diff --git a/copyparty/__main__.py b/copyparty/__main__.py
index 2f3d7cf2..277576cc 100755
--- a/copyparty/__main__.py
+++ b/copyparty/__main__.py
@@ -729,11 +729,12 @@ def add_cert(ap, cert_path):
     ap2.add_argument("--crt-ns", metavar="N,N", type=u, default="", help="comma-separated list of FQDNs (domains) to add into the certificate")
     ap2.add_argument("--crt-exact", action="store_true", help="do not add wildcard entries for each --crt-ns")
     ap2.add_argument("--crt-noip", action="store_true", help="do not add autodetected IP addresses into cert")
+    ap2.add_argument("--crt-nolo", action="store_true", help="do not add 127.0.0.1 / localhost into cert")
     ap2.add_argument("--crt-dir", metavar="PATH", default=cert_dir, help="where to save the CA cert")
     ap2.add_argument("--crt-cdays", metavar="D", type=float, default=3650, help="ca-certificate expiration time in days")
     ap2.add_argument("--crt-sdays", metavar="D", type=float, default=365, help="server-cert expiration time in days")
     ap2.add_argument("--crt-cn", metavar="TXT", type=u, default="partyco", help="CA/server-cert common-name")
-    ap2.add_argument("--crt-cnc", metavar="TXT", type=u, default="--crt-cn ca", help="override CA name")
+    ap2.add_argument("--crt-cnc", metavar="TXT", type=u, default="--crt-cn", help="override CA name")
     ap2.add_argument("--crt-cns", metavar="TXT", type=u, default="--crt-cn cpp", help="override server-cert name")
     ap2.add_argument("--crt-back", metavar="HRS", type=float, default=72, help="backdate in hours")
     ap2.add_argument("--crt-alg", metavar="S-N", type=u, default="ecdsa-256", help="algorithm and keysize; one of these: ecdsa-256 rsa-4096 rsa-2048")
@@ -1282,6 +1283,7 @@ def main(argv: Optional[list[str]] = None) -> None:
         configure_ssl_ciphers(al)
     else:
         warn("ssl module does not exist; cannot enable https")
+        al.http_only = True
 
     if PY2 and WINDOWS and al.e2d:
         warn(
diff --git a/copyparty/cert.py b/copyparty/cert.py
index cb0f2b9b..6232734a 100644
--- a/copyparty/cert.py
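Review bot: The `--crt-nolo` help text says it keeps out `127.0.0.1 / localhost`, but the matching filter in the cert.py hunk of this commit also drops `::1`, so the flag's description undersells what it does; `help="do not add 127.0.0.1 / ::1 / localhost into cert"` would match the code. The cert.py hunk also shows the generator falling back to `127.0.0.1` when no names remain, which is worth a word in the help so an operator is not surprised to find a loopback name in the cert anyway. add_cert's body continues outside the hunk.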
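Review bot: The new `al.http_only = True` forces plaintext when the ssl module is absent but leaves `al.https_only` untouched, and the httpconn.py `_detect_https` hunk in this same commit checks `https_only` before `http_only`, so `--https-only` on such a build would still take the TLS branch and fail per connection rather than at startup. An operator who explicitly asked for https-only should get a hard refusal instead of a warning plus a plaintext listener; something like `if al.https_only: raise Exception("ssl module does not exist; cannot satisfy --https-only")` (or the file's usual fatal-error helper, which I cannot see from here) just before the override would make that explicit. A short comment on the assignment, `# ssl unavailable: serve plaintext only`, would also record why the user's flag is being overridden. main's body continues outside the hunk.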
+++ b/copyparty/cert.py
@@ -9,13 +9,6 @@ import calendar
 from .util import runcmd, Netdev
-try:
-    HAVE_SSL = True
-    import ssl
-except:
-    HAVE_SSL = False
-
-
 HAVE_CFSSL = True
@@ -124,8 +117,12 @@ def _gen_srv(log: "RootLogger", args, netdevs: dict[str, Netdev]):
     if not args.crt_noip:
         for ip in netdevs.keys():
             names.append(ip.split("/")[0])
+    if args.crt_nolo:
+        names = [x for x in names if x not in ("localhost", "127.0.0.1", "::1")]
     if not names:
         names = ["127.0.0.1"]
+    if "127.0.0.1" in names or "::1" in names:
+        names.append("localhost")
     names = list({x: 1 for x in names}.keys())
 
     try:
@@ -158,7 +155,7 @@ def _gen_srv(log: "RootLogger", args, netdevs: dict[str, Netdev]):
     with open(os.path.join(args.crt_dir, "cfssl.json"), "wb") as f:
         f.write(json.dumps(cfg).encode("utf-8"))
 
-    cn = args.crt_cnc.replace("--crt-cn", args.crt_cn)
+    cn = args.crt_cns.replace("--crt-cn", args.crt_cn)
     algo, ksz = args.crt_alg.split("-")
     req = {
         "key": {"algo": algo, "size": int(ksz)},
@@ -200,7 +197,7 @@ def _gen_srv(log: "RootLogger", args, netdevs: dict[str, Netdev]):
 def gencert(log: "RootLogger", args, netdevs: dict[str, Netdev]):
     global HAVE_CFSSL
 
-    if not HAVE_SSL or args.http_only:
+    if args.http_only:
         return
 
     if args.no_crt or not HAVE_CFSSL:
diff --git a/copyparty/httpconn.py b/copyparty/httpconn.py
index 708029ea..a3b49cf9 100644
--- a/copyparty/httpconn.py
+++ b/copyparty/httpconn.py
@@ -8,12 +8,6 @@ import socket
 import threading  # typechk
 import time
 
-try:
-    HAVE_SSL = True
-    import ssl
-except:
-    HAVE_SSL = False
-
 from . import util as Util
 from .__init__ import TYPE_CHECKING, EnvParams
 from .authsrv import AuthSrv  # typechk
@@ -54,7 +48,6 @@ class HttpConn(object):
         self.args: argparse.Namespace = hsrv.args  # mypy404
         self.E: EnvParams = self.args.E
         self.asrv: AuthSrv = hsrv.asrv  # mypy404
-        self.cert_path = hsrv.cert_path
         self.u2fh: Util.FHC = hsrv.u2fh  # mypy404
         self.iphash: HMaccas = hsrv.broker.iphash
         self.bans: dict[str, int] = hsrv.bans
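Review bot: The `crt_nolo` filter runs before the empty-list fallback, so `--crt-nolo` with no other names (for example together with `--crt-noip` and an empty `--crt-ns`) empties `names`, the next line puts `127.0.0.1` back, and the new check then appends `localhost` — the certificate ends up carrying exactly the names the flag asked to keep out. Treating that as a configuration conflict is safer than quietly issuing a loopback cert the operator did not want: `if not names:` / `    if args.crt_nolo: raise Exception("no names left for the server cert after --crt-nolo")` ahead of the fallback assignment, or at minimum a log line saying the fallback overrode the flag. `_gen_srv` starts and ends outside the hunk.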
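Review bot: `gencert` now returns only on `args.http_only` and no longer checks for the ssl module itself, so it depends on `main()` having set `http_only` when `import ssl` failed (the __main__.py hunk in this commit); a caller that builds `args` some other way would run certificate generation on a host that cannot serve TLS at all. A one-line comment on the guard would record that contract for the next reader: `# main() forces http_only when the ssl module is missing, so no HAVE_SSL check is needed here`. gencert's body continues outside the hunk.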
@@ -114,7 +107,7 @@ class HttpConn(object):
 
     def _detect_https(self) -> bool:
         method = None
-        if self.cert_path:
+        if True:
             try:
                 method = self.s.recv(4, socket.MSG_PEEK)
             except socket.timeout:
@@ -148,7 +141,7 @@ class HttpConn(object):
         self.sr = None
         if self.args.https_only:
             is_https = True
-        elif self.args.http_only or not HAVE_SSL:
+        elif self.args.http_only:
             is_https = False
         else:
             # raise Exception("asdf")
@@ -162,7 +155,7 @@ class HttpConn(object):
             self.log_src = self.log_src.replace("[36m", "[35m")
             try:
                 ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
-                ctx.load_cert_chain(self.cert_path)
+                ctx.load_cert_chain(self.args.cert)
                 if self.args.ssl_ver:
                     ctx.options &= ~self.args.ssl_flags_en
                     ctx.options |= self.args.ssl_flags_de
diff --git a/copyparty/httpsrv.py b/copyparty/httpsrv.py
index c3585391..f980a690 100644
--- a/copyparty/httpsrv.py
+++ b/copyparty/httpsrv.py
@@ -148,12 +148,6 @@ class HttpSrv(object):
         self.ssdp = SSDPr(broker)
-        cert_path = self.args.cert
-        if bos.path.exists(cert_path):
-            self.cert_path = cert_path
-        else:
-            self.cert_path = ""
-
         if self.tp_q:
             self.start_threads(4)
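Review bot: `if True:` at the top of `_detect_https` is a leftover from dropping the `self.cert_path` guard; it keeps a whole indentation level for a condition that can never be false and reads as an unfinished edit. Either dedent the `try` block by one level and delete the `if`, or, if a guard is still intended (for instance skipping the peek when `self.args.http_only` is set), write that condition so the reader knows why the peek is conditional. The method continues outside the hunk.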
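Review bot: `ctx.load_cert_chain(self.args.cert)` now receives the configured path unconditionally, while the existence check that used to turn a missing file into an empty `cert_path` was removed in the httpsrv.py hunk, so a missing or unreadable certificate is no longer noticed at startup and instead surfaces as an exception inside this per-connection `try` on every TLS client hello; whether the surrounding `except` reports that clearly is outside the hunk. A one-time readability check of `args.cert` when the server starts (or in gencert, which already knows the path) would fail fast and give the operator one actionable error instead of a stream of per-connection failures. Since the guarded `try: import ssl` was removed at the top of this file, `ssl` on the context line must now come from an unconditional import I cannot see here; if that is a bare `import ssl`, a host without the module fails at import time rather than falling through to the `http_only` path main() sets. The enclosing method starts and ends outside the hunk.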