Open TheTechromancer opened 2 months ago
Per Claude, example of using custom-compiled openssl version with python:
Install build dependencies:
sudo apt-get update
sudo apt-get install build-essential checkinstall zlib1g-dev
Download and compile custom OpenSSL:
wget https://www.openssl.org/source/openssl-1.1.1u.tar.gz
tar xvf openssl-1.1.1u.tar.gz
cd openssl-1.1.1u
./config --prefix=/opt/custom-openssl enable-ssl2 enable-ssl3 enable-weak-ssl-ciphers
make
sudo make install
Set up a virtual environment:
pip install virtualenv
virtualenv --python=$(which python3) venv
source venv/bin/activate
Install required packages:
pip install requests[security] pyopenssl
Create your Python script (e.g., security_scanner.py
):
import os
# Set environment variables for custom OpenSSL
os.environ['LD_LIBRARY_PATH'] = '/opt/custom-openssl/lib:' + os.environ.get('LD_LIBRARY_PATH', '')
os.environ['PYTHONPATH'] = '/opt/custom-openssl/lib:' + os.environ.get('PYTHONPATH', '')
os.environ['OPENSSL_CONF'] = '/opt/custom-openssl/ssl/openssl.cnf'
import requests
from OpenSSL import SSL
from requests.adapters import HTTPAdapter
from requests.packages.urllib3.util.ssl_ import create_urllib3_context
class CustomSSLContextAdapter(HTTPAdapter):
def init_poolmanager(self, *args, **kwargs):
context = create_urllib3_context()
context.set_ciphers('ALL:@SECLEVEL=0') # Use all available ciphers
context.options |= 0x4 # SSL.OP_LEGACY_SERVER_CONNECT
kwargs['ssl_context'] = context
return super(CustomSSLContextAdapter, self).init_poolmanager(*args, **kwargs)
def make_request(url):
session = requests.Session()
adapter = CustomSSLContextAdapter()
session.mount('https://', adapter)
try:
response = session.get(url, verify=False)
print(f"Status Code: {response.status_code}")
print(f"Content: {response.text[:100]}...")
except requests.exceptions.RequestException as e:
print(f"An error occurred: {e}")
if __name__ == "__main__":
make_request('https://example.com')
python security_scanner.py
These steps will:
Currently, httpx works on older SSL versions, but our builtin request helper doesn't:
Supporting older, insecure protocols and ciphers is really important, since this is where the worst vulns are likely to be.