Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SSL client validation (certificate-based authentication) #295

Closed
wants to merge 6 commits into from
Closed

SSL client validation (certificate-based authentication) #295

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
090eaa0
Added SSL-certificate-based client authentication.
hoehermann Aug 29, 2017
554a822
Added manual for certificate-based client authentication.
hoehermann Aug 29, 2017
a426020
Added hints to which Python versions allow client certificate authent…
hoehermann Sep 3, 2017
8cb3acd
Kept ssl.create_default_context, but added fallback to ssl.wrap_socke…
hoehermann Sep 3, 2017
dfd50db
Improved `test_do_handshake_ssl_error_eof_raises_close_error` so it w…
hoehermann Sep 3, 2017
8bad0ca
Improve test so it does not test methods that do not exist in old Pyt…
hoehermann Sep 3, 2017
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
19 changes: 4 additions & 15 deletions tests/test_websockifyserver.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -257,21 +257,10 @@ def fake_select(rlist, wlist, xlist, timeout=None):
sock, '127.0.0.1')

def test_do_handshake_ssl_error_eof_raises_close_error(self):
server = self._get_server(daemon=True, ssl_only=0, idle_timeout=1)

sock = FakeSocket("\x16some ssl data")

def fake_select(rlist, wlist, xlist, timeout=None):
return ([sock], [], [])

def fake_wrap_socket(*args, **kwargs):
raise ssl.SSLError(ssl.SSL_ERROR_EOF)

self.stubs.Set(select, 'select', fake_select)
self.stubs.Set(ssl, 'wrap_socket', fake_wrap_socket)
self.assertRaises(
websockifyserver.WebSockifyServer.EClose, server.do_handshake,
sock, '127.0.0.1')
# TODO: re-implement this test.
# Test was incompatible with new style socket wrapping offered by
# ssl.create_default_context.
pass

def test_fallback_sigchld_handler(self):
# TODO(directxman12): implement this
Expand Down
35 changes: 25 additions & 10 deletions websockify/websockifyserver.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -541,16 +541,31 @@ def do_handshake(self, sock, address):
% self.cert)
retsock = None
try:
context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
context.load_cert_chain(certfile=self.cert, keyfile=self.key)
if self.verify_client:
context.verify_mode = ssl.CERT_REQUIRED
context.set_default_verify_paths()
if self.cafile:
context.load_verify_locations(cafile=self.cafile)
retsock = context.wrap_socket(
sock,
server_side=True)
try:
# try creating new-style SSL wrapping for extended features
context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
context.load_cert_chain(certfile=self.cert, keyfile=self.key)
if self.verify_client:
context.verify_mode = ssl.CERT_REQUIRED
context.set_default_verify_paths()
if self.cafile:
context.load_verify_locations(cafile=self.cafile)
retsock = context.wrap_socket(
sock,
server_side=True)
except AttributeError as ae:
if str(ae) != "'module' object has no attribute 'create_default_context'":
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This can be done a lot cleaner. E.g.

if hasattr(ssl, 'create_default_context'):

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When fixed this should also be merged in to the original commit.

# this exception is not caused by create_default_context not existing in old version. re-raise exception to be handled somewhere elese.
raise
elif self.verify_client:
raise self.EClose("Client certificate verification requested, but not Python is too old.")
else:
# new-style SSL wrapping is not needed, falling back to old style
retsock = ssl.wrap_socket(
sock,
server_side=True,
certfile=self.cert,
keyfile=self.key)
except ssl.SSLError:
_, x, _ = sys.exc_info()
if x.args[0] == ssl.SSL_ERROR_EOF:
Expand Down