mirror of
https://github.com/jlu5/PyLink.git
synced 2024-11-27 13:09:23 +01:00
Support configurable SSL fingerprint hash types (Closes #157)
This commit is contained in:
parent
08fd50d3d8
commit
669e889e6f
52
classes.py
52
classes.py
@ -206,26 +206,40 @@ class Irc():
|
|||||||
# self-sign their certificates anyways.
|
# self-sign their certificates anyways.
|
||||||
if self.ssl and checks_ok:
|
if self.ssl and checks_ok:
|
||||||
peercert = self.socket.getpeercert(binary_form=True)
|
peercert = self.socket.getpeercert(binary_form=True)
|
||||||
sha1fp = hashlib.sha1(peercert).hexdigest()
|
|
||||||
expected_fp = self.serverdata.get('ssl_fingerprint')
|
# Hash type is configurable using the ssl_fingerprint_type
|
||||||
if expected_fp:
|
# value, and defaults to sha256.
|
||||||
if sha1fp != expected_fp:
|
hashtype = self.serverdata.get('ssl_fingerprint_type', 'sha256').lower()
|
||||||
# SSL Fingerprint doesn't match; break.
|
|
||||||
log.error('(%s) Uplink\'s SSL certificate '
|
try:
|
||||||
'fingerprint (SHA1) does not match the '
|
hashfunc = getattr(hashlib, hashtype)
|
||||||
'one configured: expected %r, got %r; '
|
except AttributeError:
|
||||||
'disconnecting...', self.name,
|
log.error('(%s) Unsupported SSL certificate fingerprint type %r given, disconnecting...',
|
||||||
expected_fp, sha1fp)
|
self.name, hashtype)
|
||||||
checks_ok = False
|
checks_ok = False
|
||||||
else:
|
|
||||||
log.info('(%s) Uplink SSL certificate fingerprint '
|
|
||||||
'(SHA1) verified: %r', self.name, sha1fp)
|
|
||||||
else:
|
else:
|
||||||
log.info('(%s) Uplink\'s SSL certificate fingerprint '
|
fp = hashfunc(peercert).hexdigest()
|
||||||
'is %r. You can enhance the security of your '
|
expected_fp = self.serverdata.get('ssl_fingerprint')
|
||||||
'link by specifying this in a "ssl_fingerprint"'
|
|
||||||
' option in your server block.', self.name,
|
if expected_fp and checks_ok:
|
||||||
sha1fp)
|
if fp != expected_fp:
|
||||||
|
# SSL Fingerprint doesn't match; break.
|
||||||
|
log.error('(%s) Uplink\'s SSL certificate '
|
||||||
|
'fingerprint (%s) does not match the '
|
||||||
|
'one configured: expected %r, got %r; '
|
||||||
|
'disconnecting...', self.name, hashtype,
|
||||||
|
expected_fp, fp)
|
||||||
|
checks_ok = False
|
||||||
|
else:
|
||||||
|
log.info('(%s) Uplink SSL certificate fingerprint '
|
||||||
|
'(%s) verified: %r', self.name, hashtype,
|
||||||
|
fp)
|
||||||
|
else:
|
||||||
|
log.info('(%s) Uplink\'s SSL certificate fingerprint (%s)'
|
||||||
|
'is %r. You can enhance the security of your '
|
||||||
|
'link by specifying this in a "ssl_fingerprint"'
|
||||||
|
' option in your server block.', self.name,
|
||||||
|
hashtype, fp)
|
||||||
|
|
||||||
if checks_ok:
|
if checks_ok:
|
||||||
# All our checks passed, get the protocol module to connect
|
# All our checks passed, get the protocol module to connect
|
||||||
|
@ -127,8 +127,15 @@ servers:
|
|||||||
# ssl_keyfile: pylink-key.pem
|
# ssl_keyfile: pylink-key.pem
|
||||||
|
|
||||||
# Optionally, you can set this option to verify the SSL certificate
|
# Optionally, you can set this option to verify the SSL certificate
|
||||||
# fingerprint (SHA1) of your uplink.
|
# fingerprint of your uplink.
|
||||||
# ssl_fingerprint: "e0fee1adf795c84eec4735f039503eb18d9c35cc"
|
#ssl_fingerprint: "e0fee1adf795c84eec4735f039503eb18d9c35cc"
|
||||||
|
|
||||||
|
# This sets the hash type for the fingerprint (md5, sha1, sha256, etc.)
|
||||||
|
# Valid values include md5 and sha1-sha512, though others may be
|
||||||
|
# supported depending on your system: see
|
||||||
|
# https://docs.python.org/3/library/hashlib.html
|
||||||
|
# This setting defaults to sha256.
|
||||||
|
#ssl_fingerprint_type: sha256
|
||||||
|
|
||||||
ts6net:
|
ts6net:
|
||||||
ip: ::1
|
ip: ::1
|
||||||
|
Loading…
Reference in New Issue
Block a user