author | Kieran Hall <kieranh5511> | 2015-05-21 19:40:10 +0000 |
---|---|---|
committer | Kieran Hall <kieranh5511> | 2015-05-21 19:40:10 +0000 |
commit | d4620e07ea73cddd1b7d01374c7a2b44432f7627 (patch) | |
tree | 10e3677a8e0b3031e0fed9e299a0bc66b46bffbb | |
parent | 1a24e561595addb4cb6263e46d190e412ce37b8f (diff) | |
download | cherrypy-d4620e07ea73cddd1b7d01374c7a2b44432f7627.tar.gz |
Use SSLContext to wrap sockets where available
-rw-r--r-- | cherrypy/wsgiserver/ssl_builtin.py | 23 |
1 files changed, 19 insertions, 4 deletions
diff --git a/cherrypy/wsgiserver/ssl_builtin.py b/cherrypy/wsgiserver/ssl_builtin.py
index 2c74ad84..b6bec0ba 100644
--- a/cherrypy/wsgiserver/ssl_builtin.py
+++ b/cherrypy/wsgiserver/ssl_builtin.py
@@ -33,6 +33,11 @@ class BuiltinSSLAdapter(wsgiserver.SSLAdapter):
 private_key = None
 """The filename of the server's private key file."""
+
+ """The ssl.SSLContext that will be used to wrap sockets where available
+ (on Python > 2.7.9 / 3.3)
+ """
+ context = None
 def __init__(self, certificate, private_key, certificate_chain=None):
 if ssl is None:
@@ -40,6 +45,12 @@ class BuiltinSSLAdapter(wsgiserver.SSLAdapter):
 self.certificate = certificate
 self.private_key = private_key
 self.certificate_chain = certificate_chain
+ if hasattr(ssl, 'create_default_context'):
+ self.context = ssl.create_default_context(
+ purpose=ssl.Purpose.CLIENT_AUTH,
+ cafile=certificate_chain
+ )
+ self.context.load_cert_chain(certificate, private_key)
 def bind(self, sock):
 """Wrap and return the given socket."""
@@ -48,10 +59,14 @@ class BuiltinSSLAdapter(wsgiserver.SSLAdapter):
 def wrap(self, sock):
 """Wrap and return the given socket, plus WSGI environ entries."""
 try:
- s = ssl.wrap_socket(sock, do_handshake_on_connect=True,
- server_side=True, certfile=self.certificate,
- keyfile=self.private_key,
- ssl_version=ssl.PROTOCOL_SSLv23)
+ if self.context is not None:
+ s = self.context.wrap_socket(sock,do_handshake_on_connect=True,
+ server_side=True)
+ else:
+ s = ssl.wrap_socket(sock, do_handshake_on_connect=True,
+ server_side=True, certfile=self.certificate,
+ keyfile=self.private_key,
+ ssl_version=ssl.PROTOCOL_SSLv23)
 except ssl.SSLError:
 e = sys.exc_info()[1]
 if e.errno == ssl.SSL_ERROR_EOF:
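Review bot: `cafile=certificate_chain` in the new `__init__` lines hands the value to `create_default_context` as a trust store for verifying peer certificates, which is not how a server presents its own chain; with `Purpose.CLIENT_AUTH` the context keeps `verify_mode` at `CERT_NONE`, so (assuming `certificate_chain` holds the server's intermediates, as its name suggests) the argument is never sent to clients and only takes effect if verification is later enabled. `load_cert_chain` reads intermediates from the `certfile` itself, so I would drop the argument, `self.context = ssl.create_default_context(purpose=ssl.Purpose.CLIENT_AUTH)`, and state in the `context` attribute docstring that any intermediates must be appended to the `certificate` file. Loading the key pair in `__init__` also moves `ssl.SSLError`/`IOError` for a bad certificate or key path from `wrap()` to construction time, which the docstring should say if that is intended. Two style points: the new attribute docstring sits above `context = None` whereas the file's convention (see `private_key = None`) places it below the assignment, and `wrap_socket(sock,do_handshake_on_connect=True,` wants a space after the comma. `__init__` begins in the preceding hunk and `wrap` continues past the last one.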