Python Forum

How to perform an SSL renegotiation
Hello,


I tried to determine whether a website is vulnerable to SSL client renegotiation.
I have two constraints for that:
1) Create a script with Python 2.7
2) Only use modules from the standard library

So what I've done is create a first SSL/TLS connection with a website. For that, I used the ssl library. It works.
But there is no renegotiation() function. So, to perform the renegotiation, I just try to change the cipher that I want to use and try to do a handshake with the do_handshake() function, but that doesn't work. I tried it on amazon.fr (which refuses SSL client renegotiation), but my script doesn't get an error during execution.

Here is my code :

# encoding=utf-8

import socket
import ssl

hostname = 'amazon.fr'
port = 443

context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
# SSL version: here TLSv1.2
context.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 | ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
try:
    context.set_ciphers('ECDHE-RSA-AES128-SHA')  # the cipher suite that we want to use
except Exception as excep:
    print "Exception : ", excep

s_ = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s = context.wrap_socket(s_, server_hostname=hostname)

try:
    s.connect((hostname, port))   # try to connect
    print "accepted", s.cipher()  # connection accepted with the cipher s.cipher()

    context.set_ciphers('ECDHE-RSA-AES128-GCM-SHA256')  # we now set another cipher suite
    s.do_handshake()                                    # and try to perform a handshake

except Exception as excep:
    print "Error : ", excep

Do you have any idea how I can perform an SSL renegotiation?


Thanks :)