"""An attempt to produce similar output to "openssl ciphers -v", but for | |
python's built-in ssl. | |
To answer http://stackoverflow.com/q/28332448/445073 | |
""" | |
from __future__ import print_function | |
import argparse | |
import logging | |
import multiprocessing | |
import os | |
import socket | |
import ssl | |
import sys | |
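def server(log_level, queue):
    """Run a deliberately permissive TLS server on the loopback interface.

    Binds an ephemeral port on 127.0.0.1, publishes the bound address on
    ``queue`` so the client half of the script can find it, then accepts
    connections forever, reading one message from each before closing it.
    Meant to run in a child process; the parent terminates it when done.

    Security notes -- every one of these is intentional and only
    acceptable because the listener is bound to 127.0.0.1 for a test:
      * cipher string ``ALL:aNULL:eNULL`` enables every suite the linked
        OpenSSL knows, including anonymous (no authentication) and null
        (no encryption) ones, so whatever the client prefers is what gets
        negotiated and can be reported;
      * the certificate is the throwaway self-signed ``server.crt`` /
        ``server.key`` pair described by ``__main__``.
    Do not expose this listener beyond loopback or reuse its configuration
    for anything carrying real data.

    Args:
        log_level: logging level for this process' root logger.
        queue: multiprocessing.Queue that receives the (host, port) tuple.
    """
    logging.basicConfig(level=log_level)
    logger = logging.getLogger("server")
    logger.debug("Creating bind socket")
    bind_sock = socket.socket()
    try:
        bind_sock.bind(('127.0.0.1', 0))
        bind_sock.listen(5)
        bind_addr = bind_sock.getsockname()
        logger.debug("Listening on %r", bind_addr)
        queue.put(bind_addr)

        # Build the TLS configuration once instead of per connection. It is
        # done after publishing the address so that a broken cert/key makes
        # the client's connect fail rather than leaving it waiting on the
        # queue forever. PROTOCOL_SSLv23 is the version-negotiating "auto"
        # protocol despite its legacy name.
        ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
        ctx.load_cert_chain(certfile="server.crt", keyfile="server.key")
        ctx.set_ciphers("ALL:aNULL:eNULL")

        while True:
            logger.debug("Waiting for connection")
            conn_sock, fromaddr = bind_sock.accept()
            try:
                # The handshake runs inside wrap_socket (server_side=True).
                # A cipher the server cannot actually use (e.g. DHE without
                # DH params) fails only this connection; the server keeps
                # serving instead of dying with a traceback.
                tls_sock = ctx.wrap_socket(conn_sock, server_side=True)
            except ssl.SSLError as err:
                logger.debug("Handshake with %r failed: %s", fromaddr, err)
                conn_sock.close()
                continue
            try:
                data = tls_sock.read()
                logger.debug("Read %r", data)
            finally:
                tls_sock.close()
            logger.debug("Done")
    finally:
        bind_sock.close()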
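def parse_args(argv):
    """Parse the command line.

    Args:
        argv: full argument vector; ``argv[0]`` (the program name) is
            skipped.

    Returns:
        argparse.Namespace with ``verbose`` (bool) and ``ciphers`` (str,
        an OpenSSL cipher-list string).
    """
    # ssl._DEFAULT_CIPHERS is a private name that is not present on every
    # Python version. Fall back to OpenSSL's own "DEFAULT" alias so the
    # script still starts instead of failing with AttributeError.
    default_ciphers = getattr(ssl, "_DEFAULT_CIPHERS", "DEFAULT")

    parser = argparse.ArgumentParser(
        formatter_class=argparse.ArgumentDefaultsHelpFormatter)
    parser.add_argument("--verbose", "-v", action="store_true",
                        help="Turn on debug logging")
    parser.add_argument("--ciphers", "-c",
                        default=default_ciphers,
                        help="Cipher list to test. Defaults to this python's "
                             "default client list")
    return parser.parse_args(argv[1:])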
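if __name__ == "__main__":
    args = parse_args(sys.argv)
    log_level = logging.DEBUG if args.verbose else logging.INFO
    logging.basicConfig(level=log_level)
    logger = logging.getLogger("client")

    if not os.path.isfile('server.crt') or not os.path.isfile('server.key'):
        print("Must generate server.crt and server.key before running")
        print("Try:")
        print("openssl req -x509 -newkey rsa:2048 -keyout server.key -out server.crt -nodes -days 365 -subj '/CN=127.0.0.1'")
        sys.exit(1)

    # Start the permissive loopback server in a child process and wait for
    # it to tell us which ephemeral port it got.
    queue = multiprocessing.Queue()
    server_proc = multiprocessing.Process(target=server, args=(log_level, queue))
    server_proc.start()
    logger.debug("Waiting for server address")
    server_addr = queue.get()

    chosen_ciphers = []   # (name, protocol, bits) tuples, in negotiation order
    seen_names = set()    # cipher names already excluded from cipher_list
    try:
        cipher_list = args.ciphers
        while True:
            # A fresh context per attempt, because the cipher string changes
            # every round. Certificate verification is deliberately OFF: the
            # peer is the throwaway self-signed loopback server started
            # above and the goal is to observe cipher negotiation, not to
            # authenticate anything. Never copy this client configuration
            # for a real endpoint.
            ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            # Raises SSLError ("No cipher can be selected.") once every
            # cipher has been excluded -- that is one normal way to finish.
            ctx.set_ciphers(cipher_list)
            client_sock = ctx.wrap_socket(
                socket.socket(socket.AF_INET, socket.SOCK_STREAM))
            try:
                logger.debug("Connecting to %r", server_addr)
                client_sock.connect(server_addr)   # handshake happens here
                logger.debug("Connected")
                chosen_cipher = client_sock.cipher()
                client_sock.write(b"ping")   # bytes: str fails on Python 3
            finally:
                client_sock.close()

            name = chosen_cipher[0]
            if name in seen_names:
                # Excluding a suite via the cipher-list string does not
                # stop it from being negotiated again when it is a
                # TLS 1.3 suite (those are configured separately in
                # OpenSSL and not exposed by this ssl module), so the same
                # name coming back means the list can no longer be
                # narrowed. Stop rather than loop forever.
                logger.info("%s negotiated again after being excluded; "
                            "stopping", name)
                break
            seen_names.add(name)
            chosen_ciphers.append(chosen_cipher)
            # Exclude the first-choice cipher from the list, to see what we
            # get next time.
            cipher_list += ':!' + name
    except ssl.SSLError as err:
        msg = str(err)
        if 'handshake failure' in msg or 'No cipher can be selected' in msg:
            logger.debug("No more ciphers to try (%s)", err)
        else:
            logger.exception("Something bad happened")
    except Exception:
        logger.exception("Something bad happened")
    finally:
        # The server loops forever; it only ever exits by being terminated.
        server_proc.terminate()
        server_proc.join()

    print("Python: {}".format(sys.version))
    print("OpenSSL: {}".format(ssl.OPENSSL_VERSION))
    print("Expanding cipher list: {}".format(args.ciphers))
    print("{} ciphers found:".format(len(chosen_ciphers)))
    print("\n".join(repr(cipher) for cipher in chosen_ciphers))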
This is great! Thanks.
It's missing an import os
though
See the StackOverflow question and answer for commentary.