authorJason R. Coombs <jaraco@jaraco.com>2016-04-30 11:45:18 -0400
committerJason R. Coombs <jaraco@jaraco.com>2016-04-30 11:45:18 -0400
commitbaf1cfad6a76e98adc078f36a70a5ceecd6138fb (patch)
tree61ccef2f4f66a3fb56863db1d03098deb24c4439 /cherrypy/wsgiserver/ssl_builtin.py
parent32a163ca17e1c3d78945ad2214e6c1fb5a8e0bf1 (diff)
parent7f77d77d18234382582c8a3a3e2a526841e900ba (diff)
Merge https://bitbucket.org/cherrypy/cherrypy/pull-requests/125/
Diffstat (limited to 'cherrypy/wsgiserver/ssl_builtin.py')
-rw-r--r--cherrypy/wsgiserver/ssl_builtin.py27
1 files changed, 23 insertions, 4 deletions
diff --git a/cherrypy/wsgiserver/ssl_builtin.py b/cherrypy/wsgiserver/ssl_builtin.py
index 2c74ad84..3faf7039 100644
--- a/cherrypy/wsgiserver/ssl_builtin.py
+++ b/cherrypy/wsgiserver/ssl_builtin.py
@@ -33,6 +33,14 @@ class BuiltinSSLAdapter(wsgiserver.SSLAdapter):
private_key = None
"""The filename of the server's private key file."""
+
+ certificate_chain = None
+ """The filename of the certificate chain file."""
+
+ """The ssl.SSLContext that will be used to wrap sockets where available
+ (on Python > 2.7.9 / 3.3)
+ """
+ context = None
def __init__(self, certificate, private_key, certificate_chain=None):
if ssl is None:
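Review bot: The docstring for the new `context` attribute on lines 29–31 is placed before `context = None`, whereas `private_key` and `certificate_chain` put their docstring after the assignment, which is the attribute-docstring convention documentation tools recognise; move the string below `context = None`. While moving it, state what the attribute holds when the context API is absent, since `__init__` only assigns it conditionally: `"""The ssl.SSLContext used to wrap sockets where available (Python > 2.7.9 / 3.3); stays None when ssl.create_default_context is unavailable."""`. The enclosing class continues outside the hunk.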
@@ -40,6 +48,12 @@ class BuiltinSSLAdapter(wsgiserver.SSLAdapter):
self.certificate = certificate
self.private_key = private_key
self.certificate_chain = certificate_chain
+ if hasattr(ssl, 'create_default_context'):
+ self.context = ssl.create_default_context(
+ purpose=ssl.Purpose.CLIENT_AUTH,
+ cafile=certificate_chain
+ )
+ self.context.load_cert_chain(certificate, private_key)
def bind(self, sock):
"""Wrap and return the given socket."""
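Review bot: On line 42 the `certificate_chain` file is passed as `cafile`, which makes `create_default_context` load it as trust anchors for peer verification, while `load_cert_chain(certificate, private_key)` on line 44 presents only what the `certificate` file contains; if `certificate_chain` is meant to hold the intermediates the server sends to clients, they will not be sent unless they are appended to `certificate`, and a comment should say which meaning is intended. With `Purpose.CLIENT_AUTH` the context's default `verify_mode` is `CERT_NONE`, so the loaded CA file is not used to verify clients unless a caller later sets `verify_mode` on `self.context` — worth stating so the parameter is not read as enabling client-certificate verification. Suggested comment above line 39: `# Server-side context; certificate_chain is loaded as CA trust anchors (not sent to clients) and client certs are not required by default.` The enclosing `__init__` starts outside the hunk.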
@@ -48,10 +62,15 @@ class BuiltinSSLAdapter(wsgiserver.SSLAdapter):
def wrap(self, sock):
"""Wrap and return the given socket, plus WSGI environ entries."""
try:
- s = ssl.wrap_socket(sock, do_handshake_on_connect=True,
- server_side=True, certfile=self.certificate,
- keyfile=self.private_key,
- ssl_version=ssl.PROTOCOL_SSLv23)
+ if self.context is not None:
+ s = self.context.wrap_socket(sock,do_handshake_on_connect=True,
+ server_side=True)
+ else:
+ s = ssl.wrap_socket(sock, do_handshake_on_connect=True,
+ server_side=True, certfile=self.certificate,
+ keyfile=self.private_key,
+ ssl_version=ssl.PROTOCOL_SSLv23,
+ ca_certs=self.certificate_chain)
except ssl.SSLError:
e = sys.exc_info()[1]
if e.errno == ssl.SSL_ERROR_EOF:
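Review bot: Line 56 is missing the space after the comma in `wrap_socket(sock,do_handshake_on_connect=True,`, and the continuation on line 57 is not aligned with the opening parenthesis the way the fallback branch on lines 59–63 is; change it to `s = self.context.wrap_socket(sock, do_handshake_on_connect=True,` with `server_side=True)` aligned under `sock`. The fallback branch adds `ca_certs=self.certificate_chain` without a `cert_reqs` argument, so `ssl.wrap_socket`'s default of `CERT_NONE` means the file is loaded but no client certificate is requested in either branch; if that is intended, a short comment on line 63 such as `# ca_certs is loaded but cert_reqs defaults to CERT_NONE: clients are not verified` would prevent it being read as client verification. `wrap`'s body continues past the end of the hunk.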