# https://journal.paul.querna.org/articles/2011/04/05/openssl-memory-use/
# Disable SSL compression to save massive memory and cpu
import inspect
import logging
import os
import sys

from Config import config
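def openLibrary():
    """Load the OpenSSL crypto shared library through ctypes and return the handle.

    A platform-specific known path is tried first. If that library cannot be
    loaded, the system library search (ctypes.util.find_library) is consulted
    for 'ssl', 'crypto' and 'libcrypto', falling back to the bare name
    'libeay32' which lets the OS loader apply its own DLL search path.

    Returns:
        ctypes.CDLL: the loaded libcrypto/libeay32 handle.

    Raises:
        OSError: if none of the candidate libraries can be loaded.
    """
    import ctypes
    import ctypes.util

    # The platform switch sits outside the try: a NameError here (``sys`` was
    # not imported in this module) used to be hidden by the bare except and
    # silently forced the fallback path on every platform.
    if sys.platform.startswith("win"):
        # Relative to the working directory, so the process must be started
        # from the project root; native code is loaded from this path, so the
        # working directory has to be trusted.
        dll_path = "src/lib/opensslVerify/libeay32.dll"
    elif sys.platform == "cygwin":
        dll_path = "/bin/cygcrypto-1.0.0.dll"
    else:
        dll_path = "/usr/local/ssl/lib/libcrypto.so"

    try:
        # RTLD_GLOBAL makes the library's symbols visible to libraries loaded
        # afterwards. CDLL never returns None, so no assert is needed.
        return ctypes.CDLL(dll_path, ctypes.RTLD_GLOBAL)
    except OSError as err:
        logging.debug("Could not load %s (%s), searching the system library path" % (dll_path, err))

    dll_path = (
        ctypes.util.find_library('ssl')
        or ctypes.util.find_library('crypto')
        or ctypes.util.find_library('libcrypto')
    )
    return ctypes.CDLL(dll_path or 'libeay32', ctypes.RTLD_GLOBAL)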
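def disableSSLCompression():
    """Empty OpenSSL's global compression-method list so TLS compression is never negotiated.

    Besides the memory and CPU saving described at the top of this module,
    leaving TLS compression off also removes the compression side channel
    that CRIME-style attacks depend on. This relies on the library exporting
    ``SSL_COMP_get_compression_methods`` and ``sk_zero``; OpenSSL 1.1.0
    renamed the stack functions to ``OPENSSL_sk_*``, so on such builds (and
    on Windows, where the bundled DLL is usually absent) this is expected to
    report failure rather than patch anything.

    Returns:
        bool: True when the compression list was cleared, False when the
        library or one of the required symbols could not be resolved.
    """
    import ctypes

    try:
        openssl = openLibrary()
        # Resolve both symbols inside the try: a missing ``sk_zero`` used to
        # escape as AttributeError, although it is the same "unsupported
        # build" situation as a missing library.
        get_methods = openssl.SSL_COMP_get_compression_methods
        sk_zero = openssl.sk_zero
    except Exception as err:
        logging.debug("Disable SSL compression failed: %s (normal on Windows)" % err)
        return False

    get_methods.restype = ctypes.c_void_p
    sk_zero.argtypes = [ctypes.c_void_p]
    sk_zero(get_methods())
    logging.debug("Disabled SSL compression on %s" % openssl)
    return True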
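# Apply the patch only when enabled in the configuration. Failure is logged
# and never fatal: the program still works with compression left on, it just
# uses more memory per connection.
if config.disable_sslcompression:
    try:
        disableSSLCompression()
    except Exception as err:
        logging.debug("Error disabling SSL compression: %s" % err)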
# https://github.com/gevent/gevent/issues/477
# Re-add sslwrap to Python 2.7.9 (removed there; see the linked gevent issue).
# The stdlib module is bound under a private alias so the patches below can
# refer to it without shadowing anything else in this module.
import ssl as __ssl__

# Prefer the C extension's current name and fall back to the older ``_ssl2``
# name when ``_ssl`` is not present.
try:
    _ssl = __ssl__._ssl
except AttributeError:
    _ssl = __ssl__._ssl2

# Keep the stock SSLSocket: NewSSLSocket subclasses it, and the module
# attribute may be replaced further down.
OldSSLSocket = __ssl__.SSLSocket
class NewSSLSocket(OldSSLSocket):
    """SSLSocket subclass whose constructor tolerates the newer keyword set.

    ``server_hostname`` and ``_context`` are accepted so callers written for
    a newer ssl module do not fail on the call, but they are deliberately not
    forwarded to the wrapped SSLSocket. Note the default ``cert_reqs`` is
    CERT_REQUIRED, stricter than the stdlib's CERT_NONE, and ``ssl_version``
    defaults to 2 (PROTOCOL_SSLv23 in CPython's ssl module).
    """

    def __init__(
        self, sock, keyfile=None, certfile=None, server_side=False,
        cert_reqs=__ssl__.CERT_REQUIRED, ssl_version=2, ca_certs=None,
        do_handshake_on_connect=True, suppress_ragged_eofs=True, ciphers=None,
        server_hostname=None, _context=None
    ):
        # Only the keywords the original SSLSocket understands are passed on.
        forwarded = dict(
            keyfile=keyfile,
            certfile=certfile,
            server_side=server_side,
            cert_reqs=cert_reqs,
            ssl_version=ssl_version,
            ca_certs=ca_certs,
            do_handshake_on_connect=do_handshake_on_connect,
            suppress_ragged_eofs=suppress_ragged_eofs,
            ciphers=ciphers,
        )
        OldSSLSocket.__init__(self, sock, **forwarded)
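def new_sslwrap(
    sock, server_side=False, keyfile=None, certfile=None,
    cert_reqs=__ssl__.CERT_NONE, ssl_version=__ssl__.PROTOCOL_SSLv23,
    ca_certs=None, ciphers=None
):
    """Replacement for the ``_ssl.sslwrap`` that Python 2.7.9 removed.

    Builds an SSLContext and wraps *sock* with it. The context always uses
    PROTOCOL_SSLv23 with SSLv2 and SSLv3 switched off; *ssl_version* is kept
    for signature compatibility but ignored, so callers cannot request those
    protocols through this path.

    Args:
        sock: plain socket to wrap.
        server_side: perform the server side of the handshake when true.
        keyfile, certfile: local key and certificate chain; loaded only when
            *certfile* is set.
        cert_reqs: peer certificate policy (CERT_NONE / CERT_OPTIONAL /
            CERT_REQUIRED); a falsy value is treated as CERT_NONE.
        ssl_version: ignored, see above.
        ca_certs: CA bundle used for peer verification when set.
        ciphers: OpenSSL cipher string applied when set.

    Returns:
        The low-level object produced by ``SSLContext._wrap_socket``.

    Notes:
        Nothing here enables hostname checking (the sslwrap signature carries
        no hostname), so CERT_REQUIRED validates the chain only; a valid
        certificate issued for a different name is accepted.
        Must be called from a method whose frame has a ``self`` local (the
        SSLSocket being built): that frame is inspected to find the owner.
    """
    # Use the module bound as __ssl__: the bare name ``ssl`` is not defined
    # at module level here, so the previous ``ssl.PROTOCOL_SSLv23`` raised
    # NameError as soon as sslwrap was actually called.
    context = __ssl__.SSLContext(__ssl__.PROTOCOL_SSLv23)
    context.options |= __ssl__.OP_NO_SSLv2
    context.options |= __ssl__.OP_NO_SSLv3
    context.verify_mode = cert_reqs or __ssl__.CERT_NONE
    if ca_certs:
        context.load_verify_locations(ca_certs)
    if certfile:
        context.load_cert_chain(certfile, keyfile)
    if ciphers:
        context.set_ciphers(ciphers)
    # Private CPython API: _wrap_socket wants the owning SSLSocket, which the
    # legacy sslwrap signature does not carry, hence the caller-frame lookup.
    caller_self = inspect.currentframe().f_back.f_locals['self']
    return context._wrap_socket(sock, server_side=server_side, ssl_sock=caller_self)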
# Re-add sslwrap to Python 2.7.9+. Only patch when the C module really lacks
# it, so interpreters that still ship sslwrap are left untouched.
if not hasattr(_ssl, 'sslwrap'):
    import inspect  # new_sslwrap inspects its caller's frame
    __ssl__.SSLSocket = NewSSLSocket
    _ssl.sslwrap = new_sslwrap
    logging.debug("Missing SSLwrap, readded.")
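# Add SSLContext to gevent.ssl (Ubuntu 15 fix)
try:
    import gevent
    if not hasattr(gevent.ssl, "SSLContext"):
        gevent.ssl.SSLContext = __ssl__.SSLContext
        logging.debug("Missing SSLContext, readded.")
except (ImportError, AttributeError) as err:
    # gevent is not installed, or gevent.ssl is not reachable as an attribute
    # (presumably not imported yet): nothing to patch. Say so at debug level
    # instead of swallowing the error silently.
    logging.debug("Skipping gevent.ssl SSLContext fix: %s" % err)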
# Redirect insecure SSLv2 and v3: code asking for either constant now gets
# PROTOCOL_SSLv23 (version negotiation). This only rebinds the module
# attributes; contexts created elsewhere without OP_NO_SSLv2/OP_NO_SSLv3 may
# still accept SSLv3 if the OpenSSL build allows it.
__ssl__.PROTOCOL_SSLv2 = __ssl__.PROTOCOL_SSLv23
__ssl__.PROTOCOL_SSLv3 = __ssl__.PROTOCOL_SSLv23
logging.debug("Python SSL version: %s" % __ssl__.OPENSSL_VERSION)