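def _tlsstartup(cnn, certfile='/etc/confluent/srvcert.pem',
                keyfile='/etc/confluent/privkey.pem'):
    """Wrap the accepted socket *cnn* in server-side TLS, then call sessionhdl.

    Three implementations are tried, in order of preference:

    1. pyOpenSSL (module-level ``libssl``): SSLv2/3 and TLS 1.0/1.1 are
       disabled, only ECDHE AEAD suites are offered with server preference,
       the ephemeral ECDH curve is secp384r1, and the peer certificate is
       requested.
    2. ``ssl.SSLContext``: the same protocol and cipher restrictions; no
       peer certificate is requested.
    3. ``ssl.wrap_socket`` (Pythons without SSLContext): best effort,
       TLSv1 only.

    Args:
        cnn: the plain, already-accepted socket.
        certfile: PEM file holding the server certificate.  Defaults to the
            path that used to be hard-coded.
        keyfile: PEM file holding the matching private key.

    Returns:
        None.  The TLS-wrapped socket is handed to ``sessionhdl`` together
        with ``authname`` (always None here) and ``cert`` (the peer
        certificate in the pyOpenSSL path, None otherwise).

    Security note: in the pyOpenSSL path the verify callback is
    ``lambda *args: True`` and ``verify_stub`` is installed as the
    certificate-verify callback, so the peer chain is NOT validated by this
    function -- the raw certificate is passed on to ``sessionhdl``, which is
    presumably where client authentication is decided (TODO confirm).
    """
    authname = None
    cert = None
    # Same suite list for the pyOpenSSL and ssl.SSLContext paths.
    ciphers = ('ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:'
               'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384')
    if libssl:
        # Most fully featured option: lets us request the client certificate
        # and pin the ECDH curve.
        ctx = libssl.Context(libssl.SSLv23_METHOD)
        ctx.set_options(libssl.OP_NO_SSLv2 | libssl.OP_NO_SSLv3
                        | libssl.OP_NO_TLSv1 | libssl.OP_NO_TLSv1_1
                        | libssl.OP_CIPHER_SERVER_PREFERENCE)
        ctx.set_cipher_list(ciphers)
        ctx.set_tmp_ecdh(crypto.get_elliptic_curve('secp384r1'))
        ctx.use_certificate_file(certfile)
        ctx.use_privatekey_file(keyfile)
        # Request a peer certificate but accept any at the TLS layer; the
        # application layer gets the certificate via ``cert`` (see docstring).
        ctx.set_verify(libssln.VERIFY_PEER, lambda *args: True)
        libssln._lib.SSL_CTX_set_cert_verify_callback(ctx._context,
                                                      verify_stub, ffi.NULL)
        cnn = libssl.Connection(ctx, cnn)
        cnn.set_accept_state()
        cnn.do_handshake()
        cert = cnn.get_peer_certificate()
    else:
        try:
            # Relatively newer python TLS API (ssl.SSLContext).
            ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
            ctx.options |= (ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
                            | ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
                            | ssl.OP_CIPHER_SERVER_PREFERENCE)
            ctx.set_ciphers(ciphers)
            ctx.load_cert_chain(certfile, keyfile)
            cnn = ctx.wrap_socket(cnn, server_side=True)
        except AttributeError:
            # Python 2.6 era: no SSLContext, so go with best effort.
            # Note this only negotiates TLSv1.
            cnn = ssl.wrap_socket(cnn,
                                  keyfile=keyfile,
                                  certfile=certfile,
                                  ssl_version=ssl.PROTOCOL_TLSv1,
                                  server_side=True)
    sessionhdl(cnn, authname, cert=cert)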
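    def test_context_wrapped_accept(self):
        """Accept a TLS client through an SSLContext-wrapped listening socket.

        The *listening* socket is wrapped (``context.wrap_socket`` on the
        unconnected server socket), so ``accept()`` must hand back an
        already-TLS peer.  A client in a green thread connects, verifies the
        server against ``tests.certificate_file`` and sends a per-run marker,
        which must arrive intact on the server side.

        All sockets are closed in ``finally`` blocks so a failing assert does
        not leak the listener or the peer into later tests.
        """
        context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
        context.load_cert_chain(tests.certificate_file, tests.private_key_file)
        # random.random() only makes the payload unique per run so a stale
        # reply cannot satisfy the assert; nothing security-sensitive here.
        expected = "success:{}".format(random.random()).encode()

        def client(addr):
            # The server's certificate file doubles as the client's CA bundle.
            client_tls = ssl.wrap_socket(
                eventlet.connect(addr),
                cert_reqs=ssl.CERT_REQUIRED,
                ca_certs=tests.certificate_file,
            )
            client_tls.send(expected)

        listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            listener.bind(('localhost', 0))
            listener.listen(1)
            eventlet.spawn(client, listener.getsockname())
            # Rebind so the outer finally closes whichever object currently
            # owns the fd (on Python 3, wrap_socket detaches it from the
            # plain socket).
            listener = context.wrap_socket(listener, server_side=True)
            peer, _ = listener.accept()
            try:
                assert peer.recv(64) == expected
            finally:
                peer.close()
        finally:
            listener.close()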