authorKieran Hall <kieranh5511>2015-05-21 19:40:10 +0000
committerKieran Hall <kieranh5511>2015-05-21 19:40:10 +0000
commitd4620e07ea73cddd1b7d01374c7a2b44432f7627 (patch)
tree10e3677a8e0b3031e0fed9e299a0bc66b46bffbb
parent1a24e561595addb4cb6263e46d190e412ce37b8f (diff)
downloadcherrypy-d4620e07ea73cddd1b7d01374c7a2b44432f7627.tar.gz
Use SSLContext to wrap sockets where available
-rw-r--r--cherrypy/wsgiserver/ssl_builtin.py23
1 files changed, 19 insertions, 4 deletions
diff --git a/cherrypy/wsgiserver/ssl_builtin.py b/cherrypy/wsgiserver/ssl_builtin.py
index 2c74ad84..b6bec0ba 100644
--- a/cherrypy/wsgiserver/ssl_builtin.py
+++ b/cherrypy/wsgiserver/ssl_builtin.py
@@ -33,6 +33,11 @@ class BuiltinSSLAdapter(wsgiserver.SSLAdapter):
private_key = None
"""The filename of the server's private key file."""
+
+ """The ssl.SSLContext that will be used to wrap sockets where available
+ (on Python > 2.7.9 / 3.3)
+ """
+ context = None
def __init__(self, certificate, private_key, certificate_chain=None):
if ssl is None:
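Review bot: The new string literal for `context` sits above the assignment, whereas the existing attributes in this class document themselves with a string placed directly after the assignment (see `private_key = None` followed by its docstring just above), so the new text should be moved below `context = None` to match; as written it is just a dangling expression statement between the `private_key` docstring and the new attribute. The version note in that text is also off: `ssl.create_default_context` appeared in Python 2.7.9 and 3.4, not 3.3, so `(on Python > 2.7.9 / 3.3)` should read `(Python 2.7.9+ / 3.4+)`. The class body continues outside this hunk.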
@@ -40,6 +45,12 @@ class BuiltinSSLAdapter(wsgiserver.SSLAdapter):
self.certificate = certificate
self.private_key = private_key
self.certificate_chain = certificate_chain
+ if hasattr(ssl, 'create_default_context'):
+ self.context = ssl.create_default_context(
+ purpose=ssl.Purpose.CLIENT_AUTH,
+ cafile=certificate_chain
+ )
+ self.context.load_cert_chain(certificate, private_key)
def bind(self, sock):
"""Wrap and return the given socket."""
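Review bot: `certificate_chain` is handed to `ssl.create_default_context` as `cafile`, which loads the file as trust anchors for verifying the peer, not as the intermediate chain the server presents to clients; with `purpose=ssl.Purpose.CLIENT_AUTH` the context keeps `verify_mode = CERT_NONE`, so that trust store is never consulted and the chain is still not sent. If `certificate_chain` is meant to be the server's chain file (its name suggests so; its docstring is outside this hunk), the intermediates belong in the file passed as `certfile` to `self.context.load_cert_chain(certificate, private_key)`, and `cafile=` should only be used once client-certificate verification is actually enabled. Note also that `load_cert_chain` now raises from `__init__` when the files are unreadable, where the pre-existing `ssl.wrap_socket` path deferred that failure to `wrap`; a one-line comment such as `# Fails fast here on a bad cert/key instead of at first connection` would make the intended change explicit. `__init__` begins outside this hunk.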
@@ -48,10 +59,14 @@ class BuiltinSSLAdapter(wsgiserver.SSLAdapter):
def wrap(self, sock):
"""Wrap and return the given socket, plus WSGI environ entries."""
try:
- s = ssl.wrap_socket(sock, do_handshake_on_connect=True,
- server_side=True, certfile=self.certificate,
- keyfile=self.private_key,
- ssl_version=ssl.PROTOCOL_SSLv23)
+ if self.context is not None:
+ s = self.context.wrap_socket(sock,do_handshake_on_connect=True,
+ server_side=True)
+ else:
+ s = ssl.wrap_socket(sock, do_handshake_on_connect=True,
+ server_side=True, certfile=self.certificate,
+ keyfile=self.private_key,
+ ssl_version=ssl.PROTOCOL_SSLv23)
except ssl.SSLError:
e = sys.exc_info()[1]
if e.errno == ssl.SSL_ERROR_EOF:
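Review bot: `self.context.wrap_socket(sock,do_handshake_on_connect=True,` is missing the space after the comma that every other call in this hunk has; write `s = self.context.wrap_socket(sock, do_handshake_on_connect=True,`. The two branches are not equivalent in hardening either: the context branch inherits the protocol and option defaults that `create_default_context` applies, while the fallback still uses bare `ssl.wrap_socket` with `ssl_version=ssl.PROTOCOL_SSLv23` and no way to set options, so a comment on the `else:` such as `# Legacy path (no SSLContext): relies on the interpreter's wrap_socket defaults` would tell a maintainer that only the first branch benefits from the new defaults. The `except` handler and the rest of `wrap` continue past the end of this hunk.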