def _tlsstartup(cnn): authname = None cert = None if libssl: # most fully featured SSL function ctx = libssl.Context(libssl.SSLv23_METHOD) ctx.set_options(libssl.OP_NO_SSLv2 | libssl.OP_NO_SSLv3 | libssl.OP_NO_TLSv1 | libssl.OP_NO_TLSv1_1 | libssl.OP_CIPHER_SERVER_PREFERENCE) ctx.set_cipher_list( 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:' 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384') ctx.set_tmp_ecdh(crypto.get_elliptic_curve('secp384r1')) ctx.use_certificate_file('/etc/confluent/srvcert.pem') ctx.use_privatekey_file('/etc/confluent/privkey.pem') ctx.set_verify(libssln.VERIFY_PEER, lambda *args: True) libssln._lib.SSL_CTX_set_cert_verify_callback(ctx._context, verify_stub, ffi.NULL) cnn = libssl.Connection(ctx, cnn) cnn.set_accept_state() cnn.do_handshake() cert = cnn.get_peer_certificate() else: try: # Try relatively newer python TLS function ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23) ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 ctx.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1 ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE ctx.set_ciphers( 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:' 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384') ctx.load_cert_chain('/etc/confluent/srvcert.pem', '/etc/confluent/privkey.pem') cnn = ctx.wrap_socket(cnn, server_side=True) except AttributeError: # Python 2.6 era, go with best effort cnn = ssl.wrap_socket(cnn, keyfile="/etc/confluent/privkey.pem", certfile="/etc/confluent/srvcert.pem", ssl_version=ssl.PROTOCOL_TLSv1, server_side=True) sessionhdl(cnn, authname, cert=cert)
def test_context_wrapped_accept(self): context = ssl.SSLContext(ssl.PROTOCOL_SSLv23) context.load_cert_chain(tests.certificate_file, tests.private_key_file) expected = "success:{}".format(random.random()).encode() def client(addr): client_tls = ssl.wrap_socket( eventlet.connect(addr), cert_reqs=ssl.CERT_REQUIRED, ca_certs=tests.certificate_file, ) client_tls.send(expected) server_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) server_sock.bind(('localhost', 0)) server_sock.listen(1) eventlet.spawn(client, server_sock.getsockname()) server_tls = context.wrap_socket(server_sock, server_side=True) peer, _ = server_tls.accept() assert peer.recv(64) == expected peer.close()