author | Jason R. Coombs <jaraco@jaraco.com> | 2016-04-30 11:45:18 -0400 |
---|---|---|
committer | Jason R. Coombs <jaraco@jaraco.com> | 2016-04-30 11:45:18 -0400 |
commit | baf1cfad6a76e98adc078f36a70a5ceecd6138fb (patch) | |
tree | 61ccef2f4f66a3fb56863db1d03098deb24c4439 /cherrypy/wsgiserver/ssl_builtin.py | |
parent | 32a163ca17e1c3d78945ad2214e6c1fb5a8e0bf1 (diff) | |
parent | 7f77d77d18234382582c8a3a3e2a526841e900ba (diff) | |
Merge https://bitbucket.org/cherrypy/cherrypy/pull-requests/125/
Diffstat (limited to 'cherrypy/wsgiserver/ssl_builtin.py')
-rw-r--r-- | cherrypy/wsgiserver/ssl_builtin.py | 27 |
1 files changed, 23 insertions, 4 deletions
diff --git a/cherrypy/wsgiserver/ssl_builtin.py b/cherrypy/wsgiserver/ssl_builtin.py
index 2c74ad84..3faf7039 100644
--- a/cherrypy/wsgiserver/ssl_builtin.py
+++ b/cherrypy/wsgiserver/ssl_builtin.py
@@ -33,6 +33,14 @@ class BuiltinSSLAdapter(wsgiserver.SSLAdapter):
 private_key = None
 """The filename of the server's private key file."""
+
+ certificate_chain = None """The filename of the certificate chain file."""
+
+ """The ssl.SSLContext that will be used to wrap sockets where available (on Python > 2.7.9 / 3.3) """
+ context = None
 def __init__(self, certificate, private_key, certificate_chain=None):
 if ssl is None:
@@ -40,6 +48,12 @@ class BuiltinSSLAdapter(wsgiserver.SSLAdapter):
 self.certificate = certificate
 self.private_key = private_key
 self.certificate_chain = certificate_chain
+ if hasattr(ssl, 'create_default_context'):
+ self.context = ssl.create_default_context( purpose=ssl.Purpose.CLIENT_AUTH, cafile=certificate_chain )
+ self.context.load_cert_chain(certificate, private_key)
 def bind(self, sock):
 """Wrap and return the given socket."""
@@ -48,10 +62,15 @@ class BuiltinSSLAdapter(wsgiserver.SSLAdapter):
 def wrap(self, sock):
 """Wrap and return the given socket, plus WSGI environ entries."""
 try:
- s = ssl.wrap_socket(sock, do_handshake_on_connect=True,
- server_side=True, certfile=self.certificate,
- keyfile=self.private_key,
- ssl_version=ssl.PROTOCOL_SSLv23)
+ if self.context is not None:
+ s = self.context.wrap_socket(sock,do_handshake_on_connect=True, server_side=True)
+ else:
+ s = ssl.wrap_socket(sock, do_handshake_on_connect=True, server_side=True, certfile=self.certificate, keyfile=self.private_key, ssl_version=ssl.PROTOCOL_SSLv23, ca_certs=self.certificate_chain)
 except ssl.SSLError:
 e = sys.exc_info()[1]
 if e.errno == ssl.SSL_ERROR_EOF: |
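Review bot: In the first hunk the string describing the SSL context is placed before `context = None`, so it reads as a stray expression statement rather than the attribute's documentation, unlike `private_key` and `certificate_chain`, which put the string after the assignment. Keep the class's own convention: `context = None` followed by `"""The ssl.SSLContext used to wrap sockets where available (Python >= 2.7.9 / 3.3); None when the legacy ssl.wrap_socket path is used."""`. The class body continues outside the hunk.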
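Review bot: In the `__init__` hunk, `certificate_chain` is handed to `ssl.create_default_context` as `cafile=`, which installs it as the trust store for verifying peer (client) certificates, while the chain the server actually presents comes only from `load_cert_chain(certificate, private_key)`; the fallback in the `wrap` hunk does the same with `ca_certs=self.certificate_chain`. If that file holds the server's intermediate certificates, as the new attribute docstring suggests, they are not sent to clients unless they are also concatenated into `certificate`, and because a `CLIENT_AUTH` context keeps `verify_mode` at `CERT_NONE` (and the fallback passes no `cert_reqs`), the CA file appears to have no effect on the handshake at all. Either load a combined leaf-plus-intermediates file as the first argument of `load_cert_chain`, or document the attribute as what the code makes it, e.g. `"""CA bundle used to verify client certificates; intermediates the server must present belong in `certificate`."""`. Both `__init__` and `wrap` continue outside their hunks.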