forked from pymodbus-dev/pymodbus
Add server requiring client's cert in TLS handshake feature
This patch adds the server requiring client's certificate feature, which is mentioned in the 6th step CertificateRequest to the 9th step VerifyClientCertSig in Table 5 TLS Full Handshake Protocol of the MODBUS/TCP Security Protocol Specification [1]. This patch implements the feature within both the sync and async_io versions.

* Server side: Add an optional argument "reqclicert" to StartTlsServer(). So, users can force the server to require the client's certificate for the TLS full handshake, or leave it to the SSL Context's original behavior [2].

* Client side: Add optional arguments "certfile" and "keyfile" for replying, if the server requires the client's certificate for the TLS full handshake.

Besides, also add an optional argument "password" on both the server and client side for decrypting the private keyfile.

This fixes part of pymodbus-dev#606

[1]: http://modbus.org/docs/MB-TCP-Security-v21_2018-07-24.pdf
[2]: https://docs.python.org/3/library/ssl.html#ssl.SSLContext.verify_mode
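The two sides of the feature described in the commit message (a server switch that turns CertificateRequest on, and a client that answers it with its own certificate, key and key password), shown with the standard `ssl` module as an added example. This is not pymodbus code: `server_context`, `client_context`, `context_summary`, `loopback_handshake` and the `server.pem`/`client.pem`/`ca.pem` paths are this example's own assumptions, not the project's API.

```python
"""Mutual-TLS contexts for a Modbus/TCP Security endpoint, standard ssl only.

Added example; not pymodbus code.  Function and parameter names below are the
example's own assumptions, not the project's API.
"""
import socket
import ssl
import threading


def server_context(certfile=None, keyfile=None, password=None, cafile=None,
                   reqclicert=False):
    """Server side of the handshake.

    reqclicert=False keeps the ssl default for a server context, CERT_NONE:
    no CertificateRequest is sent and any client is accepted (the weak setting).
    reqclicert=True sets CERT_REQUIRED: the server sends CertificateRequest and
    aborts the handshake unless the client presents a certificate chaining to
    cafile.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # spec floor is TLS 1.2
    if certfile:
        ctx.load_cert_chain(certfile, keyfile, password)
    if cafile:
        ctx.load_verify_locations(cafile)           # trust anchor for client certs
    ctx.verify_mode = ssl.CERT_REQUIRED if reqclicert else ssl.CERT_NONE
    return ctx


def client_context(cafile=None, certfile=None, keyfile=None, password=None):
    """Client side.  PROTOCOL_TLS_CLIENT already enables CERT_REQUIRED and
    hostname checking; the server cert is verified against cafile, or the
    platform store when cafile is None.  keyfile may be None when the private
    key is bundled in certfile; password decrypts an encrypted key."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if cafile:
        ctx.load_verify_locations(cafile)
    else:
        ctx.load_default_certs()
    if certfile:
        ctx.load_cert_chain(certfile, keyfile, password)
    return ctx


def context_summary(ctx):
    """Plain-value view of the settings that matter when reviewing a context."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "minimum_version": ctx.minimum_version.name,
    }


def loopback_handshake(srv_ctx, cli_ctx, server_hostname):
    """Run one handshake over 127.0.0.1 and report both sides' outcome.

    The server writes one byte after a successful handshake and the client
    reads it: under TLS 1.3 the client's handshake can complete before the
    server has evaluated the client certificate, so a rejection only surfaces
    on that first read.
    """
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    outcome = {}

    def serve():
        conn, _ = listener.accept()
        try:
            with srv_ctx.wrap_socket(conn, server_side=True) as tls:
                peer = tls.getpeercert() or {}      # None when no client cert
                outcome["peer_subject"] = dict(rdn[0] for rdn in peer.get("subject", ()))
                tls.sendall(b"\x01")
                outcome["server_ok"] = True
        except OSError as exc:                      # SSLError is an OSError
            outcome["server_ok"] = False
            outcome["server_error"] = str(exc)

    worker = threading.Thread(target=serve)
    worker.start()
    try:
        with socket.create_connection(("127.0.0.1", port)) as raw:
            with cli_ctx.wrap_socket(raw, server_hostname=server_hostname) as tls:
                outcome["client_ok"] = tls.recv(1) == b"\x01"
                outcome["version"] = tls.version()
    except OSError as exc:
        outcome["client_ok"] = False
        outcome["client_error"] = str(exc)
    worker.join()
    listener.close()
    return outcome


if __name__ == "__main__":
    # Assumed files (not from the page): ca.pem signed server.pem and client.pem,
    # each PEM holding certificate plus private key, server cert CN "localhost".
    srv = server_context("server.pem", cafile="ca.pem", reqclicert=True)
    print(loopback_handshake(srv, client_context("ca.pem"), "localhost"))  # no client cert: rejected
    print(loopback_handshake(srv, client_context("ca.pem", "client.pem"), "localhost"))
```

With `reqclicert=True` the first run fails on both sides (the server reports a missing peer certificate, the client's first read gets the alert) and the second succeeds with the client's subject recorded on the server; with `reqclicert=False` both runs succeed, which is why the default is the weak setting for a server that is supposed to authenticate its peers.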
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,35 @@ | ||
""" | ||
TLS helper for Modbus TLS Client | ||
------------------------------------------ | ||
""" | ||
import ssl | ||
|
||
def sslctx_provider(sslctx=None, certfile=None, keyfile=None, password=None): | ||
""" Provide the SSLContext for ModbusTlsClient | ||
If the user defined SSLContext is not passed in, sslctx_provider will | ||
produce a default one. | ||
:param sslctx: The user defined SSLContext to use for TLS (default None and | ||
auto create) | ||
:param certfile: The optional client's cert file path for TLS server request | ||
:param keyfile: The optional client's key file path for TLS server request | ||
:param password: The password for for decrypting client's private key file | ||
""" | ||
if sslctx is None: | ||
sslctx = ssl.SSLContext(ssl.PROTOCOL_TLS) | ||
# According to MODBUS/TCP Security Protocol Specification, it is | ||
# TLSv2 at least | ||
sslctx.options |= ssl.OP_NO_TLSv1_1 | ||
sslctx.options |= ssl.OP_NO_TLSv1 | ||
sslctx.options |= ssl.OP_NO_SSLv3 | ||
sslctx.options |= ssl.OP_NO_SSLv2 | ||
sslctx.verify_mode = ssl.CERT_REQUIRED | ||
sslctx.check_hostname = True | ||
|
||
if certfile and keyfile: | ||
sslctx.load_cert_chain(certfile=certfile, keyfile=keyfile, | ||
password=password) | ||
|
||
return sslctx |
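Review bot: the auto-created context never loads any CA certificates, so with `sslctx.verify_mode = ssl.CERT_REQUIRED` and `sslctx.check_hostname = True` a caller that does not pass its own `sslctx` can never verify a server certificate and every handshake will fail; call `sslctx.load_default_certs()` (or take a `cafile` argument and call `sslctx.load_verify_locations(cafile)`) before the `return sslctx`, or document that callers must supply a context. Two smaller points in the same hunk: the comment `# TLSv2 at least` should say TLSv1.2, which is what the four `OP_NO_*` lines leave enabled and what the specification requires; and the `if certfile and keyfile:` guard silently ignores a `certfile` passed without a `keyfile`, although `load_cert_chain` accepts a cert file with the key appended, so `if certfile:` is the safer test (the docstring also repeats "for for").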