Created
August 7, 2018 10:33
-
-
Save Ashex/256d7715ae216973e063c601294f200d to your computer and use it in GitHub Desktop.
Technically this allows you to obtain an OCSP response but pyopenssl doesn't support HTTP OCSP URIs so this is junk but it's worth keeping around.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Based off this https://stackoverflow.com/a/51108279 | |
| # A LOT of SSL Voodoo is happening here | |
| # Other refs: https://github.com/pyca/pyopenssl/issues/168 | |
| def verify_ocsp(self): | |
| ocsp_uri = self.get_ocsp_uri(self.x509_certificate) | |
| # We declare we want to use SSL v2/v3 for the context | |
| # but then turn around and disable those two. This results in being able | |
| # to negotiate any protocol that is NOT SSL v2/v3 | |
| ssl_context = OpenSSL.SSL.Context(OpenSSL.SSL.SSLv23_METHOD) | |
| ssl_context.set_options(OpenSSL.SSL.OP_NO_SSLv2) | |
| ssl_context.set_options(OpenSSL.SSL.OP_NO_SSLv3) | |
| ssl_context.set_timeout(10) | |
| # Declare our callback functions that are required for the Context handler | |
| # They do things that are important | |
| def verify_callback(conn, x509, errnum, errdepth, preverify_ok): | |
| self.logger.debug('Got Certificate {}'.format(x509.get_subject())) | |
| self.logger.debug(preverify_ok) | |
| return preverify_ok | |
| def ocsp_client_callback(connection, ocsp_data, data): | |
| ssl_context.ocsp_resp_der = ocsp_data | |
| self.logger.debug(ocsp_data) | |
| return True | |
| ssl_context.use_certificate(self.x509_certificate) | |
| ssl_context.use_privatekey(self.x509_private_key) | |
| ssl_context.load_verify_locations(cafile=self.root_ca_filename) | |
| ssl_context.set_verify(OpenSSL.SSL.VERIFY_PEER | OpenSSL.SSL.VERIFY_FAIL_IF_NO_PEER_CERT | OpenSSL.SSL.VERIFY_CLIENT_ONCE, | |
| callback=verify_callback) | |
| ssl_context.set_ocsp_client_callback(callback=ocsp_client_callback, data=None) | |
| raw_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) | |
| ssl_conn = OpenSSL.SSL.Connection(ssl_context, raw_sock) | |
| # OCSP verification occurs during the connection so we want to establish a full connection | |
| # Any failure will result in an exception being thrown that must be inspected | |
| ssl_conn.connect((ocsp_uri['host'], 80)) | |
| ssl_conn.settimeout(10) | |
| ssl_conn.setblocking(1) | |
| ssl_conn.set_tlsext_host_name(ocsp_uri['host'].encode()) | |
| ssl_conn.request_ocsp() | |
| ssl_conn.set_connect_state() | |
| ssl_conn.do_handshake() | |
| ssl_conn.shutdown() | |
| self.logger.info(ssl_context.ocsp_resp_der) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment