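def do_CONNECT(self):
    """Answer an HTTP CONNECT and, if the client then starts TLS, terminate
    that TLS locally with a certificate generated for the requested host.

    Only ports 80 and 443 are accepted; any other (or a non-numeric) port is
    logged and the request is dropped. After the ``200 Connection
    Established`` reply the first client byte is peeked: a TLS record marker
    (``0x16``) or SSLv2 marker (``0x80``) triggers the server-side wrap,
    otherwise the connection is left untouched as plain bytes.

    On a successful wrap ``self.connection``, ``self.rfile`` and
    ``self.wfile`` are replaced by the TLS socket and its file objects; the
    original file objects are kept in ``self.__realrfile`` /
    ``self.__realwfile``. ``self.close_connection`` is cleared so the base
    handler keeps reading requests on this connection.

    Returns:
        None. Failure paths (unsupported or malformed port, handshake
        errors) log and return early without raising.
    """
    host, _, port_bytes = self.path.rpartition(b':')
    try:
        port = int(port_bytes)
    except ValueError:
        # A CONNECT target with no numeric port would otherwise crash the
        # handler inside int(); reject it like an unsupported port instead.
        xlog.warn("CONNECT %s invalid port:%r", self.path, port_bytes)
        return
    if port not in (80, 443):
        xlog.warn("CONNECT %s port:%d not support", host, port)
        return
    certfile = CertUtil.get_cert(host)
    self.wfile.write(b'HTTP/1.1 200 Connection Established\r\n\r\n')
    self.wfile.flush()
    #self.conntunnel = True
    # Peek rather than read so the byte stays queued for whichever layer
    # (TLS handshake or plain passthrough) consumes it next.
    leadbyte = self.connection.recv(1, socket.MSG_PEEK)
    if leadbyte in (b'\x80', b'\x16'):
        try:
            # NOTE(review): ssl.wrap_socket() is deprecated and was removed in
            # Python 3.12; an ssl.SSLContext loaded with certfile/keyfile is the
            # replacement. As written, protocol and cipher choice are left at the
            # interpreter defaults (no minimum TLS version is pinned).
            ssl_sock = ssl.wrap_socket(self.connection,
                                       keyfile=CertUtil.cert_keyfile,
                                       certfile=certfile,
                                       server_side=True)
        except ssl.SSLError as e:
            # Handshake rejected: pre-generate a full_name certificate for the
            # host (presumably one whose subject is the exact host name — confirm
            # in CertUtil) so the client's next attempt can use it, then give up
            # on this attempt. The return value is intentionally unused.
            xlog.info('ssl error: %s, create full domain cert for host:%s', e, host)
            CertUtil.get_cert(host, full_name=True)
            return
        except Exception as e:
            # e.args can be empty for non-socket errors; avoid raising
            # IndexError from inside the error handler.
            err = e.args[0] if e.args else None
            if err not in (errno.ECONNABORTED, errno.ECONNRESET):
                xlog.exception('ssl.wrap_socket(self.connection=%r) failed: %s path:%s, errno:%s',
                               self.connection, e, self.path, err)
            return
        self.__realwfile = self.wfile
        self.__realrfile = self.rfile
        self.connection = ssl_sock
        self.rfile = self.connection.makefile('rb', self.bufsize)
        # Unbuffered writer so responses are pushed to the client immediately.
        self.wfile = self.connection.makefile('wb', 0)
    self.close_connection = 0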
def wrap_ssl(sock, host, port, client_address):
    """Wrap an accepted client socket in server-side TLS with a locally issued cert.

    The certificate is obtained from ``CertUtil.get_cert`` for ``host``; when
    ``host`` is empty/falsy the fixed name ``b'www.google.com'`` is used
    instead. ``port`` and ``client_address`` are accepted for interface
    compatibility but are not used here.

    Args:
        sock: the already-accepted client socket to wrap.
        host: the name the certificate should be issued for (bytes).
        port: unused.
        client_address: unused.

    Returns:
        The wrapped ``ssl.SSLSocket`` (handshake performed with the
        interpreter's default protocol settings).

    Raises:
        ssl.SSLError (or a socket error) if the handshake fails; nothing is
        caught here.
    """
    cert_name = host or b'www.google.com'
    certfile = CertUtil.get_cert(cert_name)
    keyfile = CertUtil.cert_keyfile
    # Same deprecated ssl.wrap_socket() call as the rest of the file; kept
    # for consistency.
    return ssl.wrap_socket(
        sock,
        keyfile=keyfile,
        certfile=certfile,
        server_side=True,
    )