"""An attempt to produce similar output to "openssl ciphers -v", but for
python's built-in ssl.
To answer http://stackoverflow.com/q/28332448/445073
"""
from __future__ import print_function
import argparse
import logging
import multiprocessing
import os
import socket
import ssl
import sys
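def server(log_level, queue):
    """Serve TLS on a loopback port until terminated, accepting any cipher.

    Binds 127.0.0.1 on an ephemeral port, publishes the bound address on
    *queue* once, then loops forever: accept a TCP connection, complete the
    TLS handshake as the server, read one record and close. The cipher list
    is deliberately permissive ("ALL:aNULL:eNULL") so that the *client's*
    offered list is what decides the negotiated cipher: this process is a
    test fixture for enumerating the client side, not a real server. It
    never returns; the parent process is expected to terminate it.

    Args:
        log_level: level handed to ``logging.basicConfig``.
        queue: ``multiprocessing.Queue`` that receives the ``(host, port)``
            tuple the server is listening on.
    """
    logging.basicConfig(level=log_level)
    logger = logging.getLogger("server")

    # One context shared by every connection. Built explicitly because the
    # module-level ssl.wrap_socket() helper was removed in Python 3.12.
    # PROTOCOL_SSLv23 negotiates the highest version both peers support.
    context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
    context.load_cert_chain(certfile="server.crt", keyfile="server.key")
    context.set_ciphers("ALL:aNULL:eNULL")

    logger.debug("Creating bind socket")
    bind_sock = socket.socket()
    # Loopback only and an OS-chosen port: the fixture is never reachable
    # from off-host and cannot collide with a fixed port.
    bind_sock.bind(('127.0.0.1', 0))
    bind_sock.listen(5)
    bind_addr = bind_sock.getsockname()
    logger.debug("Listening on %r", bind_addr)
    queue.put(bind_addr)

    while True:
        logger.debug("Waiting for connection")
        conn_sock, fromaddr = bind_sock.accept()
        try:
            tls_sock = context.wrap_socket(conn_sock, server_side=True)
        except (ssl.SSLError, socket.error) as err:
            # A client that offers no acceptable cipher is the expected end
            # of the enumeration; log it and keep serving instead of letting
            # the traceback kill the fixture.
            logger.debug("Handshake with %r failed: %s", fromaddr, err)
            conn_sock.close()
            continue
        try:
            data = tls_sock.read()
            logger.debug("Read %r", data)
        except (ssl.SSLError, socket.error) as err:
            logger.debug("Read from %r failed: %s", fromaddr, err)
        finally:
            tls_sock.close()
        logger.debug("Done")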
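def parse_args(argv):
    """Parse the command line.

    Args:
        argv: the full argument vector as in ``sys.argv``; ``argv[0]`` (the
            program name) is skipped.

    Returns:
        ``argparse.Namespace`` with ``verbose`` (bool) and ``ciphers`` (an
        OpenSSL cipher-list string).
    """
    # ssl._DEFAULT_CIPHERS is a private name that newer Pythons no longer
    # define (they defer to OpenSSL's own default list), so fall back to the
    # equivalent OpenSSL keyword instead of failing at startup.
    default_ciphers = getattr(ssl, "_DEFAULT_CIPHERS", "DEFAULT")
    parser = argparse.ArgumentParser(
        formatter_class=argparse.ArgumentDefaultsHelpFormatter)
    parser.add_argument("--verbose", "-v", action="store_true",
                        help="Turn on debug logging")
    parser.add_argument("--ciphers", "-c",
                        default=default_ciphers,
                        help="Cipher list to test. Defaults to this python's "
                             "default client list")
    return parser.parse_args(argv[1:])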
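def _negotiate_once(server_addr, cipher_list):
    """Open one TLS connection offering *cipher_list* and report the result.

    Args:
        server_addr: ``(host, port)`` of the loopback test server.
        cipher_list: OpenSSL cipher-list string to offer.

    Returns:
        The ``SSLSocket.cipher()`` tuple ``(name, protocol, bits)`` that was
        negotiated.

    Raises:
        ssl.SSLError: when no cipher can be selected from *cipher_list* or
            the handshake fails.
    """
    # Built explicitly because ssl.wrap_socket() was removed in Python 3.12.
    context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
    # Certificate verification is intentionally off: the peer is this
    # script's own self-signed server on 127.0.0.1 and only the cipher
    # negotiation is under test. check_hostname must be cleared first.
    context.check_hostname = False
    context.verify_mode = ssl.CERT_NONE
    context.set_ciphers(cipher_list)
    client_sock = context.wrap_socket(
        socket.socket(socket.AF_INET, socket.SOCK_STREAM))
    try:
        client_sock.connect(server_addr)  # handshake happens here
        chosen = client_sock.cipher()
        client_sock.write(b"ping")  # bytes: a str would fail on Python 3
    finally:
        client_sock.close()
    return chosen


if __name__ == "__main__":
    args = parse_args(sys.argv)
    log_level = logging.DEBUG if args.verbose else logging.INFO
    logging.basicConfig(level=log_level)
    logger = logging.getLogger("client")
    if not os.path.isfile('server.crt') or not os.path.isfile('server.key'):
        print("Must generate server.crt and server.key before running")
        print("Try:")
        print("openssl req -x509 -newkey rsa:2048 -keyout server.key -out server.crt -nodes -days 365 -subj '/CN=127.0.0.1'")
        sys.exit(1)

    queue = multiprocessing.Queue()
    server_proc = multiprocessing.Process(target=server, args=(log_level, queue))
    server_proc.start()
    logger.debug("Waiting for server address")
    server_addr = queue.get()

    chosen_ciphers = []
    seen_names = set()
    try:
        cipher_list = args.ciphers
        while True:
            logger.debug("Connecting to %r", server_addr)
            chosen_cipher = _negotiate_once(server_addr, cipher_list)
            logger.debug("Negotiated %r", chosen_cipher)
            if chosen_cipher is None or chosen_cipher[0] in seen_names:
                # "!name" only affects the cipher list; TLS 1.3 suites are
                # negotiated separately, so a repeated choice means nothing
                # further can be excluded. Stop rather than loop forever.
                logger.debug("Cipher %r chosen again - nothing left to exclude",
                             chosen_cipher)
                break
            chosen_ciphers.append(chosen_cipher)
            seen_names.add(chosen_cipher[0])
            # Exclude the first choice cipher from the list, to see what we get
            # next time.
            cipher_list += ':!' + chosen_cipher[0]
    except ssl.SSLError as err:
        # Either the handshake was refused or set_ciphers() found nothing
        # left to offer; both mean the enumeration is complete.
        if ('handshake failure' in str(err)
                or 'No cipher can be selected' in str(err)):
            logger.debug("Handshake failed - no more ciphers to try")
        else:
            logger.exception("Something bad happened")
    except Exception:
        logger.exception("Something bad happened")
    finally:
        # The server loops forever, so it is stopped rather than joined first.
        server_proc.terminate()
        server_proc.join()

    print("Python: {}".format(sys.version))
    print("OpenSSL: {}".format(ssl.OPENSSL_VERSION))
    print("Expanding cipher list: {}".format(args.ciphers))
    print("{} ciphers found:".format(len(chosen_ciphers)))
    print("\n".join(repr(cipher) for cipher in chosen_ciphers))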
daybarr commented Feb 12, 2015

See the StackOverflow question and answer for commentary.

This is great! Thanks.
It's missing an import os though
