122 lines
3.7 KiB
Python
122 lines
3.7 KiB
Python
# https://journal.paul.querna.org/articles/2011/04/05/openssl-memory-use/
|
|
# Disable SSL compression to save massive memory and cpu
|
|
|
|
import logging
|
|
import os
|
|
|
|
from Config import config
|
|
|
|
|
|
def openLibrary():
|
|
import ctypes
|
|
import ctypes.util
|
|
try:
|
|
if sys.platform.startswith("win"):
|
|
dll_path = "src/lib/opensslVerify/libeay32.dll"
|
|
elif sys.platform == "cygwin":
|
|
dll_path = "/bin/cygcrypto-1.0.0.dll"
|
|
else:
|
|
dll_path = "/usr/local/ssl/lib/libcrypto.so"
|
|
ssl = ctypes.CDLL(dll_path, ctypes.RTLD_GLOBAL)
|
|
assert ssl
|
|
except:
|
|
dll_path = ctypes.util.find_library('ssl') or ctypes.util.find_library('crypto') or ctypes.util.find_library('libcrypto')
|
|
ssl = ctypes.CDLL(dll_path or 'libeay32', ctypes.RTLD_GLOBAL)
|
|
return ssl
|
|
|
|
|
|
def disableSSLCompression():
|
|
import ctypes
|
|
import ctypes.util
|
|
try:
|
|
openssl = openLibrary()
|
|
openssl.SSL_COMP_get_compression_methods.restype = ctypes.c_void_p
|
|
except Exception, err:
|
|
logging.debug("Disable SSL compression failed: %s (normal on Windows)" % err)
|
|
return False
|
|
|
|
openssl.sk_zero.argtypes = [ctypes.c_void_p]
|
|
openssl.sk_zero(openssl.SSL_COMP_get_compression_methods())
|
|
logging.debug("Disabled SSL compression on %s" % openssl)
|
|
|
|
|
|
if config.disable_sslcompression:
|
|
try:
|
|
disableSSLCompression()
|
|
except Exception, err:
|
|
logging.debug("Error disabling SSL compression: %s" % err)
|
|
|
|
|
|
# https://github.com/gevent/gevent/issues/477
|
|
# Re-add sslwrap to Python 2.7.9
|
|
|
|
__ssl__ = __import__('ssl')
|
|
|
|
try:
|
|
_ssl = __ssl__._ssl
|
|
except AttributeError:
|
|
_ssl = __ssl__._ssl2
|
|
|
|
OldSSLSocket = __ssl__.SSLSocket
|
|
|
|
|
|
class NewSSLSocket(OldSSLSocket):
|
|
# Fix SSLSocket constructor
|
|
|
|
def __init__(
|
|
self, sock, keyfile=None, certfile=None, server_side=False,
|
|
cert_reqs=__ssl__.CERT_REQUIRED, ssl_version=2, ca_certs=None,
|
|
do_handshake_on_connect=True, suppress_ragged_eofs=True, ciphers=None,
|
|
server_hostname=None, _context=None
|
|
):
|
|
OldSSLSocket.__init__(
|
|
self, sock, keyfile=keyfile, certfile=certfile,
|
|
server_side=server_side, cert_reqs=cert_reqs,
|
|
ssl_version=ssl_version, ca_certs=ca_certs,
|
|
do_handshake_on_connect=do_handshake_on_connect,
|
|
suppress_ragged_eofs=suppress_ragged_eofs, ciphers=ciphers
|
|
)
|
|
|
|
|
|
def new_sslwrap(
|
|
sock, server_side=False, keyfile=None, certfile=None,
|
|
cert_reqs=__ssl__.CERT_NONE, ssl_version=__ssl__.PROTOCOL_SSLv23,
|
|
ca_certs=None, ciphers=None
|
|
):
|
|
context = __ssl__.SSLContext(ssl_version)
|
|
context.verify_mode = cert_reqs or __ssl__.CERT_NONE
|
|
if ca_certs:
|
|
context.load_verify_locations(ca_certs)
|
|
if certfile:
|
|
context.load_cert_chain(certfile, keyfile)
|
|
if ciphers:
|
|
context.set_ciphers(ciphers)
|
|
|
|
caller_self = inspect.currentframe().f_back.f_locals['self']
|
|
return context._wrap_socket(sock, server_side=server_side, ssl_sock=caller_self)
|
|
|
|
|
|
# Re-add sslwrap to Python 2.7.9+
|
|
if not hasattr(_ssl, 'sslwrap'):
|
|
import inspect
|
|
_ssl.sslwrap = new_sslwrap
|
|
__ssl__.SSLSocket = NewSSLSocket
|
|
logging.debug("Missing SSLwrap, readded.")
|
|
|
|
|
|
# Add SSLContext to gevent.ssl (Ubuntu 15 fix)
|
|
try:
|
|
import gevent
|
|
if not hasattr(gevent.ssl, "SSLContext"):
|
|
gevent.ssl.SSLContext = __ssl__.SSLContext
|
|
logging.debug("Missing SSLContext, readded.")
|
|
except Exception, err:
|
|
pass
|
|
|
|
# Fix PROTOCOL_SSLv3 not defined
|
|
if "PROTOCOL_SSLv3" not in dir(__ssl__):
|
|
__ssl__.PROTOCOL_SSLv3 = __ssl__.PROTOCOL_SSLv23
|
|
logging.debug("Redirected PROTOCOL_SSLv3 to PROTOCOL_SSLv23.")
|
|
|
|
logging.debug("Python SSL version: %s" % __ssl__.OPENSSL_VERSION)
|