kwargs in the same manner as `create_default_context`.
"""
ctx = ssl.create_default_context(**kwargs)
return ctx
Example #10
| Source File: tls.py From integrations-core with BSD 3-Clause "New" or "Revised" License | 5 votes |
|
def tls_context(self):
if self._tls_context is None:
# https://docs.python.org/3/library/ssl.html#ssl.SSLContext
# https://docs.python.org/3/library/ssl.html#ssl.PROTOCOL_TLS
self._tls_context = ssl.SSLContext(protocol=PROTOCOL_TLS_CLIENT)
# Run our own validation later on if need be
# https://docs.python.org/3/library/ssl.html#ssl.SSLContext.check_hostname
#
# IMPORTANT: This must be set before verify_mode in Python 3.7+, see:
# https://docs.python.org/3/library/ssl.html#ssl.SSLContext.check_hostname
self._tls_context.check_hostname = False
# https://docs.python.org/3/library/ssl.html#ssl.SSLContext.verify_mode
self._tls_context.verify_mode = ssl.CERT_REQUIRED if self._validate_cert else ssl.CERT_NONE
# https://docs.python.org/3/library/ssl.html#ssl.SSLContext.load_verify_locations
if self._cafile or self._capath: # no cov
self._tls_context.load_verify_locations(self._cafile, self._capath, None)
# https://docs.python.org/3/library/ssl.html#ssl.SSLContext.load_default_certs
else:
self._tls_context.load_default_certs(ssl.Purpose.SERVER_AUTH)
# https://docs.python.org/3/library/ssl.html#ssl.SSLContext.load_cert_chain
if self._cert: # no cov
self._tls_context.load_cert_chain(self._cert, keyfile=self._private_key)
# https://docs.python.org/3/library/ssl.html#ssl.create_default_context
if 'SSLv3' in self._allowed_versions: # no cov
self._tls_context.options &= ~ssl.OP_NO_SSLv3
return self._tls_context
Example #11
| Source File: tls.py From integrations-core with BSD 3-Clause "New" or "Revised" License | 4 votes |
|
def check_remote(self, instance):
if not self._server:
raise ConfigurationError('You must specify `server` in your configuration file.')
try:
sock = self.create_connection()
except Exception as e:
self.service_check(self.SERVICE_CHECK_CAN_CONNECT, self.CRITICAL, tags=self._tags, message=str(e))
return
else:
self.service_check(self.SERVICE_CHECK_CAN_CONNECT, self.OK, tags=self._tags)
# Get the cert & TLS version from the connection
with closing(sock):
try:
with closing(self.tls_context.wrap_socket(sock, server_hostname=self._server_hostname)) as secure_sock:
der_cert = secure_sock.getpeercert(binary_form=True)
protocol_version = secure_sock.version()
except Exception as e:
# https://docs.python.org/3/library/ssl.html#ssl.SSLCertVerificationError
err_code = getattr(e, 'verify_code', None)
message = getattr(e, 'verify_message', str(e))
self.service_check(self.SERVICE_CHECK_VALIDATION, self.CRITICAL, tags=self._tags, message=message)
# There's no sane way to tell it to not validate just the expiration
# This only works on Python 3.7+, see: https://bugs.python.org/issue28182
# https://github.com/openssl/openssl/blob/0b45d8eec051fd9816b6bf46a975fa461ffc983d/include/openssl/x509_vfy.h#L109
if err_code == 10:
self.service_check(
self.SERVICE_CHECK_EXPIRATION, self.CRITICAL, tags=self._tags, message='Certificate has expired'
)
return
# Load https://cryptography.io/en/latest/x509/reference/#cryptography.x509.Certificate
try:
cert = load_der_x509_certificate(der_cert, default_backend())
except Exception as e:
self.service_check(
self.SERVICE_CHECK_VALIDATION,
self.CRITICAL,
tags=self._tags,
message='Unable to parse the certificate: {}'.format(e),
)
return
self.check_protocol_version(protocol_version)
self.validate_certificate(cert)
self.check_age(cert)
Example #12
| Source File: vertica.py From integrations-core with BSD 3-Clause "New" or "Revised" License | 4 votes |
|
def get_connection(self):
connection_options = {
'database': self._db,
'host': self._server,
'port': self._port,
'user': self._username,
'password': self._password,
'backup_server_node': self._backup_servers,
'connection_load_balance': self._connection_load_balance,
'connection_timeout': self._timeout,
}
if self._client_lib_log_level:
connection_options['log_level'] = self._client_lib_log_level
# log_path is required by vertica client for using logging
# when log_path is set to '', vertica won't log to a file
# but we still get logs via parent root logger
connection_options['log_path'] = ''
if self._tls_verify: # no cov
# https://docs.python.org/3/library/ssl.html#ssl.SSLContext
# https://docs.python.org/3/library/ssl.html#ssl.PROTOCOL_TLS
tls_context = ssl.SSLContext(protocol=PROTOCOL_TLS_CLIENT)
# https://docs.python.org/3/library/ssl.html#ssl.SSLContext.verify_mode
tls_context.verify_mode = ssl.CERT_REQUIRED
# https://docs.python.org/3/library/ssl.html#ssl.SSLContext.check_hostname
tls_context.check_hostname = self._validate_hostname
# https://docs.python.org/3/library/ssl.html#ssl.SSLContext.load_verify_locations
if self._cafile or self._capath:
tls_context.load_verify_locations(self._cafile, self._capath, None)
# https://docs.python.org/3/library/ssl.html#ssl.SSLContext.load_default_certs
else:
tls_context.load_default_certs(ssl.Purpose.SERVER_AUTH)
# https://docs.python.org/3/library/ssl.html#ssl.SSLContext.load_cert_chain
if self._cert:
tls_context.load_cert_chain(self._cert, keyfile=self._private_key)
connection_options['ssl'] = tls_context
try:
connection = vertica.connect(**connection_options)
except Exception as e:
self.log.error('Unable to connect to database `%s` as user `%s`: %s', self._db, self._username, e)
self.service_check(self.SERVICE_CHECK_CONNECT, self.CRITICAL, tags=self._tags)
else:
self.service_check(self.SERVICE_CHECK_CONNECT, self.OK, tags=self._tags)
return connection
Example #13
| Source File: ssl_utils.py From integrations-core with BSD 3-Clause "New" or "Revised" License | 4 votes |
|
def make_secure_ssl_client_context(
ca_cert=None, client_cert=None, client_key=None, check_hostname=True, protocol=ssl.PROTOCOL_TLS,
):
"""Creates a secure ssl context for integration that requires one.
:param str ca_cert: Path to a file of concatenated CA certificates in PEM format or to a directory containing
several CA certificates in PEM format
:param str client_cert: Path to a single file in PEM format containing the certificate as well as any number of
CA certificates needed to establish the certificate's authenticity.
:param str client_key: Must point to a file containing the private key. Otherwise the private key will be taken
from certfile as well.
:param bool check_hostname: Whether to match the peer cert's hostname
:param int protocol: Client side protocol (should be one of the `ssl.PROTOCOL_*` constants)
By default selects the highest protocol version possible.
:rtype ssl.Context
"""
# https://docs.python.org/3/library/ssl.html#ssl.SSLContext
# https://docs.python.org/3/library/ssl.html#ssl.PROTOCOL_TLS
context = ssl.SSLContext(protocol=protocol)
# https://docs.python.org/3/library/ssl.html#ssl.SSLContext.verify_mode
context.verify_mode = ssl.CERT_REQUIRED
# https://docs.python.org/3/library/ssl.html#ssl.SSLContext.check_hostname
context.check_hostname = check_hostname
ca_file, ca_path = None, None
if os.path.isdir(ca_cert):
ca_path = ca_cert
elif os.path.isfile(ca_cert):
ca_file = ca_cert
else:
raise ConfigurationError("Specified tls_ca_cert: {} should be a valid file or directory.".format(ca_cert))
# https://docs.python.org/3/library/ssl.html#ssl.SSLContext.load_verify_locations
if ca_file or ca_path:
context.load_verify_locations(ca_file, ca_path, None)
# https://docs.python.org/3/library/ssl.html#ssl.SSLContext.load_default_certs
else:
context.load_default_certs(ssl.Purpose.SERVER_AUTH)
# https://docs.python.org/3/library/ssl.html#ssl.SSLContext.load_cert_chain
if client_cert:
# If client_key is not defined, load_cert_chain reads the key from the client_cert
context.load_cert_chain(client_cert, keyfile=client_key)
return context
