| 355 | _clisock = [ss] |
| 356 | |
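def cb_sni(sock, server_name, _):
    """
    This callback occurs after the TLSClientHello is received by the server

    Presumably installed as the server-side ``SSLContext.sni_callback``
    (the ``(sock, server_name, context)`` signature matches it).
    ``server_name`` is the SNI the client asked for, i.e. a value taken
    straight from the client's ClientHello; it may be ``None`` when the
    client sent no SNI. It is used twice:

    * the client-side socket kept in ``_clisock[0]`` is TLS-wrapped with
      that name as SNI and its (unverified) certificate chain is fetched;
    * when no certificate was configured (``self.crtfile is None``) a
      private key and a look-alike chain are generated from that chain
      and written to temporary files, otherwise ``self.crtfile`` /
      ``self.keyfile`` are used as-is.

    A fresh server ``SSLContext`` loaded with the resulting cert/key is
    then swapped onto ``sock`` so the handshake with the client continues
    with it. Returns ``None`` so the handshake proceeds; the ``ssl``
    module turns any other return value into a TLS alert.
    """
    ss = _clisock[0]
    ctx.tls_sni_name = server_name  # the requested SNI
    # Use that SNI to wrap the client socket
    ss = clisslcontext.wrap_socket(ss, server_hostname=server_name)
    # Get certificate chain
    # NOTE(review): _sslobj is a private attribute of SSLSocket; newer
    # Pythons expose a public get_unverified_chain() — confirm the
    # supported versions before switching.
    cas = ss._sslobj.get_unverified_chain()
    # load_cert_chain() below is called with password= in BOTH branches,
    # but only the self-signed branch generates one; without this default
    # the "certificate provided" branch raised UnboundLocalError.  A
    # provided keyfile is loaded with no password, as before.
    password = None
    if self.crtfile is None:
        # SELF-SIGNED mode
        # Generate private key based on the type of certificate
        privkey, certs = self.get_key_and_alike_chain(
            cas, dest, server_name
        )
        # Load result certificate our SSL server
        # (this is dumb but we need to store them on disk)
        certfile = get_temp_file()
        with open(certfile, "w") as fd:
            for c in certs:
                fd.write(c.pem)
        keyfile = get_temp_file()
        # One-shot random password, held only in memory: the key file is
        # encrypted with it and nothing else ever stores it, so the file
        # on disk is not usable on its own.
        password = os.urandom(32)
        with open(keyfile, "wb") as fd:
            fd.write(
                privkey.key.private_bytes(
                    encoding=serialization.Encoding.PEM,
                    format=serialization.PrivateFormat.PKCS8,
                    encryption_algorithm=serialization.BestAvailableEncryption(  # noqa: E501
                        password
                    ),
                )
            )
    else:
        # Certificate is provided
        certfile = self.crtfile
        keyfile = self.keyfile
    # Kept on PROTOCOL_TLSv1_2 to stay consistent with the main server
    # context built right after this callback.
    sslcontext = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
    sslcontext.check_hostname = False
    sslcontext.verify_mode = ssl.CERT_NONE  # note: server side
    sslcontext.load_cert_chain(certfile, keyfile, password=password)
    sock.context = sslcontext
    # Return success
    _clisock[0] = ss
    return None  # Continue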
| 403 | |
| 404 | # Server SSL context |
| 405 | sslcontext = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2) |