(self)
| 2292 | self.daemon = True |
| 2293 | |
| 2294 | def wrap_conn(self): |
| 2295 | try: |
| 2296 | self.sslconn = self.server.context.wrap_socket( |
| 2297 | self.sock, server_side=True) |
| 2298 | self.server.selected_alpn_protocols.append(self.sslconn.selected_alpn_protocol()) |
| 2299 | except (ConnectionResetError, BrokenPipeError, ConnectionAbortedError) as e: |
| 2300 | # We treat ConnectionResetError as though it were an |
| 2301 | # SSLError - OpenSSL on Ubuntu abruptly closes the |
| 2302 | # connection when asked to use an unsupported protocol. |
| 2303 | # |
| 2304 | # BrokenPipeError is raised in TLS 1.3 mode, when OpenSSL |
| 2305 | # tries to send session tickets after handshake. |
| 2306 | # https://github.com/openssl/openssl/issues/6342 |
| 2307 | # |
| 2308 | # ConnectionAbortedError is raised in TLS 1.3 mode, when OpenSSL |
| 2309 | # tries to send session tickets after handshake when using WinSock. |
| 2310 | self.server.conn_errors.append(str(e)) |
| 2311 | if self.server.chatty: |
| 2312 | handle_error("\n server: bad connection attempt from " + repr(self.addr) + ":\n") |
| 2313 | self.running = False |
| 2314 | self.close() |
| 2315 | return False |
| 2316 | except (ssl.SSLError, OSError) as e: |
| 2317 | # OSError may occur with wrong protocols, e.g. both |
| 2318 | # sides use PROTOCOL_TLS_SERVER. |
| 2319 | # |
| 2320 | # XXX Various errors can have happened here, for example |
| 2321 | # a mismatching protocol version, an invalid certificate, |
| 2322 | # or a low-level bug. This should be made more discriminating. |
| 2323 | # |
| 2324 | # bpo-31323: Store the exception as string to prevent |
| 2325 | # a reference leak: server -> conn_errors -> exception |
| 2326 | # -> traceback -> self (ConnectionHandler) -> server |
| 2327 | self.server.conn_errors.append(str(e)) |
| 2328 | if self.server.chatty: |
| 2329 | handle_error("\n server: bad connection attempt from " + repr(self.addr) + ":\n") |
| 2330 | |
| 2331 | # bpo-44229, bpo-43855, bpo-44237, and bpo-33450: |
| 2332 | # Ignore spurious EPROTOTYPE returned by write() on macOS. |
| 2333 | # See also http://erickt.github.io/blog/2014/11/19/adventures-in-debugging-a-potential-osx-kernel-bug/ |
| 2334 | if e.errno != errno.EPROTOTYPE and sys.platform != "darwin": |
| 2335 | self.running = False |
| 2336 | self.close() |
| 2337 | return False |
| 2338 | else: |
| 2339 | self.server.shared_ciphers.append(self.sslconn.shared_ciphers()) |
| 2340 | if self.server.context.verify_mode == ssl.CERT_REQUIRED: |
| 2341 | cert = self.sslconn.getpeercert() |
| 2342 | if support.verbose and self.server.chatty: |
| 2343 | sys.stdout.write(" client cert is " + pprint.pformat(cert) + "\n") |
| 2344 | cert_binary = self.sslconn.getpeercert(True) |
| 2345 | if support.verbose and self.server.chatty: |
| 2346 | if cert_binary is None: |
| 2347 | sys.stdout.write(" client did not provide a cert\n") |
| 2348 | else: |
| 2349 | sys.stdout.write(f" cert binary is {len(cert_binary)}b\n") |
| 2350 | cipher = self.sslconn.cipher() |
| 2351 | if support.verbose and self.server.chatty: |
no test coverage detected