Support restriction the TLS cipher selection in test_server.py

net/tools/testserver/testserver.py

 #!/usr/bin/python2.4
 # Copyright (c) 2006-2010 The Chromium Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
 """This is a simple HTTP server used for testing Chrome.
 
 It supports several test URLs, as specified by the handlers in TestPageHandler.
 It defaults to living on localhost:8888.
 It can use https if you specify the flag --https=CERT where CERT is the path
@@ skipping 46 matching lines @@
     self.stop = False
     self.nonce_time = None
     while not self.stop:
       self.handle_request()
     self.socket.close()
 
 class HTTPSServer(tlslite.api.TLSSocketServerMixIn, StoppableHTTPServer):
   """This is a specialization of StoppableHTTPerver that add https support."""
 
   def __init__(self, server_address, request_hander_class, cert_path,
-               ssl_client_auth, ssl_client_cas):
+               ssl_client_auth, ssl_client_cas, ssl_bulk_ciphers):
     s = open(cert_path).read()
     x509 = tlslite.api.X509()
     x509.parse(s)
     self.cert_chain = tlslite.api.X509CertChain([x509])
     s = open(cert_path).read()
     self.private_key = tlslite.api.parsePEMKey(s, private=True)
     self.ssl_client_auth = ssl_client_auth
     self.ssl_client_cas = []
     for ca_file in ssl_client_cas:
         s = open(ca_file).read()
         x509 = tlslite.api.X509()
         x509.parse(s)
         self.ssl_client_cas.append(x509.subject)
+    self.ssl_handshake_settings = tlslite.api.HandshakeSettings()
+    if ssl_bulk_ciphers is not None:
+      self.ssl_handshake_settings.cipherNames = ssl_bulk_ciphers
 
     self.session_cache = tlslite.api.SessionCache()
     StoppableHTTPServer.__init__(self, server_address, request_hander_class)
 
   def handshake(self, tlsConnection):
     """Creates the SSL connection."""
     try:
       tlsConnection.handshakeServer(certChain=self.cert_chain,
                                     privateKey=self.private_key,
                                     sessionCache=self.session_cache,
                                     reqCert=self.ssl_client_auth,
+                                    settings=self.ssl_handshake_settings,
                                     reqCAs=self.ssl_client_cas)
       tlsConnection.ignoreAbruptClose = True
       return True
     except tlslite.api.TLSAbruptCloseError:
       # Ignore abrupt close.
       return True
     except tlslite.api.TLSError, error:
       print "Handshake failure:", str(error)
       return False
 
@@ skipping 1060 matching lines @@
       if not os.path.isfile(options.cert):
         print 'specified server cert file not found: ' + options.cert + \
               ' exiting...'
         return
       for ca_cert in options.ssl_client_ca:
         if not os.path.isfile(ca_cert):
           print 'specified trusted client CA file not found: ' + ca_cert + \
                 ' exiting...'
           return
       server = HTTPSServer(('127.0.0.1', port), TestPageHandler, options.cert,
-                           options.ssl_client_auth, options.ssl_client_ca)
+                           options.ssl_client_auth, options.ssl_client_ca,
+                           options.ssl_bulk_cipher)
       print 'HTTPS server started on port %d...' % port
     else:
       server = StoppableHTTPServer(('127.0.0.1', port), TestPageHandler)
       print 'HTTP server started on port %d...' % port
 
     server.data_dir = MakeDataDir()
     server.file_root_url = options.file_root_url
     server._sync_handler = None
 
   # means FTP Server
@@ skipping 50 matching lines @@
   option_parser.add_option('', '--data-dir', dest='data_dir',
                            help='Directory from which to read the files.')
   option_parser.add_option('', '--https', dest='cert',
                            help='Specify that https should be used, specify '
                            'the path to the cert containing the private key '
                            'the server should use.')
   option_parser.add_option('', '--ssl-client-auth', action='store_true',
                            help='Require SSL client auth on every connection.')
   option_parser.add_option('', '--ssl-client-ca', action='append', default=[],
                            help='Specify that the client certificate request '
-                           'should indicate that it supports the CA contained '
-                           'in the specified certificate file')
+                           'should include the CA named in the subject of '
+                           'the DER-encoded certificate contained in the '
+                           'specified file. This option may appear multiple '
+                           'times, indicating multiple CA names should be '
+                           'sent in the request.')
+  option_parser.add_option('', '--ssl-bulk-cipher', action='append',
+                           help='Specify the bulk encryption algorithm(s)'
+                           'that will be accepted by the SSL server. Valid '
+                           'values are "aes256", "aes128", "3des", "rc4". If '
+                           'omitted, all algorithms will be used. This '
+                           'option may appear multiple times, indicating '
+                           'multiple algorithms should be enabled.');
   option_parser.add_option('', '--file-root-url', default='/files/',
                            help='Specify a root URL for files served.')
   option_parser.add_option('', '--startup-pipe', type='int',
                            dest='startup_pipe',
                            help='File handle of pipe to parent process')
   options, args = option_parser.parse_args()
 
   sys.exit(main(options, args))