Files @ c01402cc810c
Branch filter:

Location: C3L-NOC/tls-expiry-tracker/backend/generic_handler.py

c01402cc810c 2.4 KiB text/x-python Show Annotation Show as Raw Download as Raw
x
feat: web is now https, which is a special case of tls
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
from abc import ABC, abstractmethod
import ssl
from tls_utils import TLSDetails, EXPIRED, REVOKED, SELF_SIGNED, ROOT_NOT_TRUSTED

class GenericHandler(ABC):
    def __init__(self, host: str, port: int, context: ssl.SSLContext):
        self.host = host
        self.port = port
        self.context = context

    @abstractmethod
    def connect(self, verification: bool) -> int:
        raise NotImplementedError()

    @staticmethod
    def create_handler(protocol: str):
        import sslh, mail
        if protocol == "smtp":
            return mail.SMTPHandler
        elif protocol == "imap":
            return mail.IMAPHandler
        elif protocol == "ssl" or protocol == "tls" or protocol == "https":
            return sslh.SSLHandler
        else:
            raise ValueError("Invalid protocol")

class Verificator:
    def __init__(self, context: ssl.SSLContext):
        self.context = context
    def connect(self, domain: str, port: int, protocol: str) -> TLSDetails:
        handler = GenericHandler.create_handler(protocol)(domain, port, self.context)
        try:
            notAfter = handler.connect(True)
            return TLSDetails(domain_name=domain, expiry_timestamp_utc=notAfter)
        except ssl.SSLCertVerificationError as e:
            if e.verify_code == EXPIRED:
                notAfter = handler.connect(False)
                return TLSDetails(domain_name=domain, expiry_timestamp_utc=notAfter)
            elif e.verify_code == REVOKED:
                # This never happens, as we do not have any CRLs or OCSP set up :(
                # It's a massive pain and I'm not sure it's worth the considerable extra code
                # Maybe look into MetLife/OCSPChecker but idk
                return TLSDetails(domain_name=domain, error_message="was revoked.")
            elif e.verify_code == SELF_SIGNED:
                return TLSDetails(domain_name=domain, error_message="is self-signed.")
            elif e.verify_code == ROOT_NOT_TRUSTED:
                return TLSDetails(domain_name=domain, error_message="invalid: root not trusted.")
            else:
                return TLSDetails(domain_name=domain, error_message="failed verification: " + e.verify_message)
        except ssl.SSLError as e:
            return TLSDetails(domain_name=domain, error_message="could not establish a secure connection: " + e.reason)
        except Exception as e:
            return TLSDetails(domain_name=domain, error_message="could not connect: " + str(e))
Server instance: saturn-271468 This site is powered by Kallithea, which is © 2010–2021 by various authors & licensed under GPLv3. – Support