Changeset 130


Ignore:
Timestamp:
07/18/17 20:40:24 (7 years ago)
Author:
tim
Message:

fixed handshake algorithm for when openssl wants you to poll poll poll...

File:
1 edited

Legend:

Unmodified
Added
Removed
  • trunk/lib/bletchley/ssltls.py

    r128 r130  
    22Utilities for manipulating certificates and SSL/TLS connections.
    33
    4 Copyright (C) 2014,2016 Blindspot Security LLC
     4Copyright (C) 2014,2016,2017 Blindspot Security LLC
    55Author: Timothy D. Morgan
    66
     
    2222import traceback
    2323import random
     24import time
    2425import socket
    2526try:
     
    7475    if mode == 'client':
    7576        conn.set_connect_state()
    76         conn.do_handshake()
     77        # This hokey crap is required because OpenSSL wants you to poll rather than just block
     78        # XXX: tie this sleep time into the timeout parameter
     79        for tries in range(0,10):
     80            try:
     81                conn.do_handshake()
     82                break
     83            except OpenSSL.SSL.WantReadError as e:
     84                time.sleep(0.1)
    7785    else:
    7886        conn.set_accept_state()
     
    8290
    8391def ConnectSSLTLS(host, port, cipher_list=None, timeout=None, handshake_callback=None, verbose=True):
    84     backup_cipher_list = b'DES-CBC3-SHA:RC4-MD5:RC4-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ADH-AES256-GCM-SHA384'
    85     protocols = [("SSL 2/3", SSL.SSLv23_METHOD, None),
     92    backup_cipher_list = b'DES-CBC3-SHA:RC4-MD5:RC4-SHA:AES128-SHA:AES256-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ADH-AES256-GCM-SHA384'
     93    protocols = [("SSL 2/3", SSL.SSLv23_METHOD, cipher_list),
    8694                 ("SSL 2/3", SSL.SSLv23_METHOD, backup_cipher_list),
    87                  ("TLS 1.0", SSL.TLSv1_METHOD, None),
     95                 ("TLS 1.0", SSL.TLSv1_METHOD, cipher_list),
    8896                 ("TLS 1.0", SSL.TLSv1_METHOD, backup_cipher_list),
    89                  ("TLS 1.1", SSL.TLSv1_1_METHOD, None),
     97                 ("TLS 1.1", SSL.TLSv1_1_METHOD, cipher_list),
    9098                 ("TLS 1.1", SSL.TLSv1_1_METHOD, backup_cipher_list),
    91                  ("TLS 1.2", SSL.TLSv1_2_METHOD, None),
     99                 ("TLS 1.2", SSL.TLSv1_2_METHOD, cipher_list),
    92100                 ("TLS 1.2", SSL.TLSv1_2_METHOD, backup_cipher_list),
    93                  ("SSL 3.0", SSL.SSLv3_METHOD, None),
     101                 ("SSL 3.0", SSL.SSLv3_METHOD, cipher_list),
    94102                 ("SSL 3.0", SSL.SSLv3_METHOD, backup_cipher_list),
    95                  ("SSL 2.0", SSL.SSLv2_METHOD, None),
     103                 ("SSL 2.0", SSL.SSLv2_METHOD, cipher_list),
    96104                 ("SSL 2.0", SSL.SSLv2_METHOD, backup_cipher_list)]
    97105
     
    124132        except SSL.Error as e:
    125133            if verbose:
    126                 sys.stderr.write("Exception during %s handshake with server." % pname)
     134                sys.stderr.write("Exception during %s handshake with server. (%s)" % (pname, e))
     135                #traceback.print_exc(file=sys.stderr)
    127136                sys.stderr.write("\nThis could happen because the server requires "
    128                                  "certain SSL/TLS versions or a client certificiate."
     137                                 "certain SSL/TLS versions or a client certificate."
    129138                                 "  Have no fear, we'll keep trying...\n")
    130139        except Exception as e:
Note: See TracChangeset for help on using the changeset viewer.