TLSServer: certificate one request behind...

Fabiano Sidler fabianosidler at swissonline.ch
Wed Mar 14 16:12:57 EDT 2018 

Thus wrote Fabiano Sidler:
> What's the reason for this? Please find attached my TLSServer.

Oh, sorry...! Apparently, the attachment has been stripped. Here inline:

=== tlsserver.py ===
from socketserver import ThreadingTCPServer,StreamRequestHandler
import ssl

class TLSServer(ThreadingTCPServer):
	def __init__(self, *args, **kwargs):
		super(TLSServer, self).__init__(*args, **kwargs)
		ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
		ctx.set_servername_callback(self.servername_callback)
		ctx.check_hostname = False
		self._ctx = ctx
	def get_request(self):
		s,a = super(TLSServer, self).get_request()
		s = self._ctx.wrap_socket(s, server_side=True)
		return s,a
	def servername_callback(self, sock, req_hostname, cb_context):
		return ssl.ALERT_DESCRIPTION_INTERNAL_ERROR


from OpenSSL import crypto as x509
from tempfile import NamedTemporaryFile

class SelfSigningServer(TLSServer):
	def servername_callback(self, sock, req_hostname, cb_context):
		key = x509.PKey()
		key.generate_key(x509.TYPE_RSA, 2048)
		cert = x509.X509()
		subj = cert.get_subject()
		subj.C  = 'CH'
		subj.ST = 'ZH'
		subj.L  = 'Zurich'
		subj.O  = 'ACME Inc.'
		subj.OU = 'IT dept.'
		subj.CN = req_hostname
		cert.set_version(0x02)
		cert.set_serial_number(1000)
		cert.gmtime_adj_notBefore(0)
		cert.gmtime_adj_notAfter(10*365*24*60*60)
		cert.set_issuer(subj)
		cert.set_pubkey(key)
		cert.sign(key, 'sha256')
		certfile = NamedTemporaryFile()
		keyfile = NamedTemporaryFile()
		certfile.write(x509.dump_certificate(x509.FILETYPE_PEM, cert))
		keyfile.write(x509.dump_privatekey(x509.FILETYPE_PEM, key))
		certfile.seek(0)
		keyfile.seek(0)
		cb_context.load_cert_chain(certfile=certfile.name, keyfile=keyfile.name)
		cb_context.set_servername_callback(self.servername_callback)
		sock.context = cb_context
		certfile.close()
		keyfile.close()

class SelfSigningHandler(StreamRequestHandler):
	def handle(self):
		self.wfile.write(b'Hello World!\r\n')

server = SelfSigningServer(('localhost',1234), SelfSigningHandler)
server.serve_forever()
=== tlsserver.py ===

Thanks again!

More information about the Python-list mailing list