Module: Rex::Socket::Ssl

Included in:

SslTcpServer

Defined in:

lib/rex/socket/ssl.rb

Overview

This class provides methods for interacting with an SSL wrapped TCP server. It implements the StreamServer IO interface.

Defined Under Namespace

Modules: CertProvider

Constant Summary

DEFAULT_SSL_VERSION =

Default to SSLv23 (automatically negotiate)

:SSLv23

@@cert_provider =

This defines the global certificate provider for all consumers of the mixin Beware that altering this at runtime in one consumer will affect all others Providers must expose at least the class methods given above accepting the same calling convention.

Rex::Socket::Ssl::CertProvider

Instance Attribute Summary

• #sslctx ⇒ Object

  Returns the value of attribute sslctx.

Class Method Summary

• .cert_provider=(val) ⇒ Object
• .ssl_generate_certificate(**opts) ⇒ Object
• .ssl_generate_issuer ⇒ Object
• .ssl_generate_subject ⇒ Object
• .ssl_parse_pem(ssl_cert) ⇒ String, Array

  Parse a certificate in unified PEM format that contains a private key and one or more certificates.

Instance Method Summary

• #allow_nonblock?(sock = self.sock) ⇒ Boolean

  This flag determines whether to use the non-blocking openssl API calls when they are available.

• #makessl(params) ⇒ ::OpenSSL::SSL::SSLContext

  Create a new ssl context.

• #ssl_generate_certificate(**opts) ⇒ Object

  Shim for the ssl_generate_certificate module method.

• #ssl_parse_pem(ssl_cert) ⇒ Object

  Shim for the ssl_parse_pem module method.

Instance Attribute Details

#sslctx ⇒ Object

Returns the value of attribute sslctx.

# File 'lib/rex/socket/ssl.rb', line 173

def sslctx
  @sslctx
end

Class Method Details

.cert_provider=(val) ⇒ Object

# File 'lib/rex/socket/ssl.rb', line 72

def self.cert_provider=(val)
  @@cert_provider = val
end

.ssl_generate_certificate(**opts) ⇒ Object

# File 'lib/rex/socket/ssl.rb', line 96

def self.ssl_generate_certificate(**opts)
  @@cert_provider.ssl_generate_certificate(**opts)
end

.ssl_generate_issuer ⇒ Object

# File 'lib/rex/socket/ssl.rb', line 92

def self.ssl_generate_issuer
  @@cert_provider.ssl_generate_issuer
end

.ssl_generate_subject ⇒ Object

# File 'lib/rex/socket/ssl.rb', line 88

def self.ssl_generate_subject
  @@cert_provider.ssl_generate_subject
end

.ssl_parse_pem(ssl_cert) ⇒ String, Array

Parse a certificate in unified PEM format that contains a private key and one or more certificates. The first certificate is the primary, while any additional certificates are treated as intermediary certificates. This emulates the behavior of web servers like nginx.

Parameters:

• ssl_cert (String)

Returns:

• (String, String, Array)

# File 'lib/rex/socket/ssl.rb', line 84

def self.ssl_parse_pem(ssl_cert)
  Rex::Socket::X509Certificate.parse_pem(ssl_cert)
end

Instance Method Details

#allow_nonblock?(sock = self.sock) ⇒ Boolean

This flag determines whether to use the non-blocking openssl API calls when they are available. This is still buggy on Linux/Mac OS X, but is required on Windows

Returns:

• (Boolean)

# File 'lib/rex/socket/ssl.rb', line 165

def allow_nonblock?(sock=self.sock)
  avail = sock.respond_to?(:accept_nonblock)
  if avail and Rex::Compat.is_windows
    return true
  end
  false
end

#makessl(params) ⇒ ::OpenSSL::SSL::SSLContext

Create a new ssl context. If ssl_cert is not given, generates a new key and a leaf certificate with random values.

Parameters:

• params (Rex::Socket::Parameters)

Returns:

• (::OpenSSL::SSL::SSLContext)

# File 'lib/rex/socket/ssl.rb', line 120

def makessl(params)

  if params.ssl_cert
    key, cert, chain = ssl_parse_pem(params.ssl_cert)
  else
    key, cert, chain = ssl_generate_certificate(cert_vars: {cn: params.ssl_cn})
  end

  version = params&.ssl_version || DEFAULT_SSL_VERSION
  # Raise an error if no selected versions are supported
  unless Rex::Socket::SslTcp.system_ssl_methods.include? version
    raise ArgumentError,
      "This version of Ruby does not support the requested SSL/TLS version #{version}"
  end

  ctx = OpenSSL::SSL::SSLContext.new(version)
  ctx.key = key
  ctx.cert = cert
  ctx.extra_chain_cert = chain
  ctx.options = 0

  if params.ssl_cipher
    ctx.ciphers = params.ssl_cipher
  end

  # Older versions of OpenSSL do not export the OP_NO_COMPRESSION symbol
  if defined?(OpenSSL::SSL::OP_NO_COMPRESSION)
    # enable/disable the SSL/TLS-level compression
    if params.ssl_compression
      ctx.options &= ~OpenSSL::SSL::OP_NO_COMPRESSION
    else
      ctx.options |= OpenSSL::SSL::OP_NO_COMPRESSION
    end
  end

  ctx.session_id_context = Rex::Text.rand_text(16)

  return ctx
end

#ssl_generate_certificate(**opts) ⇒ Object

Shim for the ssl_generate_certificate module method

# File 'lib/rex/socket/ssl.rb', line 110

def ssl_generate_certificate(**opts)
  Rex::Socket::Ssl.ssl_generate_certificate(**opts)
end

#ssl_parse_pem(ssl_cert) ⇒ Object

Shim for the ssl_parse_pem module method

# File 'lib/rex/socket/ssl.rb', line 103

def ssl_parse_pem(ssl_cert)
  Rex::Socket::Ssl.ssl_parse_pem(ssl_cert)
end