--- /dev/null
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
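Review bot: The RSA private key on line 2 is committed to the repository next to its certificate, so every installation that ships this file serves TLS with the same key, and anyone who downloads the plugin can extract it and decrypt or impersonate any such web interface. A key checked into source has to be treated as public; generate the key pair on the device at install or first start instead (the server code in this change reads `/etc/enigma2/server.pem`, so presumably that is where this file is installed — worth confirming) and keep only a generation step, not the key, in the tree. If this key has been deployed on a real box, replace it there as well.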
config.plugins.Webinterface.version = ConfigText(__version__) # used to make the versioninfo accessible enigma2-wide, not confgurable in GUI.
config.plugins.Webinterface.interfacecount = ConfigInteger(0)
config.plugins.Webinterface.interfaces = ConfigSubList()
+config.plugins.Webinterface.warningsslsend = ConfigYesNo(default = False)
def addInterfaceConfig():
config.plugins.Webinterface.interfaces[i].adress = ConfigSelection(choices,default=choices[0])
config.plugins.Webinterface.interfaces[i].port = ConfigInteger(80, (0,65535))
config.plugins.Webinterface.interfaces[i].useauth = ConfigYesNo(default = False)
+ config.plugins.Webinterface.interfaces[i].usessl = ConfigYesNo(default = False)
config.plugins.Webinterface.interfacecount.value = i+1
return i
config.plugins.Webinterface.interfaces[0].adress = ConfigSelection(getCofiguredAndSpecialNetworkinterfaces(),default='0.0.0.0')
config.plugins.Webinterface.interfaces[0].port = ConfigInteger(80, (0,65535))
config.plugins.Webinterface.interfaces[0].useauth = ConfigYesNo(default = False)
+ config.plugins.Webinterface.interfaces[0].usessl = ConfigYesNo(default = False)
config.plugins.Webinterface.interfacecount.value = 1
config.plugins.Webinterface.interfacecount.save()
config.plugins.Webinterface.interfaces[0].save()
from twisted.cred import checkers, credentials, error
from zope.interface import Interface, implements
from socket import gethostname as socket_gethostname
+from OpenSSL import SSL
+from twisted.internet import reactor, defer, ssl
+
DEBUG_TO_FILE=False # PLEASE DONT ENABLE LOGGING BY DEFAULT (OR COMMIT TO PLUGIN CVS)
DEBUGFILE= "/tmp/twisted.log"
for i in range(0, config.plugins.Webinterface.interfacecount.value):
c = config.plugins.Webinterface.interfaces[i]
if c.disabled.value is False:
- startServerInstance(session,c.adress.value,c.port.value,c.useauth.value)
+ startServerInstance(session,c.adress.value,c.port.value,c.useauth.value,c.usessl.value)
else:
print "[Webinterface] not starting disabled interface on %s:%i"%(c.adress.value,c.port.value)
-def startServerInstance(session,ipadress,port,useauth=False):
+def startServerInstance(session,ipadress,port,useauth=False,usessl=False):
try:
toplevel = Toplevel(session)
if useauth:
else:
site = server.Site(toplevel)
try:
- d = reactor.listenTCP(port, channel.HTTPFactory(site),interface=ipadress)
+ #########
+ if usessl:
+ ctx = ssl.DefaultOpenSSLContextFactory('/etc/enigma2/server.pem','/etc/enigma2/cacert.pem',sslmethod=SSL.SSLv23_METHOD)
+ d = reactor.listenSSL(port, channel.HTTPFactory(site),ctx,interface=ipadress)
+ else:
+ d = reactor.listenTCP(port, channel.HTTPFactory(site),interface=ipadress)
running_defered.append(d)
- print "[Webinterface] started on %s:%i"%(ipadress,port),"auth=",useauth
+ print "[Webinterface] started on %s:%i"%(ipadress,port),"auth=",useauth,"ssl=",usessl
except CannotListenError, e:
print "[Webinterface] Could not Listen on %s:%i!"%(ipadress,port)
session.open(MessageBox,'Could not Listen on %s:%i!\n\n%s'%(ipadress,port,str(e)), MessageBox.TYPE_ERROR)
- except Exception,e:
+# except Exception,e:
+ except CannotListenError,e:
print "[Webinterface] starting FAILED on %s:%i!"%(ipadress,port),e
session.open(MessageBox,'starting FAILED on %s:%i!\n\n%s'%(ipadress,port,str(e)), MessageBox.TYPE_ERROR)
return rv
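Review bot: The context on line 48 is built with `sslmethod=SSL.SSLv23_METHOD` and no options set, so the server will still negotiate SSLv2 and SSLv3 with any client that asks; add `ctx.getContext().set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3)` directly after the factory is created (if the pyOpenSSL in use lacks `OP_NO_SSLv3`, at least `OP_NO_SSLv2`). Separately, replacing the outer `except Exception` with a second `except CannotListenError` (lines 59-60) makes that handler effectively unreachable, since the inner try on lines 44-57 already consumes CannotListenError; any other failure, such as a missing or unreadable `/etc/enigma2/server.pem` when `usessl` is set, now propagates out of startServerInstance uncaught instead of reaching the MessageBox. Keeping the broad handler, or catching `(IOError, SSL.Error)` there, restores the user-visible error. The `if useauth:` branch and the assignment of the returned `rv` are outside the visible hunk lines.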
+#### stuff for SSL Support
+def makeSSLContext(myKey,trustedCA):
+ '''Returns an ssl Context Object
+ @param myKey a pem formated key and certifcate with for my current host
+ the other end of this connection must have the cert from the CA
+ that signed this key
+ @param trustedCA a pem formated certificat from a CA you trust
+ you will only allow connections from clients signed by this CA
+ and you will only allow connections to a server signed by this CA
+ '''
+
+ # our goal in here is to make a SSLContext object to pass to connectSSL
+ # or listenSSL
+
+ # Why these functioins... Not sure...
+ fd = open(myKey,'r')
+ ss = fd.read()
+ theCert = ssl.PrivateCertificate.loadPEM(ss)
+ fd.close()
+ fd = open(trustedCA,'r')
+ theCA = ssl.Certificate.loadPEM(fd.read())
+ fd.close()
+ #ctx = theCert.options(theCA)
+ ctx = theCert.options()
+
+ # Now the options you can set look like Standard OpenSSL Library options
+
+ # The SSL protocol to use, one of SSLv23_METHOD, SSLv2_METHOD,
+ # SSLv3_METHOD, TLSv1_METHOD. Defaults to TLSv1_METHOD.
+ ctx.method = ssl.SSL.TLSv1_METHOD
+
+ # If True, verify certificates received from the peer and fail
+ # the handshake if verification fails. Otherwise, allow anonymous
+ # sessions and sessions with certificates which fail validation.
+ ctx.verify = True
+
+ # Depth in certificate chain down to which to verify.
+ ctx.verifyDepth = 1
+
+ # If True, do not allow anonymous sessions.
+ ctx.requireCertification = True
+
+ # If True, do not re-verify the certificate on session resumption.
+ ctx.verifyOnce = True
+
+ # If True, generate a new key whenever ephemeral DH parameters are used
+ # to prevent small subgroup attacks.
+ ctx.enableSingleUseKeys = True
+
+ # If True, set a session ID on each context. This allows a shortened
+ # handshake to be used when a known client reconnects.
+ ctx.enableSessions = True
+
+ # If True, enable various non-spec protocol fixes for broken
+ # SSL implementations.
+ ctx.fixBrokenPeers = False
+
+ return ctx
+
+
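Review bot: makeSSLContext reads `trustedCA` into `theCA` on line 84 but line 87 calls `theCert.options()` with no CA, so the resulting context has no trust root and `ctx.verify = True` on line 98 has nothing to validate peer certificates against; the intended call is the commented-out `ctx = theCert.options(theCA)` on line 86. Line 104 assigns `ctx.requireCertification`, which is not a CertificateOptions attribute (the flag is `requireCertificate`), so it silently creates an unused attribute and anonymous sessions are not rejected as the comment above it claims; change it to `ctx.requireCertificate = True`. Nothing in this diff calls makeSSLContext — startServerInstance builds its context with DefaultOpenSSLContextFactory instead — so as committed this is dead code carrying a second, diverging TLS configuration; either wire it in or drop it. The two open/read/close sequences would also be safer as `with open(...) as fd:` blocks so the handles are closed if `loadPEM` raises.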