[zorp] missing constants and methods in pssl.py

David Yerger dyerger at stcservices.com
Sun Feb 17 22:38:30 CET 2008


Now trying to create an https proxy for Outlook Web Access with Zorp GPL
3.1.12.

1. It looks like some of the constants are named differently than the
Zorp GPL tutorial at
http://www.balabit.hu/network-security/zorp-gateway/gpl/tutorial/, for
example it mentions PSSL_VERIFY_NONE and PSSL_VERIFY_REQUIRED_TRUSTED in
the example in section 5.6, but the code for the included Pssl.py v.
1.28 says

SSL_VERIFY_NONE               = 0
SSL_VERIFY_OPTIONAL           = 1
SSL_VERIFY_REQUIRED_UNTRUSTED = 2
SSL_VERIFY_REQUIRED_TRUSTED   = 3

(without the "P")

2.  Looks like some methods and constants mentioned in the Zorp Gateway
v3.1 SSL tutorial PDF aren't there, for example

Methods:
server_ssl_method
server_disable_proto
server_ssl_cipher

Constants:

PSSL_METHOD_SSLV23 Permit the use of SSLv2 and v3.
PSSL_METHOD_SSLV2 Permit the use of SSLv2 exclusively.
PSSL_METHOD_SSLV3 Permit the use of SSLv3 exclusively.
PSSL_METHOD_TLSV1 Permit the use of TLSv1 exclusively.
PSSL_METHOD_ALL Permit the use of all the supported (SSLv2, SSLv3, and
TLSv1) protocols.

Is this because these are only defined in the Pssl module for Zorp Pro?

3.  Using a policy.py containing

from Zorp.Core import *
from Zorp.Http import *
from Zorp.Plug import *
from Zorp.Pssl import *

def Zhttps():
    Service("INhttps", INhttps,
            router=DirectedRouter(SockAddrInet("10.0.0.9", 80)))
    Listener(SockAddrInet("aaa.bbb.ccc.ddd", 50443), "INhttps")

class StrongPsslProxy(PsslProxy):
    def config(self):
        PsslProxy.config(self)
        # docs say PSSL_VERIFY_NONE
        self.client_verify_type = SSL_VERIFY_NONE
        self.server_ca_directory = "/etc/ssl/certs/"
        # PDF docs want more here -
        # self.server_ssl_method = PSSL_METHOD_TLSV1
        # self.server_disable_proto = TRUE
        # self.server_ssl_cipher = PSSL_CIPHERS_HIGH

class INhttps(StrongPsslProxy):
    def config(self):
        StrongPsslProxy.config(self)
        self.server_need_ssl = FALSE
        self.server_keypair_files = ("/etc/ssl/certs/owa.crt", "/etc/ssl/private/owa.key")
        self.stack_proxy = (Z_STACK_PROXY, OWAHttpProxy)
        # wild guess on my part, maybe this will help
        self.client_need_ssl = TRUE

class OWAHttpProxy(HttpProxy):
    def config(self):
        HttpProxy.config(self)
        self.request_header["Front-End-Https"] = (HTTP_HDR_INSERT, "on")


I'm seeing in my logs stuff like

Feb 17 16:09:49 localhost zorp/Zhttps[5552]: (svc/INhttps:0): Starting
proxy instance; client_fd='15',
client_address='AF_INET(aaa.bbb.ccc.def:3139)', client_zone='Zone(inter,
0.0.0.0/0)', client_local='AF_INET(aaa.bbb.ccc.ddd:443)',
client_protocol='TCP'
Feb 17 16:09:49 localhost zorp/Zhttps[5552]: (svc/INhttps:0/pssl):
Server connection established; server_fd='18',
server_address='AF_INET(10.0.0.9:80)', server_zone='Zone(intra,
10.0.0.0/24)', server_local='AF_INET(10.0.0.69:55718)',
server_protocol='TCP'
Feb 17 16:09:49 localhost zorp/Zhttps[5552]: (svc/INhttps:0/pssl): SSL
handshake failed on the client side; error='error:1408A0C1:SSL
routines:lib(20):SSL3_GET_CLIENT_HELLO:func(138):no shared
cipher:reason(193)'

Where 10.0.0.0 is the local network, aaa.bbb.ccc.ddd is my public IP,
and aaa.bbb.ccc.def is the gateway address of my Snapgear (which my
internal test client masquerades as.)

Looks like the protocol is defaulting to TCP instead of something sane
like TLSV1, but I can't set it anywhere I can see.  Is this disabled on
purpose or is there something I can do to fix it?

Thanks in advance!

David Yerger
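A small log-triage helper, added here as an example and not part of the original post or of Zorp itself: it parses Zorp's key='value' log lines, groups them by proxy session, and decodes the packed OpenSSL error code behind the "no shared cipher" failure so the failing leg (client-facing or server-facing) and the reason can be reported per session. The sample lines are the three quoted above, reconstructed with the e-mail line wrapping removed; the regexes assume the log format shown in the post.

```python
import re
from collections import defaultdict

# Constructed sample: the three log lines from the post with the e-mail wrapping undone.
SAMPLE_LOG = """\
Feb 17 16:09:49 localhost zorp/Zhttps[5552]: (svc/INhttps:0): Starting proxy instance; client_fd='15', client_address='AF_INET(aaa.bbb.ccc.def:3139)', client_zone='Zone(inter, 0.0.0.0/0)', client_local='AF_INET(aaa.bbb.ccc.ddd:443)', client_protocol='TCP'
Feb 17 16:09:49 localhost zorp/Zhttps[5552]: (svc/INhttps:0/pssl): Server connection established; server_fd='18', server_address='AF_INET(10.0.0.9:80)', server_zone='Zone(intra, 10.0.0.0/24)', server_local='AF_INET(10.0.0.69:55718)', server_protocol='TCP'
Feb 17 16:09:49 localhost zorp/Zhttps[5552]: (svc/INhttps:0/pssl): SSL handshake failed on the client side; error='error:1408A0C1:SSL routines:lib(20):SSL3_GET_CLIENT_HELLO:func(138):no shared cipher:reason(193)'
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) zorp/(?P<instance>[^\[]+)"
                     r"\[(?P<pid>\d+)\]: \((?P<session>[^)]+)\): (?P<msg>[^;]*?)(?:; (?P<fields>.*))?$")
FIELD_RE = re.compile(r"(\w+)='([^']*)'")  # Zorp's key='value' pairs; values may hold commas

def parse_line(line):
    """One Zorp syslog line -> header, session id, module, message, key='value' fields."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = rec.pop("session").split("/")  # "svc/INhttps:0/pssl" -> session id + module
    rec["session"], rec["module"] = "/".join(parts[:2]), "/".join(parts[2:])
    rec["fields"] = dict(FIELD_RE.findall(rec["fields"] or ""))
    return rec

def decode_openssl_error(err):
    """Decode 'error:1408A0C1:SSL routines:...:no shared cipher:...'. Pre-OpenSSL-3 packed
    code: library in the top 8 bits, function in the next 12, reason in the low 12."""
    parts = err.split(":")
    code = int(parts[1], 16)
    names = [p for p in parts[2:] if not re.fullmatch(r"(lib|func|reason)\(\d+\)", p)]
    lib_name, func_name, reason_text = (names + [""] * 3)[:3]
    return {"code": code, "lib": code >> 24, "func": (code >> 12) & 0xFFF, "reason": code & 0xFFF,
            "lib_name": lib_name, "func_name": func_name, "reason_text": reason_text}

def handshake_failures(log_text):
    """Per proxy session: which leg (client- or server-facing) failed its TLS handshake, and why."""
    sessions = defaultdict(list)
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        sessions[rec["session"]].append(rec)
    report = []
    for sid, recs in sessions.items():
        start = recs[0]["fields"]  # the "Starting proxy instance" record carries the peer addresses
        for r in recs:
            if r["msg"].startswith("SSL handshake failed"):
                report.append({"session": sid, "client": start.get("client_address"),
                               "local": start.get("client_local"),
                               "side": "client" if "client side" in r["msg"] else "server",
                               **decode_openssl_error(r["fields"]["error"])})
    return report
```

Because the numeric lib/func/reason fields are recomputed from the hex code, a mismatch against the text parts would flag a truncated or hand-edited error string.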


