#
#
-# Copyright (C) 2007, 2008 Google Inc.
+# Copyright (C) 2007, 2008, 2010 Google Inc.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
"""
self.ssl_key_pem = utils.ReadFile(ssl_key_path)
self.ssl_cert_pem = utils.ReadFile(ssl_cert_path)
+ self.ssl_cert_path = ssl_cert_path
def GetKey(self):
return OpenSSL.crypto.load_privatekey(OpenSSL.crypto.FILETYPE_PEM,
self._ssl_key = None
self._ssl_cert = None
- def _CreateSocket(self, ssl_params, ssl_verify_peer):
+ def _CreateSocket(self, ssl_params, ssl_verify_peer, family):
"""Creates a TCP socket and initializes SSL if needed.
@type ssl_params: HttpSslParams
@type ssl_verify_peer: bool
@param ssl_verify_peer: Whether to require client certificate
and compare it with our certificate
+ @type family: int
+ @param family: socket.AF_INET | socket.AF_INET6
"""
- self._ssl_params = ssl_params
+ assert family in (socket.AF_INET, socket.AF_INET6)
- sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ self._ssl_params = ssl_params
+ sock = socket.socket(family, socket.SOCK_STREAM)
# Should we enable SSL?
self.using_ssl = ssl_params is not None
ctx = OpenSSL.SSL.Context(OpenSSL.SSL.SSLv23_METHOD)
ctx.set_options(OpenSSL.SSL.OP_NO_SSLv2)
+ ciphers = self.GetSslCiphers()
+ logging.debug("Setting SSL cipher string %s", ciphers)
+ ctx.set_cipher_list(ciphers)
+
ctx.use_privatekey(self._ssl_key)
ctx.use_certificate(self._ssl_cert)
ctx.check_privatekey()
OpenSSL.SSL.VERIFY_FAIL_IF_NO_PEER_CERT,
self._SSLVerifyCallback)
+ # Also add our certificate as a trusted CA to be sent to the client.
+ # This is required at least for GnuTLS clients to work.
+ try:
+ # This will fail for PyOpenssl versions before 0.10
+ ctx.add_client_ca(self._ssl_cert)
+ except AttributeError:
+ # Fall back to letting OpenSSL read the certificate file directly.
+ ctx.load_client_ca(ssl_params.ssl_cert_path)
+
return OpenSSL.SSL.Connection(ctx, sock)
+ def GetSslCiphers(self): # pylint: disable-msg=R0201
+ """Returns the ciphers string for SSL.
+
+ """
+ return constants.OPENSSL_CIPHERS
+
def _SSLVerifyCallback(self, conn, cert, errnum, errdepth, ok):
"""Verify the certificate provided by the peer