startTLS: enabled on server and client, TCP stays as default
This commit is contained in:
parent
d7e577ef04
commit
3eeaeed6dd
19
server.crt
19
server.crt
|
@ -1,19 +0,0 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIDDjCCAfYCCQCi9L0SyIknmTANBgkqhkiG9w0BAQsFADBJMQswCQYDVQQGEwJQ
|
||||
TDETMBEGA1UECAwKU29tZS1TdGF0ZTERMA8GA1UECgwIU3luY3BsYXkxEjAQBgNV
|
||||
BAMMCWxvY2FsaG9zdDAeFw0xOTAyMDMxOTA0MTFaFw0yMTExMjMxOTA0MTFaMEkx
|
||||
CzAJBgNVBAYTAlBMMRMwEQYDVQQIDApTb21lLVN0YXRlMREwDwYDVQQKDAhTeW5j
|
||||
cGxheTESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
|
||||
MIIBCgKCAQEAxdnxzQ2ddPWLBHzHRlc2uGCML6MtPdTW5mOzQbj+jxHqhcJszIo4
|
||||
5/ZoqCX11tgQ69cJphTmg0Pjd89xTiqQBOf/qD3kSycds6j26H4oiIsuvOCaa5LN
|
||||
lE5jAGZQWWRrnAqXJgbnQZgW+2a8bhJGCospRRIK+h48FDazOwEoNHjmPC7DHWrt
|
||||
HlU/BbuzGPLhekKzR7LTD8/32+4g1e2LMMEv22LYrN2cRpZqb8wXYgjsMRc7aqAA
|
||||
NS7x0tspBhBfCigDLd4i+SuKPGkyI118uss7eKx7MDgmQp1vUiTOkKphgT1S/a7m
|
||||
4EJ3xO+75WjIQ4bJPmLbdLWMKOXi2t7PVQIDAQABMA0GCSqGSIb3DQEBCwUAA4IB
|
||||
AQCADrdRY64VpPeM8c9MCn7jXDR0B7xjwoQkiyFvISCRiWZwX8QE2atjZ6jGnuB3
|
||||
LBattjmjHcCNwLEvc5dZT0ioeiAvNdEbcMitYS7d2x3QIQ2n2zpSMp3speAv7mdG
|
||||
YkC/oE7bbORBksjsxLCAOPOrDYijyTwDN0oTkDcuhkdztbO5Frp/5vA/i/U29Sxv
|
||||
ebbJ0JXl8LJKzJqslyRv6sVxsNFH0foX7rwbXzciO4TscHHrFDZwNBhjWYPITJ7J
|
||||
BBgr8Cs9ZbKFQ7+o1bUob7B8n2tKtVxAHfTQfBe68ZlcdTHfFririLjhRDVXSAFw
|
||||
8ZZzQoma7VJ/1l8jcoWhdfOe
|
||||
-----END CERTIFICATE-----
|
46
server.pem
46
server.pem
|
@ -1,46 +0,0 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIDDjCCAfYCCQCi9L0SyIknmTANBgkqhkiG9w0BAQsFADBJMQswCQYDVQQGEwJQ
|
||||
TDETMBEGA1UECAwKU29tZS1TdGF0ZTERMA8GA1UECgwIU3luY3BsYXkxEjAQBgNV
|
||||
BAMMCWxvY2FsaG9zdDAeFw0xOTAyMDMxOTA0MTFaFw0yMTExMjMxOTA0MTFaMEkx
|
||||
CzAJBgNVBAYTAlBMMRMwEQYDVQQIDApTb21lLVN0YXRlMREwDwYDVQQKDAhTeW5j
|
||||
cGxheTESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
|
||||
MIIBCgKCAQEAxdnxzQ2ddPWLBHzHRlc2uGCML6MtPdTW5mOzQbj+jxHqhcJszIo4
|
||||
5/ZoqCX11tgQ69cJphTmg0Pjd89xTiqQBOf/qD3kSycds6j26H4oiIsuvOCaa5LN
|
||||
lE5jAGZQWWRrnAqXJgbnQZgW+2a8bhJGCospRRIK+h48FDazOwEoNHjmPC7DHWrt
|
||||
HlU/BbuzGPLhekKzR7LTD8/32+4g1e2LMMEv22LYrN2cRpZqb8wXYgjsMRc7aqAA
|
||||
NS7x0tspBhBfCigDLd4i+SuKPGkyI118uss7eKx7MDgmQp1vUiTOkKphgT1S/a7m
|
||||
4EJ3xO+75WjIQ4bJPmLbdLWMKOXi2t7PVQIDAQABMA0GCSqGSIb3DQEBCwUAA4IB
|
||||
AQCADrdRY64VpPeM8c9MCn7jXDR0B7xjwoQkiyFvISCRiWZwX8QE2atjZ6jGnuB3
|
||||
LBattjmjHcCNwLEvc5dZT0ioeiAvNdEbcMitYS7d2x3QIQ2n2zpSMp3speAv7mdG
|
||||
YkC/oE7bbORBksjsxLCAOPOrDYijyTwDN0oTkDcuhkdztbO5Frp/5vA/i/U29Sxv
|
||||
ebbJ0JXl8LJKzJqslyRv6sVxsNFH0foX7rwbXzciO4TscHHrFDZwNBhjWYPITJ7J
|
||||
BBgr8Cs9ZbKFQ7+o1bUob7B8n2tKtVxAHfTQfBe68ZlcdTHfFririLjhRDVXSAFw
|
||||
8ZZzQoma7VJ/1l8jcoWhdfOe
|
||||
-----END CERTIFICATE-----
|
||||
-----BEGIN RSA PRIVATE KEY-----
|
||||
MIIEowIBAAKCAQEAxdnxzQ2ddPWLBHzHRlc2uGCML6MtPdTW5mOzQbj+jxHqhcJs
|
||||
zIo45/ZoqCX11tgQ69cJphTmg0Pjd89xTiqQBOf/qD3kSycds6j26H4oiIsuvOCa
|
||||
a5LNlE5jAGZQWWRrnAqXJgbnQZgW+2a8bhJGCospRRIK+h48FDazOwEoNHjmPC7D
|
||||
HWrtHlU/BbuzGPLhekKzR7LTD8/32+4g1e2LMMEv22LYrN2cRpZqb8wXYgjsMRc7
|
||||
aqAANS7x0tspBhBfCigDLd4i+SuKPGkyI118uss7eKx7MDgmQp1vUiTOkKphgT1S
|
||||
/a7m4EJ3xO+75WjIQ4bJPmLbdLWMKOXi2t7PVQIDAQABAoIBAFz8ZlE58eOzNyff
|
||||
wQRFHvmenqQQ68Vgj7Nt7iSYXkM9Z1yAGQQ0fjQ+scc9OAJGQAWnZeiBcCkHMhPw
|
||||
Ec9r343+v0AB/pZ3htUWNxzjlgc+arPoV4rxTt9By/O3IlIxCQYoUAtWOT+xzDNR
|
||||
gIO24OY5qybEKRaOOSxC3Q+BJrUpvIMEf93w7YQQ5SqulcmSYsIK25t+ACdXAlkX
|
||||
KpvszojDU+qfUH7Uz8/yvFcbZ8LeDdrv1Wcedx15VUIcrU+D9DBYK1NOFW2vuPJT
|
||||
DJZOQFXMTxg6kSED0O8a4Z3VhaPEBiGdN4KOIkC1tUj8i+BM441Jg4nme8OLX/Vm
|
||||
NGftpm0CgYEA93w8P6gp1wnO7R56FdRoL9nhfgoMQroqNMqHdoGlWPFZNDqtvbFW
|
||||
vjhg1v98T8mBvQMsfLruUuDDykacOdDyHRAbPQ+gICUjRXDFgu+GhHcIRn3dcZli
|
||||
cSRka/JsuqCuTFnIoa981IYEllAQTZ+3w+qR8d+BkoR7K55v5aRxNCsCgYEAzKiM
|
||||
8u1W3d6/E6EgaiSVOuCwOB85zbQH1t1s6wQoD34u+CEKyW3/WCkZuNMlE6J8luwt
|
||||
HfXilFq9ZfAdyxN/DhHIygulbIbGwtzYFI6rEmU3zL1bX27ZWStjuDUyWf3zX4T2
|
||||
9vlBf9CwJWeotaKl+Or2aeGAiNP5830WIpikyn8CgYEA8AjjNqqXyiWNOZaxurKF
|
||||
SsP8XQ7JzX5aqVE2Cc683INZjbrMAIwcIer0ohKyM4CyAO0vHNsBhAjUXUAXDkyG
|
||||
R4HzqUmaeRMMHrG+H7zJr3jz4cr6GNA4FpzBeaFrq6dk5lC+s3NNk6NYl6GX7nHW
|
||||
/oJogzvQpJcyD6Bfz0+rLHkCgYBr0uFvm1uIyTIiRWGuileVDYvKBamOlqsKqN4Z
|
||||
c7cncnOMhtwIA8vjxsOmfJesII9DdGrQvhsBzky6yCbqNvtZjkUbLceZxegyAehV
|
||||
7FR0/J7JX3okbWJVeGaxRlWg1ArE6Gi09d1sWaZ0Doj0KR0IZ8IrRoNRk1y8y8o9
|
||||
r+4iQQKBgDyuv6nz4xV3GrW6ohVcCRg8R4yZmb65A4guxZIwMh3nbf+rHWO3RTxd
|
||||
LMiCLSW3Py2xsxiMa5ICEm75Hke8+KHwRBL7SK1eqaFrdhzvTALQp0IfBu1/t7bR
|
||||
5bJVa6EL55eNA0LcOZqX36rDYzpzZjaf46XNzshZ/p0X7NryEhNl
|
||||
-----END RSA PRIVATE KEY-----
|
|
@ -714,11 +714,11 @@ class SyncplayClient(object):
|
|||
if '[' in host:
|
||||
host = host.strip('[]')
|
||||
port = int(port)
|
||||
with open('server.crt') as cert_file:
|
||||
with open('cert/server.crt') as cert_file:
|
||||
trust_root = Certificate.loadPEM(cert_file.read())
|
||||
self._wrapped = HostnameEndpoint(reactor, host, port)
|
||||
self._contextFactory = optionsForClientTLS(hostname=host, trustRoot=trust_root)
|
||||
self._endpoint = wrapClientTLS(self._contextFactory, self._wrapped)
|
||||
self._endpoint = HostnameEndpoint(reactor, host, port)
|
||||
self.protocolFactory.options = optionsForClientTLS(hostname=host, trustRoot = trust_root)
|
||||
|
||||
|
||||
def retry(retries):
|
||||
self._lastGlobalUpdate = None
|
||||
|
|
|
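Review bot: The new wiring `self._endpoint = HostnameEndpoint(reactor, host, port)` plus `self.protocolFactory.options = optionsForClientTLS(hostname=host, trustRoot = trust_root)` turns TLS from a property of the transport into an optional upgrade negotiated later over a cleartext socket, and nothing in this hunk lets the user insist on it; consider recording that choice on the factory, e.g. `self.protocolFactory.requireTLS = True`, so the protocol can refuse to continue in plaintext when the upgrade does not happen. `optionsForClientTLS(hostname=host, ...)` checks the server certificate's name against whatever the user typed as the host, and the certificate this commit deletes from the repository root has a subject CN that decodes to `localhost`, so if `cert/server.crt` is the same certificate the pinned trust root would presumably only verify for a host of `localhost`. `open('cert/server.crt')` is also resolved against the current working directory and an absent file raises `FileNotFoundError` with no handling, taking the whole connect path down instead of reporting a missing certificate. The enclosing method starts before this hunk.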
@ -77,15 +77,10 @@ class SyncClientProtocol(JSONCommandProtocol):
|
|||
|
||||
def connectionMade(self):
|
||||
self._client.initProtocol(self)
|
||||
if self._client._clientSupportsTLS:
|
||||
if self._client._serverSupportsTLS:
|
||||
self.sendTLS({"startTLS": "send"})
|
||||
self._client.ui.showMessage(getMessage("startTLS-initiated"))
|
||||
else:
|
||||
self._client.ui.showErrorMessage(getMessage("startTLS-not-supported-server"))
|
||||
self.sendHello()
|
||||
if self._client._serverSupportsTLS:
|
||||
self.sendTLS({"startTLS": "send"})
|
||||
self._client.ui.showMessage("Attempting secure connection")
|
||||
else:
|
||||
self._client.ui.showMessage(getMessage("startTLS-not-supported-client"))
|
||||
self.sendHello()
|
||||
|
||||
def connectionLost(self, reason):
|
||||
|
@ -320,6 +315,7 @@ class SyncClientProtocol(JSONCommandProtocol):
|
|||
|
||||
def handleError(self, error):
|
||||
if "startTLS" in error["message"] and not self.logged:
|
||||
self._client.ui.showErrorMessage("This server does not support TLS")
|
||||
self._client._serverSupportsTLS = False
|
||||
else:
|
||||
self.dropWithError(error["message"])
|
||||
|
@ -332,25 +328,10 @@ class SyncClientProtocol(JSONCommandProtocol):
|
|||
|
||||
def handleTLS(self, message):
|
||||
answer = message["startTLS"] if "startTLS" in message else None
|
||||
if "true" in answer and not self.logged and self._client.protocolFactory.options is not None:
|
||||
if "true" in answer and not self.logged:
|
||||
self.transport.startTLS(self._client.protocolFactory.options)
|
||||
elif "false" in answer:
|
||||
self._client.ui.showErrorMessage(getMessage("startTLS-not-supported-server"))
|
||||
self.sendHello()
|
||||
|
||||
def handshakeCompleted(self):
|
||||
self._serverCertificateTLS = self.transport.getPeerCertificate()
|
||||
self._subjectTLS = self._serverCertificateTLS.get_subject().CN
|
||||
self._issuerTLS = self._serverCertificateTLS.get_issuer().CN
|
||||
self._expiredTLS =self._serverCertificateTLS.has_expired()
|
||||
self._expireDateTLS = self._serverCertificateTLS.get_notAfter()
|
||||
|
||||
self._encryptedConnectionTLS = self.transport.protocol._tlsConnection
|
||||
self._connVersionTLS = self._encryptedConnectionTLS.get_protocol_version_name()
|
||||
self._cipherNameTLS = self._encryptedConnectionTLS.get_cipher_name()
|
||||
|
||||
self._client.ui.showMessage(getMessage("startTLS-secure-connection-ok").format(self._connVersionTLS))
|
||||
|
||||
self._client.ui.showMessage("Secure connection established")
|
||||
self.sendHello()
|
||||
|
||||
class SyncServerProtocol(JSONCommandProtocol):
|
||||
def __init__(self, factory):
|
||||
|
@ -657,12 +638,9 @@ class SyncServerProtocol(JSONCommandProtocol):
|
|||
|
||||
def handleTLS(self, message):
|
||||
inquiry = message["startTLS"] if "startTLS" in message else None
|
||||
if "send" in inquiry:
|
||||
if not self.isLogged() and self._factory.options is not None:
|
||||
self.sendTLS({"startTLS": "true"})
|
||||
self.transport.startTLS(self._factory.options)
|
||||
else:
|
||||
self.sendTLS({"startTLS": "false"})
|
||||
if "send" in inquiry and not self.isLogged():
|
||||
self.sendTLS({"startTLS": "true"})
|
||||
self.transport.startTLS(self._factory.options)
|
||||
|
||||
|
||||
class PingService(object):
|
||||
|
|
|
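Review bot: In the client `handleTLS`, the fallback to cleartext is taken on the server's say-so: the `elif "false" in answer:` branch and the `"startTLS" in error["message"]` branch of `handleError` both end in `self.sendHello()` on the un-upgraded transport, and the reply that triggers them is unauthenticated, so anyone who can inject into the TCP stream can strip the upgrade by answering `{"startTLS": "false"}` or an error mentioning startTLS before the handshake. That fallback should be gated on an explicit client preference rather than happening automatically, e.g. `if self._client._requireTLS: self.dropWithError(...)` ahead of the plaintext `sendHello()`, and the same applies to the plain `sendHello()` in `connectionMade` when `_serverSupportsTLS` is false. Separately, `answer = message["startTLS"] if "startTLS" in message else None` followed by `if "true" in answer` raises `TypeError` when the key is absent, and the substring test also accepts values such as `"untrue"`; checking for `None` and comparing `answer == "true"` / `answer == "false"` avoids both. The server-side `handleTLS` hunk has the same `"send" in inquiry` pattern on a possibly `None` inquiry.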
@ -15,14 +15,14 @@ except AttributeError:
|
|||
|
||||
from OpenSSL import crypto
|
||||
from twisted.internet import reactor, ssl
|
||||
from twisted.internet.endpoints import SSL4ServerEndpoint
|
||||
from twisted.internet.endpoints import TCP4ServerEndpoint, TCP6ServerEndpoint
|
||||
|
||||
from syncplay.server import SyncFactory, ConfigurationGetter
|
||||
|
||||
with open('server.pem') as f:
|
||||
with open('cert/server.pem') as f:
|
||||
certData = f.read()
|
||||
|
||||
certificate = ssl.PrivateCertificate.loadPEM(certData).options()
|
||||
cert = ssl.PrivateCertificate.loadPEM(certData).options()
|
||||
|
||||
if __name__ == '__main__':
|
||||
argsGetter = ConfigurationGetter()
|
||||
|
@ -39,8 +39,9 @@ if __name__ == '__main__':
|
|||
args.max_username_length,
|
||||
args.stats_db_file
|
||||
)
|
||||
endpoint4 = SSL4ServerEndpoint(reactor, int(args.port), certificate, interface='0.0.0.0')
|
||||
factory.options = cert
|
||||
endpoint4 = TCP4ServerEndpoint(reactor, int(args.port))
|
||||
endpoint4.listen(factory)
|
||||
endpoint6 = SSL4ServerEndpoint(reactor, int(args.port), certificate, interface='::')
|
||||
endpoint6 = TCP6ServerEndpoint(reactor, int(args.port))
|
||||
endpoint6.listen(factory)
|
||||
reactor.run()
|
||||
|
|
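Review bot: This commit deletes `server.pem`, which held an RSA private key alongside the certificate, from the repository root while the server now reads `cert/server.pem`; if that is the same key pair moved into `cert/`, it has already been published in the repository history and should be regenerated rather than reused, with `cert/` kept out of version control. The `with open('cert/server.pem') as f:` at module level runs at import time, relative to the current working directory, and an absent file aborts the whole server with an unhandled `FileNotFoundError` before `ConfigurationGetter()` ever runs; taking the path from the configuration and failing with a clear message would be friendlier. With `TCP4ServerEndpoint` / `TCP6ServerEndpoint` replacing the SSL endpoints, the server accepts every client in cleartext and upgrades only on request, so an operator has no way to require TLS; a flag that makes the server refuse a hello received before `startTLS` would preserve the old guarantee for deployments that want it.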