Ticket #302: ssl.2.patch

ssl.py

@@ -45 +45 @@
 
 # System imports
 from OpenSSL import SSL
+import md5
 import socket
 
+# Hack! This should be in the python SSL interface, *but isn't*.
+# (grumblegrumble)
+SSL_OP_ALL = 0x0000FFFF
+
 # sibling imports
 import tcp, main, interfaces
 
@@ -63 +68 @@
         """Return a SSL.Context object. override in subclasses."""
         raise NotImplementedError
 
+NO_VERIFY_CERT, VERIFY_CERT, REQUIRE_CERT = range(3)
 
 class DefaultOpenSSLContextFactory(ContextFactory):
-
+    _sessionIdCtxNum = 0
     def __init__(self, privateKeyFileName, certificateFileName,
-                 sslmethod=SSL.SSLv23_METHOD):
+                 sslmethod=SSL.SSLv23_METHOD,
+                 verifyPeer=NO_VERIFY_CERT, verifyDepth=10,
+                 clientCACertsFile=None):
+        """Initialize an SSL server context.
+
+        privateKeyFileName and certificateFileName should be set to the
+        PEM-encoded key and certificates for this server.
+        
+        verifyPeer can be set to NO_VERIFY_CERT (no verification),
+        VERIFY_CERT (verify client cert but don't fail if none is given),
+        or REQUIRE_CERT (verify and require client cert).
+
+        verifyDepth sets how long a certificate chain is allowed.
+        
+        clientCACertsFile can be set to a file containing (PEM-format)
+        certificates of the CAs to verify clients again. This must be
+        set if verifyPeer is non-zero.
+
+        """
         self.privateKeyFileName = privateKeyFileName
         self.certificateFileName = certificateFileName
         self.sslmethod = sslmethod
+        self.verifyPeer = verifyPeer
+        self.verifyDepth = verifyDepth
+        self.clientCACertsFile = clientCACertsFile
         self.cacheContext()
 
     def cacheContext(self):
         ctx = SSL.Context(self.sslmethod)
         ctx.use_certificate_file(self.certificateFileName)
         ctx.use_privatekey_file(self.privateKeyFileName)
+
+        ctx.set_verify_depth(self.verifyDepth)
+        
+        if self.clientCACertsFile:
+            ctx.load_client_ca(self.clientCACertsFile)
+            ctx.load_verify_locations(self.clientCACertsFile)
+        
+        if self.verifyPeer != NO_VERIFY_CERT:
+            callback = lambda conn,cert,errno,depth,retcode: retcode
+            if self.verifyPeer == REQUIRE_CERT:
+                options = SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT
+            else:
+                options = SSL.VERIFY_PEER
+            ctx.set_verify(options, callback)
+        
+        # turn on fixing SSL client bugs
+        ctx.set_options(SSL_OP_ALL|SSL.OP_SINGLE_DH_USE)
+
+        # session id is supposed to be unique between servers in this process.
+        # i'm unsure what the point is, but it's required. In the sample
+        # code (1 server), it's simply set to 1.
+        DefaultOpenSSLContextFactory._sessionIdCtxNum = DefaultOpenSSLContextFactory._sessionIdCtxNum + 1
+        ctx.set_session_id(md5.new("DefaultOpenSSLContextFactory%d"%DefaultOpenSSLContextFactory._sessionIdCtxNum).digest())
         self._context = ctx
 
     def __getstate__(self):
@@ -184 +234 @@
     def getDestination(self):
         return ('SSL', self.host, self.port)
 
-__all__ = ["ContextFactory", "DefaultOpenSSLContextFactory", "ClientContextFactory"]
+__all__ = ["ContextFactory", "DefaultOpenSSLContextFactory", "ClientContextFactory", "NO_VERIFY_CERT", "VERIFY_CERT", "REQUIRE_CERT"]
 
 supported = True