[Twisted-Python] Aborting a connection attempt when HTTPS client detected on HTTP only server?
Hi,

I have a probably small issue I need to solve:

There is some kind of client that tries an HTTPS connection first and falls back to HTTP if it does not work/times out, because the server does not support SSL. (Yes, I know that logic/procedure is kind of stupid from a security point of view, but sadly I cannot change it.)

When the server is proxied by Apache, this leads to immediate abortion of the connection, but when I connect directly to the server built with Twisted web module, it hangs until a timeout. The client in this case is some libcurl based C++ code using the Windows SChannel SSL API.

I now want to have it fail immediately with Twisted too, instead of waiting for the SSL layer on the client side to time out.

I found some patch that handles the inverse problem (detect HTTP to HTTPS port):
http://twistedmatrix.com/trac/ticket/490

Is there some pre-made solution, or would I have to hook into the connection setup of twisted.web and check the first few bytes for the signs of an SSL Handshake signature?

Michael

--
Michael Schlenker
Software Architect
CONTACT Software GmbH
Tel.: +49 (421) 20153-80
Fax: +49 (421) 20153-41
Wiener Straße 1-3, 28359 Bremen
http://www.contact.de/
E-Mail: msc@contact.de
Registered office: Bremen
Managing directors: Karl Heinz Zachries, Ralf Holtgrefe
Registered in the commercial register of the Bremen district court under HRB 13215

On Mon, Feb 11, 2013 at 9:24 AM, Michael Schlenker <msc@contact.de> wrote:
> Is there some pre-made solution, or would I have to hook into the connection setup of twisted.web and check the first few bytes for the signs of an SSL Handshake signature?

Subclassing the HTTP protocol class and just adding a check in dataReceived is probably the easiest thing to do, yes. Might be worth filing a ticket for this as well.

My guess is the logic would be something like "in dataReceived, if you've not hit first line, and any byte is non-ASCII, close connection", which has the nice property of being more general than just SSL. Or perhaps check what Apache does exactly.

--
Itamar Turner-Trauring, Future Foundries LLC
http://futurefoundries.com/ — Twisted consulting, training and support.

On 11.02.2013 15:51, Itamar Turner-Trauring wrote:
> On Mon, Feb 11, 2013 at 9:24 AM, Michael Schlenker <msc@contact.de> wrote:
>> Is there some pre-made solution, or would I have to hook into the connection setup of twisted.web and check the first few bytes for the signs of an SSL Handshake signature?
>
> Subclassing the HTTP protocol class and just adding a check in dataReceived is probably the easiest thing to do, yes. Might be worth filing a ticket for this as well.
>
> My guess is the logic would be something like "in dataReceived, if you've not hit first line, and any byte is non-ASCII, close connection", which has the nice property of being more general than just SSL. Or perhaps check what Apache does exactly.

Okay, solved it like this:

    from twisted.web import server, http

    class HTTPChannel(http.HTTPChannel):
        """
        HTTP Channel that recognizes connection attempts
        via non-HTTP and closes the connection in such cases.
        """

        def __init__(self):
            http.HTTPChannel.__init__(self)
            self.__request_line_received = False

        def lineReceived(self, line):
            self.__request_line_received = True
            http.HTTPChannel.lineReceived(self, line)

        def dataReceived(self, data):
            if not self.__request_line_received:
                # check for any binary garbage, e.g. not ASCII
                # e.g. ssl connection attempt
                try:
                    data.decode('ascii')
                except UnicodeDecodeError:
                    return self.transport.loseConnection()
            http.HTTPChannel.dataReceived(self, data)

    class Site(server.Site):
        protocol = HTTPChannel

Works fine. Thx for the suggestion to check for ASCII.

Michael
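
The first-bytes check discussed in this thread, as an added example that is not code from the thread or from Twisted. It goes beyond the non-ASCII test by recognising the TLS record header and the SSLv2-style hello directly (the leading TLS bytes 0x16 0x03 0x01 are themselves 7-bit); classify_first_bytes, its return labels and the sample byte strings are constructed for illustration.

```python
import re

TLS_HANDSHAKE = 0x16   # TLS record content type: handshake
CLIENT_HELLO = 0x01    # handshake message type: ClientHello
MAX_PLAINTEXT = 2**14  # largest TLSPlaintext record length (RFC 5246)
# Assumption: a request line looks like "METHOD SP target SP HTTP/x.y".
REQUEST_LINE = re.compile(rb"[A-Z]+ \S+ HTTP/\d\.\d\r?")


def classify_first_bytes(buf):
    """Classify bytes buffered before the request line is complete.

    Returns 'tls', 'sslv2', 'http', 'not_http' or 'need_more'.
    """
    # SSLv2-compatible ClientHello: 2-byte length with the high bit set,
    # followed by message type 1.
    if len(buf) >= 3 and buf[0] & 0x80 and buf[2] == CLIENT_HELLO:
        return "sslv2"
    if buf[:1] == bytes([TLS_HANDSHAKE]):
        if len(buf) < 6:
            return "need_more"  # record header not complete yet
        length = int.from_bytes(buf[3:5], "big")
        if (buf[1] == 3 and buf[2] <= 3 and 0 < length <= MAX_PLAINTEXT
                and buf[5] == CLIENT_HELLO):
            return "tls"
        return "not_http"
    if any(b >= 0x80 for b in buf):
        return "not_http"  # same outcome as the ASCII decode check
    line, newline, _ = buf.partition(b"\n")
    if not newline:
        return "need_more"  # request line still incomplete
    return "http" if REQUEST_LINE.fullmatch(line) else "not_http"


# Constructed sample inputs (not captured traffic).
SAMPLE_TLS = bytes.fromhex("160301002f0100002b0303")  # start of a TLS ClientHello
SAMPLE_SSLV2 = bytes.fromhex("802e0103010015")        # SSLv2-style hello
SAMPLE_HTTP = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    samples = (SAMPLE_TLS, SAMPLE_TLS[:3], SAMPLE_SSLV2, SAMPLE_HTTP, b"GET / HT")
    for sample in samples:
        print(sample[:12], "->", classify_first_bytes(sample))
```

Called from dataReceived on the bytes buffered before the first request line, any result other than 'http' or 'need_more' is the signal to call transport.loseConnection().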