def _create_stream(self, addrinfo):
    """Open the client stream for the first address in ``addrinfo``.

    ``addrinfo[0][0]`` supplies the socket family.  For any scheme other
    than ``https`` a plain ``IOStream`` is returned.  For ``https`` an
    ``SSLIOStream`` is built from the request's certificate settings:

    * ``validate_cert`` -> ``cert_reqs = ssl.CERT_REQUIRED``
    * ``ca_certs`` -> ``ca_certs`` (falls back to ``_default_ca_certs()``;
      this key is populated even when ``validate_cert`` is false)
    * ``client_key`` / ``client_cert`` -> ``keyfile`` / ``certfile``

    NOTE(review): nothing in this method enables hostname checking; whether
    the peer name is matched against the certificate is up to
    ``SSLIOStream`` -- confirm before relying on ``validate_cert`` alone.
    """
    family = addrinfo[0][0]
    if self.parsed.scheme != "https":
        return IOStream(socket.socket(family),
                        io_loop=self.io_loop,
                        max_buffer_size=self.max_buffer_size)

    request = self.request
    ssl_options = {}
    if request.validate_cert:
        ssl_options["cert_reqs"] = ssl.CERT_REQUIRED
    # The CA bundle is always set so the default bundle is used whenever the
    # caller did not supply one.
    ca_bundle = request.ca_certs
    if ca_bundle is None:
        ca_bundle = _default_ca_certs()
    ssl_options["ca_certs"] = ca_bundle
    if request.client_key is not None:
        ssl_options["keyfile"] = request.client_key
    if request.client_cert is not None:
        ssl_options["certfile"] = request.client_cert

    # Interoperability vs. hardening, as explained by the original author:
    # SSLv2 must be off, but OpenSSL only disabled it by default from 1.0 and
    # SSL_OP_NO_SSLv2 was not exposed to Python before 3.2.  On Python >= 2.7
    # the ``ciphers`` argument can exclude SSLv2 suites instead.  Python 2.6
    # has neither, so the protocol is pinned to TLSv1 there -- narrower than
    # wanted (it breaks SSLv3-only servers) but almost every server speaks
    # both SSLv3 and TLSv1:
    # http://blog.ivanristic.com/2011/09/ssl-survey-protocol-support.html
    if sys.version_info >= (2, 7):
        ssl_options["ciphers"] = "DEFAULT:!SSLv2"
    else:
        # Only matters for pre-1.0 OpenSSL, but Python 2.6 cannot tell us the
        # OpenSSL version, so it is applied unconditionally.
        ssl_options["ssl_version"] = ssl.PROTOCOL_TLSv1

    return SSLIOStream(socket.socket(family),
                       io_loop=self.io_loop,
                       ssl_options=ssl_options,
                       max_buffer_size=self.max_buffer_size)
def _get_ssl_options(cls, cert_options):
    """Build the ``SSLContext`` for an HTTP/2 client connection.

    ``cert_options`` is a mapping that must contain the keys
    ``validate_cert``, ``ca_certs``, ``client_key`` and ``client_cert``
    (a missing key raises ``KeyError``).  They map onto the Tornado
    ``ssl_options`` keys ``cert_reqs``, ``ca_certs``, ``keyfile`` and
    ``certfile``; ``ca_certs`` is always filled, falling back to
    ``simple_httpclient._default_ca_certs()``.

    Returns the context produced by ``netutil.ssl_options_to_context``,
    restricted to the ``ECDH+AESGCM`` cipher group and
    ``ssl.PROTOCOL_TLSv1_2``, with ALPN advertising ``h2`` only.

    NOTE(review): pinning ``ssl_version`` to ``PROTOCOL_TLSv1_2`` also
    rules out negotiating anything newer; presumably deliberate so the
    RFC 7540 cipher requirement below holds -- confirm.
    """
    options = {}
    if cert_options['validate_cert']:
        options["cert_reqs"] = ssl.CERT_REQUIRED

    ca_bundle = cert_options['ca_certs']
    if ca_bundle is None:
        ca_bundle = simple_httpclient._default_ca_certs()
    options["ca_certs"] = ca_bundle

    # Optional client-auth material, copied only when supplied.
    for source_key, target_key in (('client_key', "keyfile"),
                                   ('client_cert', "certfile")):
        value = cert_options[source_key]
        if value is not None:
            options[target_key] = value

    # RFC 7540 section 9.2.2: an HTTP/2 deployment over TLS 1.2 MUST support
    # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, which this cipher group covers.
    options["ciphers"] = "ECDH+AESGCM"
    options["ssl_version"] = ssl.PROTOCOL_TLSv1_2

    context = netutil.ssl_options_to_context(options)
    context.set_alpn_protocols(['h2'])
    return context
def _get_ssl_options(cls, cert_options):
    """Build the ``SSLContext`` for an HTTP/2 client connection.

    ``cert_options`` is a mapping that must contain the keys
    ``validate_cert``, ``ca_certs``, ``client_key`` and ``client_cert``
    (a missing key raises ``KeyError``).  ``validate_cert`` turns on
    ``cert_reqs = ssl.CERT_REQUIRED``; ``ca_certs`` is always set, using
    ``simple_httpclient._default_ca_certs()`` when the caller gave none;
    ``client_key`` / ``client_cert`` become ``keyfile`` / ``certfile``
    when present.

    Returns the context produced by ``netutil.ssl_options_to_context``,
    restricted to the ``ECDH+AESGCM`` cipher group and
    ``ssl.PROTOCOL_TLSv1_2``, with ALPN advertising ``h2`` only.

    NOTE(review): pinning ``ssl_version`` to ``PROTOCOL_TLSv1_2`` also
    rules out negotiating anything newer; presumably deliberate so the
    RFC 7540 cipher requirement below holds -- confirm.
    """
    def _copy_if_set(source_key, target_key, into):
        # Copy an optional cert_options entry only when it is not None.
        value = cert_options[source_key]
        if value is not None:
            into[target_key] = value

    options = {}
    if cert_options["validate_cert"]:
        options["cert_reqs"] = ssl.CERT_REQUIRED

    if cert_options["ca_certs"] is None:
        options["ca_certs"] = simple_httpclient._default_ca_certs()
    else:
        options["ca_certs"] = cert_options["ca_certs"]

    _copy_if_set("client_key", "keyfile", options)
    _copy_if_set("client_cert", "certfile", options)

    # RFC 7540 section 9.2.2: an HTTP/2 deployment over TLS 1.2 MUST support
    # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, which this cipher group covers.
    options["ciphers"] = "ECDH+AESGCM"
    options["ssl_version"] = ssl.PROTOCOL_TLSv1_2

    context = netutil.ssl_options_to_context(options)
    context.set_alpn_protocols(["h2"])
    return context
def test_default_certificates_exist(self):
    """The CA bundle path returned by ``_default_ca_certs()`` must be openable.

    Opening the file (and closing it immediately) is the whole check; any
    ``OSError`` from ``open`` fails the test.
    """
    with open(_default_ca_certs()):
        pass