3
0
mirror of https://github.com/jlu5/PyLink.git synced 2024-11-27 13:09:23 +01:00

Support configurable SSL fingerprint hash types (Closes #157)

This commit is contained in:
James Lu 2016-01-30 23:04:13 -08:00
parent 08fd50d3d8
commit 669e889e6f
2 changed files with 42 additions and 21 deletions

View File

@ -206,26 +206,40 @@ class Irc():
# self-sign their certificates anyways. # self-sign their certificates anyways.
if self.ssl and checks_ok: if self.ssl and checks_ok:
peercert = self.socket.getpeercert(binary_form=True) peercert = self.socket.getpeercert(binary_form=True)
sha1fp = hashlib.sha1(peercert).hexdigest()
expected_fp = self.serverdata.get('ssl_fingerprint') # Hash type is configurable using the ssl_fingerprint_type
if expected_fp: # value, and defaults to sha256.
if sha1fp != expected_fp: hashtype = self.serverdata.get('ssl_fingerprint_type', 'sha256').lower()
# SSL Fingerprint doesn't match; break.
log.error('(%s) Uplink\'s SSL certificate ' try:
'fingerprint (SHA1) does not match the ' hashfunc = getattr(hashlib, hashtype)
'one configured: expected %r, got %r; ' except AttributeError:
'disconnecting...', self.name, log.error('(%s) Unsupported SSL certificate fingerprint type %r given, disconnecting...',
expected_fp, sha1fp) self.name, hashtype)
checks_ok = False checks_ok = False
else:
log.info('(%s) Uplink SSL certificate fingerprint '
'(SHA1) verified: %r', self.name, sha1fp)
else: else:
log.info('(%s) Uplink\'s SSL certificate fingerprint ' fp = hashfunc(peercert).hexdigest()
'is %r. You can enhance the security of your ' expected_fp = self.serverdata.get('ssl_fingerprint')
'link by specifying this in a "ssl_fingerprint"'
' option in your server block.', self.name, if expected_fp and checks_ok:
sha1fp) if fp != expected_fp:
# SSL Fingerprint doesn't match; break.
log.error('(%s) Uplink\'s SSL certificate '
'fingerprint (%s) does not match the '
'one configured: expected %r, got %r; '
'disconnecting...', self.name, hashtype,
expected_fp, fp)
checks_ok = False
else:
log.info('(%s) Uplink SSL certificate fingerprint '
'(%s) verified: %r', self.name, hashtype,
fp)
else:
log.info('(%s) Uplink\'s SSL certificate fingerprint (%s)'
'is %r. You can enhance the security of your '
'link by specifying this in a "ssl_fingerprint"'
' option in your server block.', self.name,
hashtype, fp)
if checks_ok: if checks_ok:
# All our checks passed, get the protocol module to connect # All our checks passed, get the protocol module to connect

View File

@ -127,8 +127,15 @@ servers:
# ssl_keyfile: pylink-key.pem # ssl_keyfile: pylink-key.pem
# Optionally, you can set this option to verify the SSL certificate # Optionally, you can set this option to verify the SSL certificate
# fingerprint (SHA1) of your uplink. # fingerprint of your uplink.
# ssl_fingerprint: "e0fee1adf795c84eec4735f039503eb18d9c35cc" #ssl_fingerprint: "e0fee1adf795c84eec4735f039503eb18d9c35cc"
# This sets the hash type for the fingerprint (md5, sha1, sha256, etc.)
# Valid values include md5 and sha1-sha512, though others may be
# supported depending on your system: see
# https://docs.python.org/3/library/hashlib.html
# This setting defaults to sha256.
#ssl_fingerprint_type: sha256
ts6net: ts6net:
ip: ::1 ip: ::1