Module: Rex::Socket::Ssl

Included in:
SslTcpServer
Defined in:
lib/rex/socket/ssl.rb

Overview

This module provides methods for interacting with an SSL-wrapped TCP server. It implements the StreamServer IO interface.

Defined Under Namespace

Modules: CertProvider

Constant Summary

@@cert_provider = Rex::Socket::Ssl::CertProvider

This defines the global certificate provider for all consumers of the mixin. Beware that altering this at runtime in one consumer will affect all others. Providers must expose at least the class methods listed under Class Method Details (ssl_generate_subject, ssl_generate_issuer, ssl_generate_certificate), accepting the same calling convention.

Instance Attribute Details

#sslctx ⇒ Object

Returns the value of attribute sslctx.

# File 'lib/rex/socket/ssl.rb', line 163

def sslctx
  @sslctx
end

Class Method Details

.cert_provider=(val) ⇒ Object

# File 'lib/rex/socket/ssl.rb', line 69

def self.cert_provider=(val)
  @@cert_provider = val
end

.ssl_generate_certificate ⇒ Object

# File 'lib/rex/socket/ssl.rb', line 93

def self.ssl_generate_certificate
  @@cert_provider.ssl_generate_certificate
end

.ssl_generate_issuer ⇒ Object

# File 'lib/rex/socket/ssl.rb', line 89

def self.ssl_generate_issuer
  @@cert_provider.ssl_generate_issuer
end

.ssl_generate_subject ⇒ Object

# File 'lib/rex/socket/ssl.rb', line 85

def self.ssl_generate_subject
  @@cert_provider.ssl_generate_subject
end

.ssl_parse_pem(ssl_cert) ⇒ String, Array

Parse a certificate in unified PEM format that contains a private key and one or more certificates. The first certificate is the primary, while any additional certificates are treated as intermediary certificates. This emulates the behavior of web servers like nginx.

Parameters:

  • ssl_cert (String)

Returns:

  • (String, String, Array)

# File 'lib/rex/socket/ssl.rb', line 81

def self.ssl_parse_pem(ssl_cert)
  Rex::Socket::X509Certificate.parse_pem(ssl_cert)
end

Instance Method Details

#allow_nonblock?(sock = self.sock) ⇒ Boolean

This flag determines whether to use the non-blocking OpenSSL API calls when they are available. This is still buggy on Linux/Mac OS X, but is required on Windows.

Returns:

  • (Boolean)

# File 'lib/rex/socket/ssl.rb', line 155

def allow_nonblock?(sock=self.sock)
  avail = sock.respond_to?(:accept_nonblock)
  if avail and Rex::Compat.is_windows
    return true
  end
  false
end

#makessl(params) ⇒ ::OpenSSL::SSL::SSLContext

Create a new SSL context. If params.ssl_cert is not given, generates a new key and a leaf certificate with random values.

Returns:

  • (::OpenSSL::SSL::SSLContext)

# File 'lib/rex/socket/ssl.rb', line 117

def makessl(params)

  if params.ssl_cert
    key, cert, chain = ssl_parse_pem(params.ssl_cert)
  else
    key, cert, chain = ssl_generate_certificate
  end

  ctx = OpenSSL::SSL::SSLContext.new()
  ctx.key = key
  ctx.cert = cert
  ctx.extra_chain_cert = chain
  # Clears every option bit, including any defaults the context was created
  # with; only OP_NO_COMPRESSION is (conditionally) set again below
  ctx.options = 0

  if params.ssl_cipher
    ctx.ciphers = params.ssl_cipher
  end

  # Older versions of OpenSSL do not export the OP_NO_COMPRESSION symbol
  if defined?(OpenSSL::SSL::OP_NO_COMPRESSION)
    # enable/disable the SSL/TLS-level compression
    if params.ssl_compression
      ctx.options &= ~OpenSSL::SSL::OP_NO_COMPRESSION
    else
      ctx.options |= OpenSSL::SSL::OP_NO_COMPRESSION
    end
  end

  ctx.session_id_context = Rex::Text.rand_text(16)

  return ctx
end
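The unified-PEM rule described for ssl_parse_pem (first certificate is the leaf, the rest are treated as the chain) and the context construction in makessl, shown together in an added Ruby example that is not part of Rex or Metasploit. It builds its own constructed three-tier PKI (root, intermediate, leaf), splits the bundle with a regex, verifies that the key matches the leaf and that the chain builds to the root, and then assembles an SSLContext. All names (mint_cert, build_demo_pki, DEMO, parse_unified_pem, bundle_consistent?, context_from_bundle) are this example's own; it does not claim to reproduce Rex::Socket::X509Certificate.parse_pem exactly, and unlike makessl it keeps the context's default option bits and only adds OP_NO_COMPRESSION.

```ruby
require 'openssl'

# Helper (constructed for this example): mint an X.509v3 certificate.
# With no issuer_cert the certificate is self-signed.
def mint_cert(cn, key, serial, ca:, issuer_cert: nil, issuer_key: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509v3, needed for the basicConstraints extension
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Constructed demo PKI: root -> intermediate -> leaf. The bundle is what an
# operator would hand an nginx-style server: leaf key, leaf cert, then the
# intermediate. The root is left out on purpose; it belongs in trust stores.
def build_demo_pki
  root_key = OpenSSL::PKey::RSA.new(2048)
  int_key  = OpenSSL::PKey::RSA.new(2048)
  leaf_key = OpenSSL::PKey::RSA.new(2048)
  root = mint_cert('Example Root (constructed)', root_key, 1, ca: true)
  int  = mint_cert('Example Intermediate (constructed)', int_key, 2, ca: true,
                   issuer_cert: root, issuer_key: root_key)
  leaf = mint_cert('leaf.example', leaf_key, 3, ca: false,
                   issuer_cert: int, issuer_key: int_key)
  { root: root, intermediate: int, leaf: leaf, key: leaf_key,
    bundle: leaf_key.to_pem + leaf.to_pem + int.to_pem }
end

DEMO = build_demo_pki

PEM_BLOCK = /-----BEGIN ([A-Z ]+)-----.*?-----END \1-----/m

# Split a unified PEM into [key, primary_cert, intermediates]. The first
# certificate found is the leaf; every later one is chain material.
def parse_unified_pem(pem)
  key = nil
  certs = []
  pem.scan(PEM_BLOCK) do
    block, label = $~[0], $~[1]
    if label.end_with?('PRIVATE KEY')
      raise ArgumentError, 'bundle contains more than one private key' if key
      key = OpenSSL::PKey.read(block)
    elsif label == 'CERTIFICATE'
      certs << OpenSSL::X509::Certificate.new(block)
    end
  end
  raise ArgumentError, 'no private key in bundle' if key.nil?
  raise ArgumentError, 'no certificate in bundle' if certs.empty?
  [key, certs.first, certs[1..]]
end

# Checks worth running before serving: the key must belong to the leaf and
# the presented chain must build to a trusted root.
def bundle_consistent?(key, cert, chain, trusted_root)
  return false unless cert.check_private_key(key)
  store = OpenSSL::X509::Store.new
  store.add_cert(trusted_root)
  store.verify(cert, chain)
end

# Assemble a context like makessl does, but without resetting options to 0:
# TLS-level compression is disabled unless explicitly requested.
def context_from_bundle(pem, ssl_compression: false)
  key, cert, chain = parse_unified_pem(pem)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.key = key
  ctx.cert = cert
  ctx.extra_chain_cert = chain
  ctx.options |= OpenSSL::SSL::OP_NO_COMPRESSION unless ssl_compression
  ctx.session_id_context = OpenSSL::Random.random_bytes(16)
  ctx
end
```

Running the file defines DEMO with a freshly generated bundle; `parse_unified_pem(DEMO[:bundle])` yields the leaf key, the leaf certificate and a one-element chain holding the intermediate, and `bundle_consistent?` fails if the bundle's key and leaf are swapped or the intermediate is missing.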

#ssl_generate_certificate ⇒ Object

Shim for the ssl_generate_certificate module method.

# File 'lib/rex/socket/ssl.rb', line 107

def ssl_generate_certificate
  Rex::Socket::Ssl.ssl_generate_certificate
end

#ssl_parse_pem(ssl_cert) ⇒ Object

Shim for the ssl_parse_pem module method.

# File 'lib/rex/socket/ssl.rb', line 100

def ssl_parse_pem(ssl_cert)
  Rex::Socket::Ssl.ssl_parse_pem(ssl_cert)
end