twisted / txaws

Twisted-based Asynchronous Libraries for Amazon Web Services and clouds that support the AWS APIs
MIT License

AWSServiceEndpoint defaults to not verifying server certificates #24

Closed exarkun closed 7 years ago

exarkun commented 7 years ago

Given

$ openssl x509 -in server.pem -noout -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 1 (0x1)
    Signature Algorithm: md5WithRSAEncryption
        Issuer: OU=example, O=example, CN=example.com, ST=example, C=US/emailAddress=example@example.com, L=example
        Validity
            Not Before: Feb 12 00:31:39 2014 GMT
            Not After : Feb 12 00:31:39 2015 GMT
        Subject: OU=example, O=example, CN=example.com, ST=example, C=US/emailAddress=example@example.com, L=example
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:a9:11:6a:12:1c:16:9d:15:e3:84:18:a4:ef:6e:
                    7b:b9:a3:64:d6:d9:60:f0:02:f1:c6:a8:40:2d:63:
                    52:02:f8:d8:24:f8:d0:f7:28:3a:26:56:2e:04:64:
                    f9:0c:3a:3f:b3:e8:27:33:bf:4f:8b:9f:2b:4a:a8:
                    3d:42:66:d6:31:2b:0d:15:b2:f5:e5:a5:18:b1:34:
                    82:b3:c4:08:cf:a3:c4:57:cb:5f:12:4b:29:d3:ed:
                    bb:03:00:f0:8a:7b:d8:93:22:ac:53:79:63:f2:53:
                    05:93:91:de:3e:5a:fe:66:d8:e6:d7:11:aa:07:df:
                    2b:19:b8:41:07:a0:9e:18:81
                Exponent: 65537 (0x10001)
    Signature Algorithm: md5WithRSAEncryption
         58:03:4f:a6:9f:7c:e6:75:cc:a0:8c:07:96:c4:8c:9b:c8:a3:
         92:4e:d7:41:4d:e8:8a:80:98:0d:c3:3a:a4:b4:fe:9a:f0:43:
         7b:59:99:73:c9:94:96:b5:b2:66:8f:e5:4f:a1:c5:e3:84:87:
         21:9d:33:0a:03:d8:c1:3a:56:57:a0:b4:2b:ef:e4:2a:56:01:
         11:16:77:6a:3a:f3:19:fe:40:09:f5:13:37:29:39:3f:cd:42:
         eb:c9:9c:f5:f4:3b:96:1a:b5:8a:e3:4a:cd:58:7c:6f:be:3a:
         67:8b:9f:9f:a8:88:d5:5c:a0:9f:23:90:d6:16:7f:94:e5:f9:
         e9:30

and

$ twistd -n web --port ssl:12345:certKey=server.pem
2017-01-09T08:01:57-0500 [twisted.scripts._twistd_unix.UnixAppLogger#info] twistd 16.4.1 (/usr/bin/python 2.7.12) starting up.
2017-01-09T08:01:57-0500 [twisted.scripts._twistd_unix.UnixAppLogger#info] reactor class: twisted.internet.epollreactor.EPollReactor.
2017-01-09T08:01:57-0500 [-] Site (TLS) starting on 12345
2017-01-09T08:01:57-0500 [twisted.web.server.Site#info] Starting factory <twisted.web.server.Site instance at 0x7f3476497cb0>

This txaws-based program:

$ cat testit.py 
from __future__ import print_function

from txaws.client.base import BaseQuery
from txaws.service import AWSServiceEndpoint

from twisted.internet.task import react

def main(reactor):
    endpoint = AWSServiceEndpoint(ssl_hostname_verification=True)
    q = BaseQuery(action=b"GET", endpoint=endpoint, reactor=reactor)
    d = q.get_page(b"https://localhost:12345/")
    d.addCallback(print)
    return d

react(main, [])

produces this result:

$ python testit.py 

            <html>
            <head><title>Twisted Web Demo</title><head>
            <body>
            Hello! This is a Twisted Web test page.
            </body>
            </html>

There is no way the default for txAWS HTTPS requests should be to silently allow communication with a TLS server using such a certificate (self-signed, expired, mismatching hostname).
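The three properties named above can be read straight off the certificate dump. This added example is not part of the original issue or of txAWS; its function names are hypothetical, and it is a simplified model of the checks a verifying TLS client applies, run over a constructed excerpt of the `openssl x509 -text` output shown earlier:

```python
import re
from datetime import datetime

# Constructed sample: only the fields of the issue's `openssl x509 -text`
# output that the checks read (key and signature bytes left out).
CERT_TEXT = """\
        Version: 1 (0x0)
        Issuer: OU=example, O=example, CN=example.com, ST=example, C=US/emailAddress=example@example.com, L=example
        Validity
            Not Before: Feb 12 00:31:39 2014 GMT
            Not After : Feb 12 00:31:39 2015 GMT
        Subject: OU=example, O=example, CN=example.com, ST=example, C=US/emailAddress=example@example.com, L=example
"""


def _field(text, label):
    """Return the value of a 'Label: value' line from the openssl text dump."""
    m = re.search(r"^\s*%s\s*:\s*(.+?)\s*$" % re.escape(label), text, re.M)
    if m is None:
        raise ValueError("missing field: " + label)
    return m.group(1)


def _when(text, label):
    """Parse a validity timestamp as printed by openssl (always GMT)."""
    return datetime.strptime(_field(text, label), "%b %d %H:%M:%S %Y GMT")


def verification_failures(text, hostname, now):
    """List why a verifying client would reject the certificate (now is UTC)."""
    failures = []
    subject = _field(text, "Subject")
    # Simplification: issuer == subject means no CA vouches for the certificate;
    # real verification builds a chain to a trust store instead.
    if _field(text, "Issuer") == subject:
        failures.append("self-signed")
    if now < _when(text, "Not Before"):
        failures.append("not yet valid")
    elif now > _when(text, "Not After"):
        failures.append("expired")
    # A version 1 certificate has no subjectAltName, so CN is the only name.
    # Wildcard names are not handled in this sketch.
    cn = re.search(r"CN\s*=\s*([^,/]+)", subject)
    if cn is None or cn.group(1).strip().lower() != hostname.lower():
        failures.append("hostname mismatch")
    return failures


if __name__ == "__main__":
    # 2017-01-09 13:01:57 UTC is the start time in the issue's twistd log.
    print(verification_failures(CERT_TEXT, "localhost", datetime(2017, 1, 9, 13, 1, 57)))
```
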