authorJason R. Coombs <jaraco@jaraco.com>2016-04-30 10:59:06 -0400
committerJason R. Coombs <jaraco@jaraco.com>2016-04-30 10:59:06 -0400
commit7bc33ae668c8a62c6540f310f15f3374c4bb2649 (patch)
tree9b3f56382a8271a7dc374425e1cac25ec6c89684
parentb0da3ad4f852d58402532c9fc016f480243cb8c8 (diff)
parentd4620e07ea73cddd1b7d01374c7a2b44432f7627 (diff)
downloadcherrypy-7bc33ae668c8a62c6540f310f15f3374c4bb2649.tar.gz
Merge https://bitbucket.org/cherrypy/cherrypy/pull-requests/99
-rw-r--r--CHANGES.txt3
-rw-r--r--cherrypy/wsgiserver/ssl_builtin.py25
2 files changed, 22 insertions, 6 deletions
diff --git a/CHANGES.txt b/CHANGES.txt
index a3c62069..d2a369fd 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -1,8 +1,9 @@
-5.2.1
+5.3.0
-----
* #1202: Add support for specifying a certificate authority when
serving SSL using the built-in SSL support.
+* Use ssl.create_default_context when available.
5.2.0
-----
diff --git a/cherrypy/wsgiserver/ssl_builtin.py b/cherrypy/wsgiserver/ssl_builtin.py
index 4827b424..3faf7039 100644
--- a/cherrypy/wsgiserver/ssl_builtin.py
+++ b/cherrypy/wsgiserver/ssl_builtin.py
@@ -36,6 +36,11 @@ class BuiltinSSLAdapter(wsgiserver.SSLAdapter):
certificate_chain = None
"""The filename of the certificate chain file."""
+
+ """The ssl.SSLContext that will be used to wrap sockets where available
+ (on Python > 2.7.9 / 3.3)
+ """
+ context = None
def __init__(self, certificate, private_key, certificate_chain=None):
if ssl is None:
@@ -43,6 +48,12 @@ class BuiltinSSLAdapter(wsgiserver.SSLAdapter):
self.certificate = certificate
self.private_key = private_key
self.certificate_chain = certificate_chain
+ if hasattr(ssl, 'create_default_context'):
+ self.context = ssl.create_default_context(
+ purpose=ssl.Purpose.CLIENT_AUTH,
+ cafile=certificate_chain
+ )
+ self.context.load_cert_chain(certificate, private_key)
def bind(self, sock):
"""Wrap and return the given socket."""
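Review bot: The CA file handed to `cafile=certificate_chain` in the new `create_default_context` call is loaded into the context but never consulted, because `ssl.create_default_context` only switches `verify_mode` to `CERT_REQUIRED` for `Purpose.SERVER_AUTH`; for `Purpose.CLIENT_AUTH` it stays at `CERT_NONE`, so the server still accepts any client, with or without a certificate. If the #1202 intent of "specifying a certificate authority" is to authenticate clients, the constructor should add, after `load_cert_chain`, something like `if certificate_chain: self.context.verify_mode = ssl.CERT_REQUIRED` (or `CERT_OPTIONAL`, if unauthenticated clients are meant to be allowed through), unless a caller is expected to set that on the exposed `context` attribute. This matches the old `wrap_socket` default rather than regressing it, but it deserves a comment either way, since the attribute is documented as a certificate chain file while it is actually used as the trust store for peer verification. `__init__` starts before the hunk.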
@@ -51,11 +62,15 @@ class BuiltinSSLAdapter(wsgiserver.SSLAdapter):
def wrap(self, sock):
"""Wrap and return the given socket, plus WSGI environ entries."""
try:
- s = ssl.wrap_socket(sock, do_handshake_on_connect=True,
- server_side=True, certfile=self.certificate,
- keyfile=self.private_key,
- ssl_version=ssl.PROTOCOL_SSLv23,
- ca_certs=self.certificate_chain)
+ if self.context is not None:
+ s = self.context.wrap_socket(sock,do_handshake_on_connect=True,
+ server_side=True)
+ else:
+ s = ssl.wrap_socket(sock, do_handshake_on_connect=True,
+ server_side=True, certfile=self.certificate,
+ keyfile=self.private_key,
+ ssl_version=ssl.PROTOCOL_SSLv23,
+ ca_certs=self.certificate_chain)
except ssl.SSLError:
e = sys.exc_info()[1]
if e.errno == ssl.SSL_ERROR_EOF:
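Review bot: The new `self.context.wrap_socket(sock,do_handshake_on_connect=True,` line is missing the space after the first comma (PEP 8 E231), and both branches now repeat `do_handshake_on_connect=True, server_side=True`; the simplest fix is `s = self.context.wrap_socket(sock, do_handshake_on_connect=True,` with the continuation aligned to the opening parenthesis as in the fallback branch. Note that the fallback keeps `ssl_version=ssl.PROTOCOL_SSLv23` with no `OP_NO_SSLv2`/`OP_NO_SSLv3`; on interpreters that have `ssl.SSLContext` but not `create_default_context` (3.2/3.3, per the "> 2.7.9 / 3.3" comment) a manually configured context could still disable SSLv3 — worth a comment on the `else:` branch stating that old interpreters get the weaker defaults. The `wrap` method continues past the end of this hunk.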