verify_mode ueber config setzbar, ssl context in funktion ausgelagert

2022-07-30 12:09:38 +02:00 · 2022-07-30 12:09:38 +02:00 · 991eeea9f8
parent aed3616cf8
commit 991eeea9f8
2 changed files with 42 additions and 14 deletions
--- a/source/server/apistatusd.conf
+++ b/source/server/apistatusd.conf
@ -19,13 +19,15 @@ key = ./certs/statusd-key.pem

 [client]
 cert = ./certs/statusclient-pub.pem
+# possible values: true, false, may
+required = true

 [api]
 api = ./api
 template = ./api_template

 [mastodon]
-send = true
+send = false
 host = localhost
 token = aaaaa-bbbbb-ccccc-ddddd-eeeee

--- a/source/server/apistatusd.py
+++ b/source/server/apistatusd.py
@ -50,6 +50,36 @@ def print_config(config):
            else:
                logging.debug('  {}: {}'.format(i, config[section][i]))

+def create_ssl_context(config):
+    '''
+    Creates the ssl context.
+    return: context object or None
+    '''
+    context = None
+    requirement = None
+    required = config['client']['required'].lower()
+    if required == 'false':
+        requirement = ssl.CERT_NONE
+    elif required == 'may':
+        requirement = ssl.CERT_OPTIONAL
+    else: requirement = ssl.CERT_REQUIRED
+    try:
+        context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
+        context.verify_mode = requirement
+        context.load_cert_chain(certfile=config['server']['cert'],
+                                keyfile=config['server']['key'])
+        context.load_verify_locations(cafile=config['client']['cert'])
+        # ensure, compression is disabled (disabled by default anyway at the moment)
+        context.options |= ssl.OP_NO_COMPRESSION
+        context.options = ssl.PROTOCOL_TLS_SERVER
+        context.options = ssl.OP_CIPHER_SERVER_PREFERENCE
+        logging.debug('SSL context created')
+    except Exception as e:
+        logging.error('Failed to create SSL context')
+        logging.error('Error: {}'.format(e))
+        return None
+    return context
+
 def print_ciphers(cipherlist):
    '''
    Prints the list of allowed ciphers.
@ -283,7 +313,8 @@ def main():
            'key': './certs/server.key'
        },
        'client': {
-            'cert': './certs/client.crt'
+            'cert': './certs/client.crt',
+            'required': 'true'
        },
        'api': {
            'api': './api',
@ -320,16 +351,11 @@ def main():
        logging.error('Cert check failed\nExit')
        sys.exit(1)

-    context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
-    context.verify_mode = ssl.CERT_OPTIONAL
-    context.load_cert_chain(certfile=config['server']['cert'],
-                            keyfile=config['server']['key'])
-    context.load_verify_locations(cafile=config['client']['cert'])
-    context.options = ssl.OP_CIPHER_SERVER_PREFERENCE
-    # ensure, compression is disabled (disabled by default anyway at the moment)
-    context.options |= ssl.OP_NO_COMPRESSION
-    logging.debug('SSL context created')
-    print_context(context)
+    # ssl context erstellen
+    context = create_ssl_context(config)
+    if context is not None:
+        print_context(context)
+    else: sys.exit(2)

    try:
        # tcp socket öffnen => MySocket
@ -347,7 +373,7 @@ def main():
            except Exception as e:
                logging.error('Unable to bind and listen')
                logging.error('{}'.format(e))
-                sys.exit(1)
+                sys.exit(3)
            # endlos auf verbindungen warten => ClientSocket
            while True:
                ClientSocket, ClientAddress = MySocket.accept()
@ -384,7 +410,7 @@ def main():
                        Connection.close()
    except KeyboardInterrupt:
        logging.info('Keyboard interrupt received')
-        sys.exit(1)
+        sys.exit(255)
    except Exception as e:
        logging.error('{}'.format(e))
    finally: