| 332 | return privkey, certs |
| 333 | |
| 334 | def handler(self, sock, addr, dest): |
| 335 | """ |
| 336 | Handler of a client socket |
| 337 | """ |
| 338 | ctx = self.CONTEXT(addr, dest) # we have a context object |
| 339 | # Initialize peer socket |
| 340 | ss = self._getpeersock(dest) |
| 341 | # Wrap both server and peer sockets in SSL |
| 342 | if self.tls: |
| 343 | # Build client SSL context |
| 344 | clisslcontext = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2) |
| 345 | clisslcontext.load_default_certs() |
| 346 | clisslcontext.check_hostname = False |
| 347 | clisslcontext.verify_mode = ssl.CERT_NONE |
| 348 | |
| 349 | # This acts as follows: |
| 350 | # - start the server-side TLS handshake |
| 351 | # - use the SNI callback to pop a client-side socket (using the real |
| 352 | # provided SNI) |
| 353 | # - serve the certificate |
| 354 | |
| 355 | _clisock = [ss] |
| 356 | |
| 357 | def cb_sni(sock, server_name, _): |
| 358 | """ |
| 359 | This callback occurs after the TLSClientHello is received by the server |
| 360 | """ |
| 361 | ss = _clisock[0] |
| 362 | ctx.tls_sni_name = server_name # the requested SNI |
| 363 | # Use that SNI to wrap the client socket |
| 364 | ss = clisslcontext.wrap_socket(ss, server_hostname=server_name) |
| 365 | # Get certificate chain |
| 366 | cas = ss._sslobj.get_unverified_chain() |
| 367 | if self.crtfile is None: |
| 368 | # SELF-SIGNED mode |
| 369 | # Generate private key based on the type of certificate |
| 370 | privkey, certs = self.get_key_and_alike_chain( |
| 371 | cas, dest, server_name |
| 372 | ) |
| 373 | # Load result certificate our SSL server |
| 374 | # (this is dumb but we need to store them on disk) |
| 375 | certfile = get_temp_file() |
| 376 | with open(certfile, "w") as fd: |
| 377 | for c in certs: |
| 378 | fd.write(c.pem) |
| 379 | keyfile = get_temp_file() |
| 380 | with open(keyfile, "wb") as fd: |
| 381 | password = os.urandom(32) |
| 382 | fd.write( |
| 383 | privkey.key.private_bytes( |
| 384 | encoding=serialization.Encoding.PEM, |
| 385 | format=serialization.PrivateFormat.PKCS8, |
| 386 | encryption_algorithm=serialization.BestAvailableEncryption( # noqa: E501 |
| 387 | password |
| 388 | ), |
| 389 | ) |
| 390 | ) |
| 391 | else: |