class SslHandshakeHandler:
"""Handles Server Name Indication (SNI) using dummy certs."""
def setup(self):
"""Sets up connection providing the certificate to the client."""
# One of: One of SSLv2_METHOD, SSLv3_METHOD, SSLv23_METHOD, or TLSv1_METHOD
context = certutils.get_ssl_context()
def handle_servername(connection):
"""A SNI callback that happens during do_handshake()."""
try:
host = connection.get_servername()
if host:
cert_str = (self.server.http_archive_fetch.http_archive.
get_certificate(host))
new_context = certutils.get_ssl_context()
cert = certutils.load_cert(cert_str)
new_context.use_certificate(cert)
new_context.use_privatekey_file(self.server.ca_cert_path)
connection.set_context(new_context)
return new_context
# else: fail with 'no shared cipher'
except Exception, e:
# Do not leak any exceptions or else openssl crashes.
logging.error('Exception in SNI handler %s', e)
context.set_tlsext_servername_callback(handle_servername)
self.connection = certutils.get_ssl_connection(context,
self.connection)
self.connection.set_accept_state()
try:
self.connection.do_handshake()
except certutils.SysCallError, e:
if e.args[1] == 'Unexpected EOF':
return ''
raise
def run_request(self):
context = certutils.get_ssl_context()
context.set_verify(certutils.VERIFY_PEER, self.verify_cb) # Demand a cert
context.use_certificate_file(self.ca_cert_path)
context.load_verify_locations(self.ca_cert_path)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
self.connection = certutils.get_ssl_connection(context, s)
self.connection.connect((self.host, self.port))
self.connection.set_tlsext_host_name(self.host_name)
try:
self.connection.send('\r\n\r\n')
finally:
self.connection.shutdown()
self.connection.close()
def run_request(self):
context = certutils.get_ssl_context()
context.set_verify(certutils.VERIFY_PEER, self.verify_cb) # Demand a cert
context.use_certificate_file(self.ca_cert_path)
context.load_verify_locations(self.ca_cert_path)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
self.connection = certutils.get_ssl_connection(context, s)
self.connection.connect((self.host, self.port))
self.connection.set_tlsext_host_name(self.host_name)
try:
self.connection.send('\r\n\r\n')
finally:
self.connection.shutdown()
self.connection.close()
host = connection.get_servername()
if host:
cert_str = (handler.server.get_certificate(host))
new_context = certutils.get_ssl_context()
cert = certutils.load_cert(cert_str)
new_context.use_certificate(cert)
new_context.use_privatekey_file(handler.server.ca_cert_path)
connection.set_context(new_context)
return new_context
# else: fail with 'no domain.shared cipher'
except Exception, e:
# Do not leak any exceptions or else openssl crashes.
logging.error('Exception in SNI handler: %s', e)
context.set_tlsext_servername_callback(handle_servername)
handler.connection = certutils.get_ssl_connection(context,
handler.connection)
handler.connection.set_accept_state()
try:
handler.connection.do_handshake()
except certutils.Error, v:
host = handler.connection.get_servername()
if not host:
logging.error('Dropping request without SNI')
return ''
raise certutils.Error('SSL handshake error %s: %s' % (host, str(v)))
# Re-wrap the read/write streams with our new connection.
handler.rfile = socket._fileobject(handler.connection,
'rb',
handler.rbufsize,
close=False)
if host:
cert_str = (
handler.server.get_certificate(host))
new_context = certutils.get_ssl_context()
cert = certutils.load_cert(cert_str)
new_context.use_certificate(cert)
new_context.use_privatekey_file(handler.server.ca_cert_path)
connection.set_context(new_context)
return new_context
# else: fail with 'no shared cipher'
except Exception, e:
# Do not leak any exceptions or else openssl crashes.
logging.error('Exception in SNI handler: %s', e)
context.set_tlsext_servername_callback(handle_servername)
handler.connection = certutils.get_ssl_connection(context, handler.connection)
handler.connection.set_accept_state()
try:
handler.connection.do_handshake()
except certutils.Error, v:
host = handler.connection.get_servername()
if not host:
logging.error('Dropping request without SNI')
return ''
raise certutils.Error('SSL handshake error %s: %s' % (host, str(v)))
# Re-wrap the read/write streams with our new connection.
handler.rfile = socket._fileobject(handler.connection, 'rb', handler.rbufsize,
close=False)
handler.wfile = socket._fileobject(handler.connection, 'wb', handler.wbufsize,
close=False)
