[Twisted-web] Enforcing SSL for non-SSL requests

Marek Habersack grendel at caudium.net
Tue Aug 9 17:26:57 MDT 2005


Hello everybody,
 
  I'm trying to find a way for a Nevow-based application to enforce an SSL
connection on the client when they come in using insecure HTTP. Currently
when the client comes in using a http://site.com URL typed in the browser,
they will get no error and no response from the server as the connection is
closed. The application log reveals the following:

2005/08/09 12:12 CEST [HTTPChannel,0,127.0.0.1] Traceback (most recent call last):
 File "/usr/local/lib/python2.4/site-packages/twisted/python/log.py", line 56, in callWithLogger
  return callWithContext({"system": lp}, func, *args, **kw)
 File "/usr/local/lib/python2.4/site-packages/twisted/python/log.py", line 41, in callWithContext
  return context.call({ILogContext: newCtx}, func, *args, **kw)
 File "/usr/local/lib/python2.4/site-packages/twisted/python/context.py", line 31, in callWithContext
  return func(*args,**kw)
 File "/usr/local/lib/python2.4/site-packages/twisted/internet/pollreactor.py", line 160, in _doReadOrWrite
  why = selectable.doRead()
 --- <exception caught here> ---
 File "/usr/local/lib/python2.4/site-packages/twisted/internet/tcp.py", line 111, in doRead
  return Connection.doRead(self)
 File "/usr/local/lib/python2.4/site-packages/twisted/internet/tcp.py", line 343, in doRead
  data = self.socket.recv(self.bufferSize)
 OpenSSL.SSL.Error: [('SSL routines', 'SSL23_GET_CLIENT_HELLO', 'http request')]

The error above is obvious and the solution would be to either redirect the
client to https://site.com or present them with some information that the
site requires secure connections and have them click a link that would send
them to https://site.com. My meager knowledge of Twisted/Nevow tells me that
it isn't possible to subclass the Connection class to handle the situation
in some generic way without having to rewrite parts of Twisted. Ideally, it
should be possible to be able to handle that situation by either providing a
handler for the exception to the SSLServer object (which is the class I'm
using) or by subclassing SSLServer or, perhaps, by putting the code to
handle the situation deeper inside Twisted so that the solution is more
generic and not limited to SSLServer. It is entirely possible that such a
solution already exists and I'm simply not aware of it :) - I would
appreciate any help/hints/pointers/rtfms on the issue,

tia,

marek
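The failure described in the post, a plaintext HTTP request arriving on a TLS listener and being dropped with an OpenSSL error, can be handled generically if the server looks at the first bytes of a new connection before handing it to the TLS layer: a TLS ClientHello starts with a handshake record header (0x16 0x03 ...), while a plaintext request starts with an HTTP method token. The following is an added, stdlib-only example (not Twisted's or Nevow's own code, and not part of the original message) that implements that classification and builds the 301 redirect to the https:// URL the poster asks for. The function names, the hypothetical `https_port` parameter and the sample request bytes are constructed for illustration.

```python
"""Distinguish a TLS ClientHello from a plaintext HTTP request on a TLS port,
and answer the latter with a redirect to https:// instead of dropping it.

Added example, stdlib only; the helpers below are illustrative names, not a
Twisted API. A front protocol would call classify_first_bytes() on the first
read and, for 'http', write https_redirect_response() and close.
"""
import re
from typing import Optional

TLS_HANDSHAKE_RECORD = 0x16           # TLS record content type: handshake
HTTP_METHODS = (b"GET ", b"HEAD ", b"POST ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"PATCH ", b"TRACE ", b"CONNECT ")
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.[01]$")
SAFE_HOSTNAME = re.compile(r"[A-Za-z0-9.-]+")


def classify_first_bytes(data: bytes) -> str:
    """Return 'tls', 'http' or 'unknown' for the first bytes of a connection.

    A ClientHello is a handshake record (0x16) with major version 0x03; a
    plaintext request begins with a method token followed by a space.
    """
    if len(data) >= 2 and data[0] == TLS_HANDSHAKE_RECORD and data[1] == 0x03:
        return "tls"
    if data.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


def https_redirect_response(request_head: bytes,
                            https_port: int = 443) -> Optional[bytes]:
    """Build a 301 response pointing at the https:// equivalent of a plaintext
    request, or None if the request head cannot be parsed safely.

    The Host header is required; any port in it (the plaintext port the
    client used) is dropped in favour of https_port, and the hostname is
    restricted to a conservative character set so a crafted Host header
    cannot inject into the Location line. IPv6 literals are rejected here.
    """
    try:
        text = request_head.decode("ascii")
    except UnicodeDecodeError:
        return None
    lines = text.split("\r\n")
    match = REQUEST_LINE.match(lines[0])
    if not match:
        return None
    path = match.group(2)
    # Only origin-form targets are carried over; anything else (absolute
    # URL, '*') is replaced with '/' so the redirect stays on our own host.
    if not path.startswith("/"):
        path = "/"
    host = None
    for line in lines[1:]:
        if line.lower().startswith("host:"):
            host = line.split(":", 1)[1].strip()
            break
    if not host:
        return None
    hostname = host.split(":", 1)[0]
    if not SAFE_HOSTNAME.fullmatch(hostname):
        return None
    port_part = "" if https_port == 443 else f":{https_port}"
    location = f"https://{hostname}{port_part}{path}"
    body = b"This site requires a secure connection; redirecting to HTTPS.\r\n"
    head = (
        "HTTP/1.1 301 Moved Permanently\r\n"
        f"Location: {location}\r\n"
        "Content-Type: text/plain\r\n"
        f"Content-Length: {len(body)}\r\n"
        "Connection: close\r\n"
        "\r\n"
    )
    return head.encode("ascii") + body


if __name__ == "__main__":
    # Constructed sample: a browser typing http://site.com/ at a TLS port.
    sample = b"GET /login?next=%2F HTTP/1.1\r\nHost: site.com\r\nUser-Agent: x\r\n\r\n"
    print(classify_first_bytes(sample))
    print(https_redirect_response(sample).decode("ascii"))
```

In practice the simpler deployment is to bind a plain-HTTP listener on port 80 that serves nothing but this redirect, and keep the TLS listener strict; the sniffing approach above is what you need only when both kinds of clients arrive on the same port.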