tls / gencert fixes

copyparty/__main__.py

@@ -729,11 +729,12 @@ def add_cert(ap, cert_path):
     ap2.add_argument("--crt-ns", metavar="N,N", type=u, default="", help="comma-separated list of FQDNs (domains) to add into the certificate")
     ap2.add_argument("--crt-exact", action="store_true", help="do not add wildcard entries for each --crt-ns")
     ap2.add_argument("--crt-noip", action="store_true", help="do not add autodetected IP addresses into cert")
+    ap2.add_argument("--crt-nolo", action="store_true", help="do not add 127.0.0.1 / localhost into cert")
     ap2.add_argument("--crt-dir", metavar="PATH", default=cert_dir, help="where to save the CA cert")
     ap2.add_argument("--crt-cdays", metavar="D", type=float, default=3650, help="ca-certificate expiration time in days")
     ap2.add_argument("--crt-sdays", metavar="D", type=float, default=365, help="server-cert expiration time in days")
     ap2.add_argument("--crt-cn", metavar="TXT", type=u, default="partyco", help="CA/server-cert common-name")
-    ap2.add_argument("--crt-cnc", metavar="TXT", type=u, default="--crt-cn ca", help="override CA name")
+    ap2.add_argument("--crt-cnc", metavar="TXT", type=u, default="--crt-cn", help="override CA name")
     ap2.add_argument("--crt-cns", metavar="TXT", type=u, default="--crt-cn cpp", help="override server-cert name")
     ap2.add_argument("--crt-back", metavar="HRS", type=float, default=72, help="backdate in hours")
     ap2.add_argument("--crt-alg", metavar="S-N", type=u, default="ecdsa-256", help="algorithm and keysize; one of these: ecdsa-256 rsa-4096 rsa-2048")
@@ -1282,6 +1283,7 @@ def main(argv: Optional[list[str]] = None) -> None:
             configure_ssl_ciphers(al)
     else:
         warn("ssl module does not exist; cannot enable https")
+        al.http_only = True
 
     if PY2 and WINDOWS and al.e2d:
         warn(

copyparty/cert.py

@@ -9,13 +9,6 @@ import calendar
 from .util import runcmd, Netdev
 
 
-try:
-    HAVE_SSL = True
-    import ssl
-except:
-    HAVE_SSL = False
-
-
 HAVE_CFSSL = True
 
 
@@ -124,8 +117,12 @@ def _gen_srv(log: "RootLogger", args, netdevs: dict[str, Netdev]):
     if not args.crt_noip:
         for ip in netdevs.keys():
             names.append(ip.split("/")[0])
+    if args.crt_nolo:
+        names = [x for x in names if x not in ("localhost", "127.0.0.1", "::1")]
     if not names:
         names = ["127.0.0.1"]
+    if "127.0.0.1" in names or "::1" in names:
+        names.append("localhost")
     names = list({x: 1 for x in names}.keys())
 
     try:
@@ -158,7 +155,7 @@ def _gen_srv(log: "RootLogger", args, netdevs: dict[str, Netdev]):
     with open(os.path.join(args.crt_dir, "cfssl.json"), "wb") as f:
         f.write(json.dumps(cfg).encode("utf-8"))
 
-    cn = args.crt_cnc.replace("--crt-cn", args.crt_cn)
+    cn = args.crt_cns.replace("--crt-cn", args.crt_cn)
     algo, ksz = args.crt_alg.split("-")
     req = {
         "key": {"algo": algo, "size": int(ksz)},
@@ -200,7 +197,7 @@ def _gen_srv(log: "RootLogger", args, netdevs: dict[str, Netdev]):
 def gencert(log: "RootLogger", args, netdevs: dict[str, Netdev]):
     global HAVE_CFSSL
 
-    if not HAVE_SSL or args.http_only:
+    if args.http_only:
         return
 
     if args.no_crt or not HAVE_CFSSL:

copyparty/httpconn.py

@@ -8,12 +8,6 @@ import socket
 import threading  # typechk
 import time
 
-try:
-    HAVE_SSL = True
-    import ssl
-except:
-    HAVE_SSL = False
-
 from . import util as Util
 from .__init__ import TYPE_CHECKING, EnvParams
 from .authsrv import AuthSrv  # typechk
@@ -54,7 +48,6 @@ class HttpConn(object):
         self.args: argparse.Namespace = hsrv.args  # mypy404
         self.E: EnvParams = self.args.E
         self.asrv: AuthSrv = hsrv.asrv  # mypy404
-        self.cert_path = hsrv.cert_path
         self.u2fh: Util.FHC = hsrv.u2fh  # mypy404
         self.iphash: HMaccas = hsrv.broker.iphash
         self.bans: dict[str, int] = hsrv.bans
@@ -114,7 +107,7 @@ class HttpConn(object):
 
     def _detect_https(self) -> bool:
         method = None
-        if self.cert_path:
+        if True:
             try:
                 method = self.s.recv(4, socket.MSG_PEEK)
             except socket.timeout:
@@ -148,7 +141,7 @@ class HttpConn(object):
         self.sr = None
         if self.args.https_only:
             is_https = True
-        elif self.args.http_only or not HAVE_SSL:
+        elif self.args.http_only:
             is_https = False
         else:
             # raise Exception("asdf")
@@ -162,7 +155,7 @@ class HttpConn(object):
             self.log_src = self.log_src.replace("[36m", "[35m")
             try:
                 ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
-                ctx.load_cert_chain(self.cert_path)
+                ctx.load_cert_chain(self.args.cert)
                 if self.args.ssl_ver:
                     ctx.options &= ~self.args.ssl_flags_en
                     ctx.options |= self.args.ssl_flags_de

copyparty/httpsrv.py

@@ -148,12 +148,6 @@ class HttpSrv(object):
 
             self.ssdp = SSDPr(broker)
 
-        cert_path = self.args.cert
-        if bos.path.exists(cert_path):
-            self.cert_path = cert_path
-        else:
-            self.cert_path = ""
-
         if self.tp_q:
             self.start_threads(4)