From de42c14e3389152fb7373bf33cabc385d1da5228 Mon Sep 17 00:00:00 2001 From: angelblue05 Date: Fri, 24 Apr 2015 20:57:04 -0500 Subject: [PATCH] HTTPS verification handling By default - no host verification. Option to verify host and add a client side certificate to pair with server certificate. --- resources/lib/DownloadUtils.py | 33 +++++++++++++++++++++------------ resources/lib/UserClient.py | 16 +++++++++++++--- resources/settings.xml | 1 + 3 files changed, 35 insertions(+), 15 deletions(-) diff --git a/resources/lib/DownloadUtils.py b/resources/lib/DownloadUtils.py index 7f6a9f4e..bc86a84a 100644 --- a/resources/lib/DownloadUtils.py +++ b/resources/lib/DownloadUtils.py @@ -58,10 +58,12 @@ class DownloadUtils(): self.token = token self.logMsg("Set token: %s" % token, 2) - def setSSL(self, ssl): + def setSSL(self, ssl, sslclient): # Reserved for UserClient only - self.ssl = ssl - self.logMsg("Set ssl path: %s" % ssl, 2) + self.sslverify = ssl + self.sslclient = sslclient + self.logMsg("Verify SSL host certificate: %s" % ssl, 2) + self.logMsg("SSL client side certificate: %s" % sslclient, 2) def postCapabilities(self, deviceId): @@ -91,20 +93,20 @@ class DownloadUtils(): # User is identified from this point # Attach authenticated header to the session - header = self.getHeader() - cert = None verify = None + cert = None + header = self.getHeader() - # If user has a custom certificate, verify the host certificate too - if (self.ssl != None): - cert = self.ssl + # If user enabled host certificate verification + if self.sslverify: verify = True - + cert = self.sslclient + # Start session self.s = requests.Session() self.s.headers = header - self.s.cert = cert self.s.verify = verify + self.s.cert = cert # Retry connections to the server self.s.mount("http://", requests.adapters.HTTPAdapter(max_retries=1)) self.s.mount("https://", requests.adapters.HTTPAdapter(max_retries=1)) 
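Review bot: In `setSSL` the first parameter is still called `ssl`, although it now carries the boolean verify flag rather than a certificate value. The same mismatch reappears in the UserClient.py hunks, where `self.ssl = self.getSSLverify()` feeds it. Naming it for what it holds keeps the flag from being mistaken for a path or for the stdlib `ssl` module: `def setSSL(self, sslverify, sslclient):` with `self.sslverify = sslverify`. The comment above the assignments could read `# Reserved for UserClient only: host verification flag and client side certificate`.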
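Review bot: The client certificate is assigned only inside `if self.sslverify:`, so a user who configures a certificate but leaves host verification off never presents it, although the commit description lists the two as separate options. Assigning them independently fixes that: `verify = bool(self.sslverify)` and `cert = self.sslclient`, both outside the `if`. With verification off the session is left at `verify = None`, which requests appears to treat as unverified only because the value is falsy. An explicit `False` plus a line such as `self.logMsg("HTTPS host verification is disabled", 1)` would make that state visible, since the authenticated header then travels over a connection whose peer has not been checked. The enclosing method starts above this hunk.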
@@ -173,12 +175,19 @@ class DownloadUtils(): self.logMsg("URL: %s" % url, 1) header = self.getHeader(authenticate=False) + verifyssl = False + + # If user enables ssl verification + try: + verifyssl = self.sslverify + except AttributeError: + pass # Prepare request if type == "GET": - r = requests.get(url, params=postBody, headers=header, timeout=timeout, verify=False) + r = requests.get(url, params=postBody, headers=header, timeout=timeout, verify=verifyssl) elif type == "POST": - r = requests.post(url, params=postBody, headers=header, timeout=timeout, verify=False) + r = requests.post(url, params=postBody, headers=header, timeout=timeout, verify=verifyssl) # Process the response try: diff --git a/resources/lib/UserClient.py b/resources/lib/UserClient.py index d497c34d..31a78f64 100644 --- a/resources/lib/UserClient.py +++ b/resources/lib/UserClient.py @@ -131,8 +131,17 @@ class UserClient(threading.Thread): self.logMsg("No token found.") return "" - def getSSL(self): + def getSSLverify(self): + # Verify host certificate + s_sslverify = self.addon.getSetting('sslverify') + if s_sslverify == "true": + return True + else: + return False + + def getSSL(self): + # Client side certificate s_cert = self.addon.getSetting('sslcert') if s_cert == "None": @@ -165,7 +174,8 @@ class UserClient(threading.Thread): self.currUserId = self.getUserId() self.currServer = self.getServer() self.currToken = self.getToken() - self.ssl = self.getSSL() + self.ssl = self.getSSLverify() + self.sslcert = self.getSSL() # Set to windows property WINDOW.setProperty("currUser", username) @@ -179,7 +189,7 @@ class UserClient(threading.Thread): doUtils.setUserId(self.currUserId) doUtils.setServer(self.currServer) doUtils.setToken(self.currToken) - doUtils.setSSL(self.ssl) + doUtils.setSSL(self.ssl, self.sslcert) # Start DownloadUtils session doUtils.startSession() diff --git a/resources/settings.xml b/resources/settings.xml index 2ab74697..cd5540e3 100644 --- a/resources/settings.xml 
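Review bot: The `try`/`except AttributeError: pass` around `self.sslverify` turns "setSSL was never called" into a silent `verify=False`, so any request made on this path before UserClient calls `setSSL` goes out unverified even when the user enabled the setting. Declaring defaults on the class (`sslverify = False`, `sslclient = None`) removes the need for the exception handler, or at minimum `verifyssl = getattr(self, "sslverify", False)` states the fallback in one line. The `requests.get`/`requests.post` calls here also pass no `cert=`, so a server that requires the client certificate would presumably reject them; `cert=getattr(self, "sslclient", None)` would match the session path. The function body begins and ends outside the hunk.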
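Review bot: `getSSLverify` wraps a comparison in an `if`/`else` that returns `True`/`False`; `return self.addon.getSetting('sslverify') == "true"` is equivalent and shorter. A docstring would help, for example `"""Return True when the 'sslverify' add-on setting is enabled."""`. `getSSL` now returns only the client side certificate, so a name such as `getSSLcert` would pair better with the new method. The body of `getSSL` continues past the hunk.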
+++ b/resources/settings.xml @@ -6,6 +6,7 @@ +