TLSServer: certificate one request behind...
Fabiano Sidler
fabianosidler at swissonline.ch
Wed Mar 14 16:12:57 EDT 2018
Thus wrote Fabiano Sidler:
> What's the reason for this? Please find attached my TLSServer.
Oh, sorry...! Apparently, the attachment has been stripped. Here inline:
=== tlsserver.py ===
from socketserver import ThreadingTCPServer,StreamRequestHandler
import ssl
class TLSServer(ThreadingTCPServer):
def __init__(self, *args, **kwargs):
super(TLSServer, self).__init__(*args, **kwargs)
ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
ctx.set_servername_callback(self.servername_callback)
ctx.check_hostname = False
self._ctx = ctx
def get_request(self):
s,a = super(TLSServer, self).get_request()
s = self._ctx.wrap_socket(s, server_side=True)
return s,a
def servername_callback(self, sock, req_hostname, cb_context):
return ssl.ALERT_DESCRIPTION_INTERNAL_ERROR
from OpenSSL import crypto as x509
from tempfile import NamedTemporaryFile
class SelfSigningServer(TLSServer):
def servername_callback(self, sock, req_hostname, cb_context):
key = x509.PKey()
key.generate_key(x509.TYPE_RSA, 2048)
cert = x509.X509()
subj = cert.get_subject()
subj.C = 'CH'
subj.ST = 'ZH'
subj.L = 'Zurich'
subj.O = 'ACME Inc.'
subj.OU = 'IT dept.'
subj.CN = req_hostname
cert.set_version(0x02)
cert.set_serial_number(1000)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(10*365*24*60*60)
cert.set_issuer(subj)
cert.set_pubkey(key)
cert.sign(key, 'sha256')
certfile = NamedTemporaryFile()
keyfile = NamedTemporaryFile()
certfile.write(x509.dump_certificate(x509.FILETYPE_PEM, cert))
keyfile.write(x509.dump_privatekey(x509.FILETYPE_PEM, key))
certfile.seek(0)
keyfile.seek(0)
cb_context.load_cert_chain(certfile=certfile.name, keyfile=keyfile.name)
cb_context.set_servername_callback(self.servername_callback)
sock.context = cb_context
certfile.close()
keyfile.close()
class SelfSigningHandler(StreamRequestHandler):
def handle(self):
self.wfile.write(b'Hello World!\r\n')
server = SelfSigningServer(('localhost',1234), SelfSigningHandler)
server.serve_forever()
=== tlsserver.py ===
Thanks again!
More information about the Python-list
mailing list