Fixed TLS1.3
This commit is contained in:
parent
5ff9bd0680
commit
6f73f766ac
2 changed files with 85 additions and 36 deletions
|
@ -234,7 +234,7 @@ class SyniTox(Tox):
|
||||||
else:
|
else:
|
||||||
override = False
|
override = False
|
||||||
# TLSv1_3_METHOD does not exist
|
# TLSv1_3_METHOD does not exist
|
||||||
context = SSL.Context(SSL.TLSv1_2_METHOD)
|
context = SSL.Context(SSL.TLS_CLIENT_METHOD) # TLSv1_2_METHOD
|
||||||
# SSL.OP_NO_TLSv1_1 is allowed
|
# SSL.OP_NO_TLSv1_1 is allowed
|
||||||
context.set_options(SSL.OP_NO_SSLv2|SSL.OP_NO_SSLv3|SSL.OP_NO_TLSv1)
|
context.set_options(SSL.OP_NO_SSLv2|SSL.OP_NO_SSLv3|SSL.OP_NO_TLSv1)
|
||||||
# this maybe necessary even for a 1.3 site to get the handshake
|
# this maybe necessary even for a 1.3 site to get the handshake
|
||||||
|
@ -249,12 +249,22 @@ class SyniTox(Tox):
|
||||||
val = SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT
|
val = SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT
|
||||||
LOG.info('Using keyfile: %s' % self._oArgs.irc_pem)
|
LOG.info('Using keyfile: %s' % self._oArgs.irc_pem)
|
||||||
if True:
|
if True:
|
||||||
key = self._oArgs.irc_pem.replace('.pem', '.crt')
|
# key = self._oArgs.irc_pem.replace('.pem', '.crt')
|
||||||
|
assert os.path.exists(key), key
|
||||||
context.use_certificate_file(key, filetype=SSL.FILETYPE_PEM)
|
context.use_certificate_file(key, filetype=SSL.FILETYPE_PEM)
|
||||||
if True:
|
if True:
|
||||||
key = self._oArgs.irc_pem.replace('.pem', '.key')
|
# key = self._oArgs.irc_pem.replace('.pem', '.key')
|
||||||
assert os.path.exists(key), key
|
assert os.path.exists(key), key
|
||||||
context.use_privatekey_file(key, filetype=SSL.FILETYPE_PEM)
|
context.use_privatekey_file(key, filetype=SSL.FILETYPE_PEM)
|
||||||
|
#? load_client_ca
|
||||||
|
def SSL_hands_cb(oConn,iLine,iRet):
|
||||||
|
# where in the SSL handshake the function was called, and
|
||||||
|
# the return code from a internal function call
|
||||||
|
print(f"iLine={iLine}, iRet={iRet}")
|
||||||
|
# context.set_info_callback(SSL_hands_cb)
|
||||||
|
def keylog_callback(oConn,s):
|
||||||
|
print(s)
|
||||||
|
context.set_keylog_callback(keylog_callback)
|
||||||
else:
|
else:
|
||||||
val = SSL.VERIFY_PEER
|
val = SSL.VERIFY_PEER
|
||||||
context.set_verify(val, ssl_verify_cb(HOST, override))
|
context.set_verify(val, ssl_verify_cb(HOST, override))
|
||||||
|
@ -267,10 +277,10 @@ class SyniTox(Tox):
|
||||||
if self._oArgs.irc_ssl == 'tlsv1.1':
|
if self._oArgs.irc_ssl == 'tlsv1.1':
|
||||||
context.set_min_proto_version(SSL.TLS1_1_VERSION)
|
context.set_min_proto_version(SSL.TLS1_1_VERSION)
|
||||||
elif self._oArgs.irc_ssl == 'tlsv1.2':
|
elif self._oArgs.irc_ssl == 'tlsv1.2':
|
||||||
context.set_cipher_list(bytes(' '.join(lOPENSSL_12_CIPHERS), 'UTF-8'))
|
context.set_cipher_list(bytes(':'.join(['DEFAULT@SECLEVEL=1']+lOPENSSL_12_CIPHERS), 'UTF-8'))
|
||||||
context.set_min_proto_version(SSL.TLS1_2_VERSION)
|
context.set_min_proto_version(SSL.TLS1_2_VERSION)
|
||||||
elif self._oArgs.irc_ssl == 'tlsv1.3':
|
elif self._oArgs.irc_ssl == 'tlsv1.3':
|
||||||
#? context.set_cipher_list(bytes(' '.join(lOPENSSL_13_CIPHERS), 'UTF-8'))
|
context.set_cipher_list(bytes(':'.join(['DEFAULT@SECLEVEL=1']+lOPENSSL_13_CIPHERS), 'UTF-8'))
|
||||||
context.set_min_proto_version(SSL.TLS1_3_VERSION)
|
context.set_min_proto_version(SSL.TLS1_3_VERSION)
|
||||||
self._ssl_context = context
|
self._ssl_context = context
|
||||||
|
|
||||||
|
@ -567,7 +577,7 @@ class SyniTox(Tox):
|
||||||
self.diagnose_ciphers(irc)
|
self.diagnose_ciphers(irc)
|
||||||
else:
|
else:
|
||||||
irc.connect((ip, self._oArgs.irc_port))
|
irc.connect((ip, self._oArgs.irc_port))
|
||||||
LOG.info(f"IRC {'SSL ' if self._oArgs.irc_ssl else ''} connected ")
|
LOG.info(f"IRC SSL={self._oArgs.irc_ssl} connected ")
|
||||||
|
|
||||||
except wrapper_tests.socks.Socks5Error as e:
|
except wrapper_tests.socks.Socks5Error as e:
|
||||||
iSocks5Error += 1
|
iSocks5Error += 1
|
||||||
|
@ -614,6 +624,7 @@ class SyniTox(Tox):
|
||||||
self._oArgs.irc_ident,
|
self._oArgs.irc_ident,
|
||||||
self._oArgs.irc_host,
|
self._oArgs.irc_host,
|
||||||
self._oArgs.irc_name), 'UTF-8'))
|
self._oArgs.irc_name), 'UTF-8'))
|
||||||
|
|
||||||
# OSError: [Errno 9] Bad file descriptor
|
# OSError: [Errno 9] Bad file descriptor
|
||||||
|
|
||||||
def dht_init(self):
|
def dht_init(self):
|
||||||
|
@ -732,7 +743,8 @@ class SyniTox(Tox):
|
||||||
elif l[1] not in ['372']:
|
elif l[1] not in ['372']:
|
||||||
i = line.find(' ')
|
i = line.find(' ')
|
||||||
print(line[i+1:])
|
print(line[i+1:])
|
||||||
|
else:
|
||||||
|
LOG.info('MOTD')
|
||||||
rx = re.match(r':(.*?)!.*? PRIVMSG %s :(.*?)\r' %
|
rx = re.match(r':(.*?)!.*? PRIVMSG %s :(.*?)\r' %
|
||||||
self._oArgs.irc_chan, line, re.S)
|
self._oArgs.irc_chan, line, re.S)
|
||||||
if rx:
|
if rx:
|
||||||
|
|
|
@ -1,4 +1,5 @@
|
||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
|
||||||
|
|
||||||
#export LD_LIBRARY_PATH=/usr/local/lib
|
#export LD_LIBRARY_PATH=/usr/local/lib
|
||||||
#export TOXCORE_LIBS=/mnt/linuxPen19/var/local/src/c-toxcore/_build
|
#export TOXCORE_LIBS=/mnt/linuxPen19/var/local/src/c-toxcore/_build
|
||||||
|
@ -13,12 +14,49 @@ export PYTHONPATH=/mnt/o/var/local/src/toxygen_wrapper.git/
|
||||||
ERROR() { echo ERROR $* ; }
|
ERROR() { echo ERROR $* ; }
|
||||||
}
|
}
|
||||||
|
|
||||||
TLS=2
|
HOST=irc.oftc.net
|
||||||
|
IRC_PORT=6667
|
||||||
|
IRCS_PORT=6697
|
||||||
|
ONION=oftcnet6xg6roj6d7id4y4cu6dchysacqj2ldgea73qzdagufflqxrid.onion
|
||||||
|
|
||||||
|
TLS=0
|
||||||
a=`openssl ciphers -s -v|grep -c v1.3`
|
a=`openssl ciphers -s -v|grep -c v1.3`
|
||||||
if [ "$a" -lt 3 ] ; then
|
if [ "$a" -lt 3 ] ; then
|
||||||
WARN no SSSL TLSv1.3 ciphers available to the client.
|
WARN no SSSL TLSv1.3 ciphers available to the client.
|
||||||
TLS=2
|
TLS=2
|
||||||
|
elif nmap --script ssl-enum-ciphers --proxies socks4://127.0.0.1:9050 -p $IRCS_PORT $HOST | grep -q 'TLSv1.3:' ; then
|
||||||
|
TLS=3
|
||||||
|
else
|
||||||
|
TLS=2
|
||||||
fi
|
fi
|
||||||
|
TLS=3
|
||||||
|
|
||||||
|
if [ "$TLS" -ne 0 ] ; then
|
||||||
|
SD=$HOME/.config/ssl/$HOST
|
||||||
|
[ -d $SD ] || mkdir -p $SD || exit 2
|
||||||
|
if [ ! -s $SD/$nick.key ] ; then
|
||||||
|
# ed25519
|
||||||
|
openssl req -x509 -nodes -newkey rsa:2048 \
|
||||||
|
-keyout $SD/$nick.key \
|
||||||
|
-days 3650 -out $SD/$nick.crt || exit 3
|
||||||
|
chmod 400 $SD/$nick.key
|
||||||
|
fi
|
||||||
|
if [ ! -s $SD/$nick.fp ] ; then
|
||||||
|
openssl x509 -noout -fingerprint -SHA1 -text \
|
||||||
|
< $SD/$nick.crt > $SD/$nick.fp || exit 4
|
||||||
|
fi
|
||||||
|
if [ ! -s $SD/$nick.pem ] ; then
|
||||||
|
cat $SD/$nick.crt $SD/$nick.key > $SD/$nick.pem
|
||||||
|
chmod 400 $SD/$nick.pem || exit 5
|
||||||
|
fi
|
||||||
|
ls -l -s $SD/$nick.pem
|
||||||
|
fi
|
||||||
|
|
||||||
|
curl -vvvvv --cacert /etc/ssl/cacert-testforge.pem \
|
||||||
|
--cert ~/.config/ssl/$HOST/SyniTox.pem \
|
||||||
|
https://$HOST:$IRCS_PORT \
|
||||||
|
2>&1| grep "SSL connection using TLSv1.$TLS"
|
||||||
|
[ $? -gt 0 ] && WARN curl not OK
|
||||||
|
|
||||||
declare -a RARGS
|
declare -a RARGS
|
||||||
RARGS=(
|
RARGS=(
|
||||||
|
@ -32,13 +70,12 @@ RARGS+=(
|
||||||
)
|
)
|
||||||
declare -a LARGS
|
declare -a LARGS
|
||||||
LARGS=(
|
LARGS=(
|
||||||
--irc_host irc.oftc.net
|
--irc_host $HOST
|
||||||
--irc_port 7000
|
--irc_port $IRC_PORT
|
||||||
--irc_ssl ""
|
--irc_ssl ""
|
||||||
--irc_ident SyniTox
|
--irc_ident SyniTox
|
||||||
--irc_name SyniTox
|
--irc_name SyniTox
|
||||||
--irc_nick SyniTox
|
--irc_nick SyniTox
|
||||||
--irc_pass password
|
|
||||||
)
|
)
|
||||||
DBUG $?
|
DBUG $?
|
||||||
|
|
||||||
|
@ -50,13 +87,13 @@ fi
|
||||||
|
|
||||||
CIPHER_DOWNGRADE_OVER_TOR="
|
CIPHER_DOWNGRADE_OVER_TOR="
|
||||||
|
|
||||||
Nmap scan report for irc.oftc.net (130.239.18.116)
|
Nmap scan report for $HOST (130.239.18.116)
|
||||||
Host is up (0.26s latency).
|
Host is up (0.26s latency).
|
||||||
Other addresses for irc.oftc.net (not scanned): (null)
|
Other addresses for $HOST (not scanned): (null)
|
||||||
rDNS record for 130.239.18.116: solenoid.acc.umu.se
|
rDNS record for 130.239.18.116: solenoid.acc.umu.se
|
||||||
|
|
||||||
PORT STATE SERVICE
|
PORT STATE SERVICE
|
||||||
6697/tcp open ircs-u
|
$IRCS_PORT/tcp open ircs-u
|
||||||
| ssl-enum-ciphers:
|
| ssl-enum-ciphers:
|
||||||
| TLSv1.0:
|
| TLSv1.0:
|
||||||
| ciphers:
|
| ciphers:
|
||||||
|
@ -67,44 +104,44 @@ PORT STATE SERVICE
|
||||||
|_ least strength: A
|
|_ least strength: A
|
||||||
"
|
"
|
||||||
# I know that site does v1.3 3 ciphers
|
# I know that site does v1.3 3 ciphers
|
||||||
if [ $# -eq 0 -o "$1" = 2 ] ; then
|
|
||||||
nmap --script ssl-enum-ciphers --proxies socks4://127.0.0.1:9050 -p 6697 irc.oftc.net
|
|
||||||
|
|
||||||
# oftcnet6xg6roj6d7id4y4cu6dchysacqj2ldgea73qzdagufflqxrid.onion
|
|
||||||
# irc.oftc.net
|
|
||||||
LARGS=(
|
LARGS=(
|
||||||
--irc_host irc.oftc.net
|
--irc_host $HOST
|
||||||
--irc_port 6697
|
--irc_port $IRCS_PORT
|
||||||
--irc_ssl tlsv1.$TLS
|
--irc_ssl tlsv1.$TLS
|
||||||
--irc_ident SyniTox
|
--irc_ident SyniTox
|
||||||
--irc_name SyniTox
|
--irc_name SyniTox
|
||||||
--irc_nick SyniTox
|
--irc_nick SyniTox
|
||||||
--irc_pass password
|
--irc_pass password
|
||||||
--irc_pem $HOME/.config/ssl/irc.oftc.net/SyniTox.pem
|
--irc_pem $HOME/.config/ssl/$HOST/SyniTox.pem
|
||||||
# E178E7B9BD9E540278118193AD2C84DEF9B35E85
|
# E178E7B9BD9E540278118193AD2C84DEF9B35E85
|
||||||
--irc_fp $HOME/.config/ssl/irc.oftc.net/SyniTox.fp
|
--irc_fp $HOME/.config/ssl/$HOST/SyniTox.fp
|
||||||
--irc_cadir '/etc/ssl/certs'
|
--irc_cafile /usr/local/etc/ssl/cacert-testforge.pem
|
||||||
--irc_cafile /etc/ssl/cacert.pem
|
|
||||||
)
|
)
|
||||||
|
|
||||||
|
if [ $# -eq 0 -o "$1" = 2 ] ; then
|
||||||
|
INFO SSL v1.$TLS
|
||||||
|
python3 tox-irc-sync.py "${LARGS[@]}" "${RARGS[@]}" "$@"
|
||||||
DBUG $?
|
DBUG $?
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ $# -eq 0 -o "$1" = 2 ] ; then
|
ip=$ONION
|
||||||
INFO SSL
|
|
||||||
python3 tox-irc-sync.py "${LARGS[@]}" "${RARGS[@]}" "$@"
|
|
||||||
fi
|
|
||||||
|
|
||||||
ip=oftcnet6xg6roj6d7id4y4cu6dchysacqj2ldgea73qzdagufflqxrid.onion
|
|
||||||
if [ $# -eq 0 -o "$1" = 3 ] ; then
|
if [ $# -eq 0 -o "$1" = 3 ] ; then
|
||||||
nmap --script ssl-enum-ciphers --proxies socks4://127.0.0.1:9050 -p 6697 $ip
|
nmap --script ssl-enum-ciphers --proxies socks4://127.0.0.1:9050 -p $IRCS_PORT $ip
|
||||||
INFO Onion
|
INFO Onion v1.$TLS
|
||||||
python3 tox-irc-sync.py "${LARGS[@]}" --irc_connect $ip "${RARGS[@]}" "$@"
|
python3 tox-irc-sync.py "${LARGS[@]}" --irc_connect $ip "${RARGS[@]}" "$@"
|
||||||
DBUG $?
|
DBUG $?
|
||||||
fi
|
fi
|
||||||
|
|
||||||
ip=`tor-resolve -4 $ip`
|
ip=`tor-resolve -4 $ONION`
|
||||||
if [ $? -eq 0 -a -n "$ip" ] && [ $# -eq 0 -o "$1" = 4 ] ; then
|
if [ $? -eq 0 -a -n "$ip" ] && [ $# -eq 0 -o "$1" = 4 ] ; then
|
||||||
nmap --script ssl-enum-ciphers --proxies socks4://127.0.0.1:9050 -p 6697 $ip
|
curl -vvvvv --cacert /etc/ssl/cacert-testforge.pem \
|
||||||
|
--cert ~/.config/ssl/$HOST/SyniTox.pem \
|
||||||
|
--connect-to $ip:$IRCS_PORT \
|
||||||
|
https://$HOST:$IRCS_PORT \
|
||||||
|
2>&1| grep "SSL connection using TLSv1.$TLS"
|
||||||
|
|
||||||
|
[ $? -gt 0 ] && WARN curl not OK
|
||||||
|
nmap --script ssl-enum-ciphers --proxies socks4://127.0.0.1:9050 -p $IRCS_PORT $ip
|
||||||
INFO IP $ip
|
INFO IP $ip
|
||||||
python3 tox-irc-sync.py "${LARGS[@]}" --irc_connect $ip "${RARGS[@]}" "$@"
|
python3 tox-irc-sync.py "${LARGS[@]}" --irc_connect $ip "${RARGS[@]}" "$@"
|
||||||
DBUG $?
|
DBUG $?
|
||||||
|
|
Loading…
Reference in a new issue