Exemple #1
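    def do_CONNECT(self):
        """Accept a CONNECT tunnel and terminate the client's TLS locally.

        Only ports 80 and 443 are accepted. After the ``200`` reply the first
        byte of the client stream is peeked; if it looks like the start of an
        SSL/TLS handshake, the socket is wrapped server-side with the
        certificate returned by ``CertUtil.get_cert(host)`` and ``rfile`` /
        ``wfile`` are rebuilt on the wrapped socket, so later requests on this
        connection are read in clear text by this handler.

        Security notes for maintainers:
          * ``self.path`` is client-controlled. A malformed port is logged and
            the request dropped instead of letting ``ValueError`` escape.
          * ``CertUtil.cert_keyfile`` is the key used for every certificate
            presented here; presumably any client that trusts this proxy's
            certificates trusts whoever can read that file. Verify its file
            permissions.
          * ``ssl.wrap_socket`` is deprecated since Python 3.7 and removed in
            3.12, and it sets no explicit minimum protocol version. An
            ``ssl.SSLContext`` with a pinned minimum version is the supported
            replacement. It is left as-is here because the ``b'\\x80'`` check
            suggests legacy hello formats are accepted on purpose.
        """
        host, _, port = self.path.rpartition(b':')
        try:
            port = int(port)
        except ValueError:
            # Untrusted request line: refuse quietly rather than raise.
            xlog.warn("CONNECT %r has a malformed port", self.path)
            return
        if port not in (80, 443):
            xlog.warn("CONNECT %s port:%d not support", host, port)
            return

        certfile = CertUtil.get_cert(host)
        self.wfile.write(b'HTTP/1.1 200 Connection Established\r\n\r\n')
        self.wfile.flush()

        # Peek (do not consume) one byte: 0x16 is a TLS handshake record,
        # 0x80 the first byte of an SSLv2-format hello.
        leadbyte = self.connection.recv(1, socket.MSG_PEEK)
        if leadbyte in (b'\x80', b'\x16'):
            try:
                ssl_sock = ssl.wrap_socket(self.connection, keyfile=CertUtil.cert_keyfile, certfile=certfile, server_side=True)
            except ssl.SSLError as e:
                xlog.info('ssl error: %s, create full domain cert for host:%s', e, host)
                # The result is not used on this connection; presumably the
                # call prepares a full-name cert for the client's retry.
                certfile = CertUtil.get_cert(host, full_name=True)
                return
            except Exception as e:
                # Exceptions built without arguments have an empty ``args``.
                err = e.args[0] if e.args else None
                if err not in (errno.ECONNABORTED, errno.ECONNRESET):
                    xlog.exception('ssl.wrap_socket(self.connection=%r) failed: %s path:%s, errno:%s', self.connection, e, self.path, err)
                return

            # Keep references to the plain-socket file objects, then swap the
            # handler over to the decrypted stream.
            self.__realwfile = self.wfile
            self.__realrfile = self.rfile
            self.connection = ssl_sock
            self.rfile = self.connection.makefile('rb', self.bufsize)
            self.wfile = self.connection.makefile('wb', 0)

        # Keep the connection open so the next request on it is handled.
        self.close_connection = 0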
Exemple #2
def wrap_ssl(sock, host, port, client_address):
    """Wrap *sock* as the server side of a TLS session for *host*.

    The certificate comes from ``CertUtil.get_cert``; when *host* is falsy the
    certificate for ``b'www.google.com'`` is requested instead. *port* and
    *client_address* are accepted but not used here.

    NOTE(review): ``ssl.wrap_socket`` is deprecated since Python 3.7 and
    removed in 3.12, and it sets no explicit minimum protocol version; an
    ``ssl.SSLContext`` with a pinned minimum version is the supported
    replacement. ``CertUtil.cert_keyfile`` is the key for every certificate
    served this way, so its file permissions deserve a check.
    """
    cert_host = host if host else b'www.google.com'
    cert_path = CertUtil.get_cert(cert_host)
    return ssl.wrap_socket(
        sock,
        keyfile=CertUtil.cert_keyfile,
        certfile=cert_path,
        server_side=True,
    )