class SslHandshakeHandler: """Handles Server Name Indication (SNI) using dummy certs.""" def setup(self): """Sets up connection providing the certificate to the client.""" # One of: One of SSLv2_METHOD, SSLv3_METHOD, SSLv23_METHOD, or TLSv1_METHOD context = certutils.get_ssl_context() def handle_servername(connection): """A SNI callback that happens during do_handshake().""" try: host = connection.get_servername() if host: cert_str = (self.server.http_archive_fetch.http_archive. get_certificate(host)) new_context = certutils.get_ssl_context() cert = certutils.load_cert(cert_str) new_context.use_certificate(cert) new_context.use_privatekey_file(self.server.ca_cert_path) connection.set_context(new_context) return new_context # else: fail with 'no shared cipher' except Exception, e: # Do not leak any exceptions or else openssl crashes. logging.error('Exception in SNI handler %s', e) context.set_tlsext_servername_callback(handle_servername) self.connection = certutils.get_ssl_connection(context, self.connection) self.connection.set_accept_state() try: self.connection.do_handshake() except certutils.SysCallError, e: if e.args[1] == 'Unexpected EOF': return '' raise
def run_request(self): context = certutils.get_ssl_context() context.set_verify(certutils.VERIFY_PEER, self.verify_cb) # Demand a cert context.use_certificate_file(self.ca_cert_path) context.load_verify_locations(self.ca_cert_path) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) self.connection = certutils.get_ssl_connection(context, s) self.connection.connect((self.host, self.port)) self.connection.set_tlsext_host_name(self.host_name) try: self.connection.send('\r\n\r\n') finally: self.connection.shutdown() self.connection.close()
host = connection.get_servername() if host: cert_str = (handler.server.get_certificate(host)) new_context = certutils.get_ssl_context() cert = certutils.load_cert(cert_str) new_context.use_certificate(cert) new_context.use_privatekey_file(handler.server.ca_cert_path) connection.set_context(new_context) return new_context # else: fail with 'no domain.shared cipher' except Exception, e: # Do not leak any exceptions or else openssl crashes. logging.error('Exception in SNI handler: %s', e) context.set_tlsext_servername_callback(handle_servername) handler.connection = certutils.get_ssl_connection(context, handler.connection) handler.connection.set_accept_state() try: handler.connection.do_handshake() except certutils.Error, v: host = handler.connection.get_servername() if not host: logging.error('Dropping request without SNI') return '' raise certutils.Error('SSL handshake error %s: %s' % (host, str(v))) # Re-wrap the read/write streams with our new connection. handler.rfile = socket._fileobject(handler.connection, 'rb', handler.rbufsize, close=False)
if host: cert_str = ( handler.server.get_certificate(host)) new_context = certutils.get_ssl_context() cert = certutils.load_cert(cert_str) new_context.use_certificate(cert) new_context.use_privatekey_file(handler.server.ca_cert_path) connection.set_context(new_context) return new_context # else: fail with 'no shared cipher' except Exception, e: # Do not leak any exceptions or else openssl crashes. logging.error('Exception in SNI handler: %s', e) context.set_tlsext_servername_callback(handle_servername) handler.connection = certutils.get_ssl_connection(context, handler.connection) handler.connection.set_accept_state() try: handler.connection.do_handshake() except certutils.Error, v: host = handler.connection.get_servername() if not host: logging.error('Dropping request without SNI') return '' raise certutils.Error('SSL handshake error %s: %s' % (host, str(v))) # Re-wrap the read/write streams with our new connection. handler.rfile = socket._fileobject(handler.connection, 'rb', handler.rbufsize, close=False) handler.wfile = socket._fileobject(handler.connection, 'wb', handler.wbufsize, close=False)