[zorp] missing constants and methods in pssl.py
David Yerger
dyerger at stcservices.com
Sun Feb 17 22:38:30 CET 2008
I am now trying to create an HTTPS proxy for Outlook Web Access with Zorp GPL 3.1.12.
1. It looks like some of the constants are named differently from the ones in the Zorp GPL tutorial at http://www.balabit.hu/network-security/zorp-gateway/gpl/tutorial/; for example, the example in section 5.6 mentions PSSL_VERIFY_NONE and PSSL_VERIFY_REQUIRED_TRUSTED, but the code in the included Pssl.py v. 1.28 says
SSL_VERIFY_NONE = 0
SSL_VERIFY_OPTIONAL = 1
SSL_VERIFY_REQUIRED_UNTRUSTED = 2
SSL_VERIFY_REQUIRED_TRUSTED = 3
(without the "P")
2. It looks like some of the methods and constants mentioned in the Zorp Gateway v3.1 SSL tutorial PDF aren't there; for example:
Methods:
server_ssl_method
server_disable_proto
server_ssl_cipher
Constants:
PSSL_METHOD_SSLV23 Permit the use of SSLv2 and v3.
PSSL_METHOD_SSLV2 Permit the use of SSLv2 exclusively.
PSSL_METHOD_SSLV3 Permit the use of SSLv3 exclusively.
PSSL_METHOD_TLSV1 Permit the use of TLSv1 exclusively.
PSSL_METHOD_ALL Permit the use of all the supported (SSLv2, SSLv3, and
TLSv1) protocols.
Is this because these are only defined in the Pssl module for Zorp Pro?
3. Using a policy.py containing
from Zorp.Core import *
from Zorp.Http import *
from Zorp.Plug import *
from Zorp.Pssl import *

def Zhttps():
    Service("INhttps", INhttps,
            router=DirectedRouter(SockAddrInet("10.0.0.9", 80)))
    Listener(SockAddrInet("aaa.bbb.ccc.ddd", 50443), "INhttps")

class StrongPsslProxy(PsslProxy):
    def config(self):
        PsslProxy.config(self)
        # docs say PSSL_VERIFY_NONE
        self.client_verify_type = SSL_VERIFY_NONE
        self.server_ca_directory = "/etc/ssl/certs/"
        # PDF docs want more here -
        #self.server_ssl_method = PSSL_METHOD_TLSV1
        #self.server_disable_proto = TRUE
        #self.server_ssl_cipher = PSSL_CIPHERS_HIGH

class INhttps(StrongPsslProxy):
    def config(self):
        StrongPsslProxy.config(self)
        self.server_need_ssl = FALSE
        self.server_keypair_files = ("/etc/ssl/certs/owa.crt",
                                     "/etc/ssl/private/owa.key")
        self.stack_proxy = (Z_STACK_PROXY, OWAHttpProxy)
        # wild guess on my part, maybe this will help
        self.client_need_ssl = TRUE

class OWAHttpProxy(HttpProxy):
    def config(self):
        HttpProxy.config(self)
        self.request_header["Front-End-Https"] = (HTTP_HDR_INSERT, "on")
I'm seeing in my logs stuff like

Feb 17 16:09:49 localhost zorp/Zhttps[5552]: (svc/INhttps:0): Starting proxy instance; client_fd='15', client_address='AF_INET(aaa.bbb.ccc.def:3139)', client_zone='Zone(inter, 0.0.0.0/0)', client_local='AF_INET(aaa.bbb.ccc.ddd:443)', client_protocol='TCP'
Feb 17 16:09:49 localhost zorp/Zhttps[5552]: (svc/INhttps:0/pssl): Server connection established; server_fd='18', server_address='AF_INET(10.0.0.9:80)', server_zone='Zone(intra, 10.0.0.0/24)', server_local='AF_INET(10.0.0.69:55718)', server_protocol='TCP'
Feb 17 16:09:49 localhost zorp/Zhttps[5552]: (svc/INhttps:0/pssl): SSL handshake failed on the client side; error='error:1408A0C1:SSL routines:lib(20):SSL3_GET_CLIENT_HELLO:func(138):no shared cipher:reason(193)'
Here 10.0.0.0 is the local network, aaa.bbb.ccc.ddd is my public IP, and aaa.bbb.ccc.def is the gateway address of my Snapgear (which my internal test client masquerades as).
Looks like the protocol is defaulting to TCP instead of something sane
like TLSV1, but I can't set it anywhere I can see. Is this disabled on
purpose or is there something I can do to fix it?
Thanks in advance!
David Yerger
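Added example (not part of the original post, and not Zorp's own code): a small Python decoder for the OpenSSL error string Zorp logs above. OpenSSL 0.9.x packs an error as (lib << 24) | (func << 12) | reason, so 0x1408A0C1 splits into lib 20 (ERR_LIB_SSL), func 138 (SSL3_GET_CLIENT_HELLO) and reason 193 (no shared cipher), matching the lib()/func()/reason() fields OpenSSL prints in the text. The three sample lines are the ones from the post, re-joined onto single lines; the symbolic-name tables cover only the values that appear there. The hint text encodes the usual reading of this error: "no shared cipher" raised while the accepting side processes the ClientHello means that side could offer no suite from the client's list, and in SSLv3/TLSv1 every default suite needs a server certificate, so the certificate and key configured for the side named in the message (here the client side, where Zorp is the TLS server) are the first thing to check. The message's "client_protocol='TCP'" is the transport layer and is unrelated to the SSL method.

```python
import re

# OpenSSL 0.9.x/1.0.x packs an error code as (lib << 24) | (func << 12) | reason;
# the "error:1408A0C1:..." text in the log is that number in hex.
_LIB_SHIFT, _FUNC_SHIFT = 24, 12
_LIB_MASK, _FUNC_MASK, _REASON_MASK = 0xFF, 0xFFF, 0xFFF

# Symbolic names for the values the log above contains (OpenSSL err.h / ssl.h).
LIB_NAMES = {20: "ERR_LIB_SSL"}
SSL_FUNC_NAMES = {138: "SSL_F_SSL3_GET_CLIENT_HELLO"}
SSL_REASON_NAMES = {193: "SSL_R_NO_SHARED_CIPHER"}

# Zorp log prefix: "<syslog ts> <host> zorp/<instance>[<pid>]: (<session>): <message>"
_LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<host>\S+)\s+zorp/(?P<instance>[^\[]+)\[(?P<pid>\d+)\]:\s+"
    r"\((?P<session>[^)]*)\):\s+(?P<msg>.*)$"
)
_SSL_FAIL_RE = re.compile(
    r"SSL handshake failed on the (?P<side>client|server) side;\s+"
    r"error='error:(?P<code>[0-9A-Fa-f]{8}):(?P<text>[^']*)'"
)

# Sample input: the three log lines quoted in the post, joined onto single lines.
SAMPLE_LOG = [
    "Feb 17 16:09:49 localhost zorp/Zhttps[5552]: (svc/INhttps:0): Starting proxy instance; "
    "client_fd='15', client_address='AF_INET(aaa.bbb.ccc.def:3139)', client_zone='Zone(inter, 0.0.0.0/0)', "
    "client_local='AF_INET(aaa.bbb.ccc.ddd:443)', client_protocol='TCP'",
    "Feb 17 16:09:49 localhost zorp/Zhttps[5552]: (svc/INhttps:0/pssl): Server connection established; "
    "server_fd='18', server_address='AF_INET(10.0.0.9:80)', server_zone='Zone(intra, 10.0.0.0/24)', "
    "server_local='AF_INET(10.0.0.69:55718)', server_protocol='TCP'",
    "Feb 17 16:09:49 localhost zorp/Zhttps[5552]: (svc/INhttps:0/pssl): SSL handshake failed on the client side; "
    "error='error:1408A0C1:SSL routines:lib(20):SSL3_GET_CLIENT_HELLO:func(138):no shared cipher:reason(193)'",
]


def decode_openssl_error(code):
    """Split a packed OpenSSL error code into its library, function and reason parts."""
    lib = (code >> _LIB_SHIFT) & _LIB_MASK
    func = (code >> _FUNC_SHIFT) & _FUNC_MASK
    reason = code & _REASON_MASK
    is_ssl = lib == 20
    return {
        "lib": lib, "lib_name": LIB_NAMES.get(lib, "?"),
        "func": func, "func_name": SSL_FUNC_NAMES.get(func, "?") if is_ssl else "?",
        "reason": reason, "reason_name": SSL_REASON_NAMES.get(reason, "?") if is_ssl else "?",
    }


def text_fields_consistent(err, text):
    """Cross-check the lib()/func()/reason() numbers OpenSSL prints against the packed code."""
    found = {k: int(v) for k, v in re.findall(r"(lib|func|reason)\((\d+)\)", text)}
    return found == {"lib": err["lib"], "func": err["func"], "reason": err["reason"]}


def parse_zorp_line(line):
    """Parse one Zorp log line; attach a decoded error if it reports a failed SSL handshake."""
    m = _LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    fail = _SSL_FAIL_RE.search(rec["msg"])
    if fail:
        rec["ssl_side"] = fail.group("side")  # which leg of the proxy failed
        rec["ssl_error"] = decode_openssl_error(int(fail.group("code"), 16))
        rec["ssl_error_text"] = fail.group("text")
    return rec


def diagnose(lines):
    """Return one hint per failed handshake found in the given log lines."""
    hints = []
    for line in lines:
        rec = parse_zorp_line(line)
        if not rec or "ssl_error" not in rec:
            continue
        err, side = rec["ssl_error"], rec["ssl_side"]
        where = "%s (%s)" % (rec["session"], side)
        if err["lib"] == 20 and err["reason"] == 193:
            # Zorp is the TLS server towards the client and the TLS client towards the
            # server. "No shared cipher" while reading the ClientHello means the accepting
            # side had no usable suite; in SSLv3/TLSv1 every default suite needs a server
            # certificate, so the keypair loaded for the named side is the first suspect.
            hints.append("%s: %s at %s; check the certificate/key loaded for the %s side "
                         "and the cipher lists on both ends"
                         % (where, err["reason_name"], err["func_name"], side))
        else:
            hints.append("%s: %s/%s (reason %d)"
                         % (where, err["lib_name"], err["reason_name"], err["reason"]))
    return hints


if __name__ == "__main__":
    for hint in diagnose(SAMPLE_LOG):
        print(hint)
```

Run it against the log excerpt of a failing proxy instance; the hint names the session and which leg (client or server side of Zorp) failed, which is what decides whether the client_* or server_* SSL attributes of the proxy are the ones to look at.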