Add certificate validation capability.
This commit is contained in:
parent
f19ae805fc
commit
06a52879a8
|
@ -8,6 +8,12 @@ import ssl
|
||||||
import tempfile
|
import tempfile
|
||||||
import textwrap
|
import textwrap
|
||||||
import urllib.parse
|
import urllib.parse
|
||||||
|
import socks
|
||||||
|
|
||||||
|
timeout = 5
|
||||||
|
|
||||||
|
tor_validation = True
|
||||||
|
accepted_certs = {}
|
||||||
|
|
||||||
caps = mailcap.getcaps()
|
caps = mailcap.getcaps()
|
||||||
menu = []
|
menu = []
|
||||||
|
@ -47,11 +53,72 @@ while True:
|
||||||
# Do the Gemini transaction
|
# Do the Gemini transaction
|
||||||
try:
|
try:
|
||||||
while True:
|
while True:
|
||||||
s = socket.create_connection((parsed_url.netloc, 1965))
|
|
||||||
context = ssl.SSLContext()
|
context = ssl.SSLContext()
|
||||||
context.check_hostname = False
|
context.check_hostname = False
|
||||||
context.verify_mode = ssl.CERT_NONE
|
context.verify_mode = ssl.CERT_NONE
|
||||||
s = context.wrap_socket(s, server_hostname = parsed_url.netloc)
|
|
||||||
|
host = parsed_url.hostname
|
||||||
|
port = parsed_url.port or 1965
|
||||||
|
|
||||||
|
s = socket.create_connection((host, port), timeout)
|
||||||
|
s = context.wrap_socket(s, server_hostname = host)
|
||||||
|
cert = s.getpeercert(True)
|
||||||
|
|
||||||
|
if tor_validation \
|
||||||
|
and (host not in accepted_certs \
|
||||||
|
or accepted_certs[host] != cert):
|
||||||
|
|
||||||
|
# Verify TLS certificate from the vantage point
|
||||||
|
# of a random Tor exit node.
|
||||||
|
print("Validating certificate...")
|
||||||
|
|
||||||
|
# Get certificate via Tor (SOCKS5 @ localhost:9050).
|
||||||
|
# DNS lookup is done over Tor.
|
||||||
|
tor_socket = socks.socksocket()
|
||||||
|
tor_socket.set_proxy(socks.SOCKS5, "127.0.0.1", 9050, rdns=True)
|
||||||
|
tor_socket.settimeout(timeout)
|
||||||
|
tor_connection_successful = True
|
||||||
|
validation_problem_encountered = False
|
||||||
|
try:
|
||||||
|
tor_socket.connect((host, port))
|
||||||
|
except socks.ProxyConnectionError:
|
||||||
|
validation_problem_encountered = True
|
||||||
|
tor_connection_successful = False
|
||||||
|
print("Tor proxy not available on localhost:9050.")
|
||||||
|
print("Certificate validation can't be performed.")
|
||||||
|
print("Continue browsing with validation disabled? [y/N]")
|
||||||
|
if input(">> ").strip().lower() == "y":
|
||||||
|
tor_validation = False
|
||||||
|
else:
|
||||||
|
raise Exception("Connection cancelled.")
|
||||||
|
except socks.GeneralProxyError:
|
||||||
|
validation_problem_encountered = True
|
||||||
|
tor_connection_successful = False
|
||||||
|
print("Tor connection timed out.")
|
||||||
|
print("Certificate validation can't be performed.")
|
||||||
|
print("Continue connection? [y/N]")
|
||||||
|
if input(">> ").strip().lower() != "y":
|
||||||
|
raise Exception("Connection cancelled.")
|
||||||
|
if tor_connection_successful:
|
||||||
|
tor_socket = context.wrap_socket(tor_socket, server_hostname = host)
|
||||||
|
cert_via_tor = tor_socket.getpeercert(True)
|
||||||
|
tor_socket.shutdown(socket.SHUT_RDWR)
|
||||||
|
tor_socket.close()
|
||||||
|
# Compare certs.
|
||||||
|
if cert != cert_via_tor:
|
||||||
|
validation_problem_encountered = True
|
||||||
|
print("[SECURITY WARNING] Certificate validation failed!")
|
||||||
|
print("This MIGHT be a Man-in-the-Middle attack.")
|
||||||
|
print("Continue connection? [y/N]")
|
||||||
|
if input(">> ").strip().lower() != "y":
|
||||||
|
raise Exception("Connection cancelled.")
|
||||||
|
|
||||||
|
accepted_certs[host] = cert
|
||||||
|
|
||||||
|
if not validation_problem_encountered:
|
||||||
|
print("OK")
|
||||||
|
print()
|
||||||
|
|
||||||
s.sendall((url + '\r\n').encode("UTF-8"))
|
s.sendall((url + '\r\n').encode("UTF-8"))
|
||||||
# Get header and check for redirects
|
# Get header and check for redirects
|
||||||
fp = s.makefile("rb")
|
fp = s.makefile("rb")
|
||||||
|
|
Loading…
Reference in New Issue