1 #!/usr/bin/env python | 1 #!/usr/bin/env python |
2 # Copyright 2013 The Chromium Authors. All rights reserved. | 2 # Copyright 2013 The Chromium Authors. All rights reserved. |
3 # Use of this source code is governed by a BSD-style license that can be | 3 # Use of this source code is governed by a BSD-style license that can be |
4 # found in the LICENSE file. | 4 # found in the LICENSE file. |
5 | 5 |
6 """This is a simple HTTP/FTP/TCP/UDP/BASIC_AUTH_PROXY/WEBSOCKET server used for | 6 """This is a simple HTTP/FTP/TCP/UDP/BASIC_AUTH_PROXY/WEBSOCKET server used for |
7 testing Chrome. | 7 testing Chrome. |
8 | 8 |
9 It supports several test URLs, as specified by the handlers in TestPageHandler. | 9 It supports several test URLs, as specified by the handlers in TestPageHandler. |
10 By default, it listens on an ephemeral port and sends the port number back to | 10 By default, it listens on an ephemeral port and sends the port number back to |
147 class HTTPSServer(tlslite.api.TLSSocketServerMixIn, | 147 class HTTPSServer(tlslite.api.TLSSocketServerMixIn, |
148 testserver_base.ClientRestrictingServerMixIn, | 148 testserver_base.ClientRestrictingServerMixIn, |
149 testserver_base.BrokenPipeHandlerMixIn, | 149 testserver_base.BrokenPipeHandlerMixIn, |
150 testserver_base.StoppableHTTPServer): | 150 testserver_base.StoppableHTTPServer): |
151 """This is a specialization of StoppableHTTPServer that add https support and | 151 """This is a specialization of StoppableHTTPServer that add https support and |
152 client verification.""" | 152 client verification.""" |
153 | 153 |
154 def __init__(self, server_address, request_hander_class, pem_cert_and_key, | 154 def __init__(self, server_address, request_hander_class, pem_cert_and_key, |
155 ssl_client_auth, ssl_client_cas, ssl_client_cert_types, | 155 ssl_client_auth, ssl_client_cas, ssl_client_cert_types, |
156 ssl_bulk_ciphers, ssl_key_exchanges, enable_npn, | 156 ssl_bulk_ciphers, ssl_key_exchanges, enable_npn, |
157 record_resume_info, tls_intolerant, signed_cert_timestamps, | 157 record_resume_info, tls_intolerant, |
| 158 tls_intolerance_type, signed_cert_timestamps, |
158 fallback_scsv_enabled, ocsp_response): | 159 fallback_scsv_enabled, ocsp_response): |
159 self.cert_chain = tlslite.api.X509CertChain() | 160 self.cert_chain = tlslite.api.X509CertChain() |
160 self.cert_chain.parsePemList(pem_cert_and_key) | 161 self.cert_chain.parsePemList(pem_cert_and_key) |
161 # Force using only python implementation - otherwise behavior is different | 162 # Force using only python implementation - otherwise behavior is different |
162 # depending on whether m2crypto Python module is present (error is thrown | 163 # depending on whether m2crypto Python module is present (error is thrown |
163 # when it is). m2crypto uses a C (based on OpenSSL) implementation under | 164 # when it is). m2crypto uses a C (based on OpenSSL) implementation under |
164 # the hood. | 165 # the hood. |
165 self.private_key = tlslite.api.parsePEMKey(pem_cert_and_key, | 166 self.private_key = tlslite.api.parsePEMKey(pem_cert_and_key, |
166 private=True, | 167 private=True, |
167 implementations=['python']) | 168 implementations=['python']) |
168 self.ssl_client_auth = ssl_client_auth | 169 self.ssl_client_auth = ssl_client_auth |
169 self.ssl_client_cas = [] | 170 self.ssl_client_cas = [] |
170 self.ssl_client_cert_types = [] | 171 self.ssl_client_cert_types = [] |
171 if enable_npn: | 172 if enable_npn: |
172 self.next_protos = ['http/1.1'] | 173 self.next_protos = ['http/1.1'] |
173 else: | 174 else: |
174 self.next_protos = None | 175 self.next_protos = None |
175 if tls_intolerant == 0: | |
176 self.tls_intolerant = None | |
177 else: | |
178 self.tls_intolerant = (3, tls_intolerant) | |
179 self.signed_cert_timestamps = signed_cert_timestamps | 176 self.signed_cert_timestamps = signed_cert_timestamps |
180 self.fallback_scsv_enabled = fallback_scsv_enabled | 177 self.fallback_scsv_enabled = fallback_scsv_enabled |
181 self.ocsp_response = ocsp_response | 178 self.ocsp_response = ocsp_response |
182 | 179 |
183 if ssl_client_auth: | 180 if ssl_client_auth: |
184 for ca_file in ssl_client_cas: | 181 for ca_file in ssl_client_cas: |
185 s = open(ca_file).read() | 182 s = open(ca_file).read() |
186 x509 = tlslite.api.X509() | 183 x509 = tlslite.api.X509() |
187 x509.parse(s) | 184 x509.parse(s) |
188 self.ssl_client_cas.append(x509.subject) | 185 self.ssl_client_cas.append(x509.subject) |
189 | 186 |
190 for cert_type in ssl_client_cert_types: | 187 for cert_type in ssl_client_cert_types: |
191 self.ssl_client_cert_types.append({ | 188 self.ssl_client_cert_types.append({ |
192 "rsa_sign": tlslite.api.ClientCertificateType.rsa_sign, | 189 "rsa_sign": tlslite.api.ClientCertificateType.rsa_sign, |
193 "dss_sign": tlslite.api.ClientCertificateType.dss_sign, | 190 "dss_sign": tlslite.api.ClientCertificateType.dss_sign, |
194 "ecdsa_sign": tlslite.api.ClientCertificateType.ecdsa_sign, | 191 "ecdsa_sign": tlslite.api.ClientCertificateType.ecdsa_sign, |
195 }[cert_type]) | 192 }[cert_type]) |
196 | 193 |
197 self.ssl_handshake_settings = tlslite.api.HandshakeSettings() | 194 self.ssl_handshake_settings = tlslite.api.HandshakeSettings() |
198 if ssl_bulk_ciphers is not None: | 195 if ssl_bulk_ciphers is not None: |
199 self.ssl_handshake_settings.cipherNames = ssl_bulk_ciphers | 196 self.ssl_handshake_settings.cipherNames = ssl_bulk_ciphers |
200 if ssl_key_exchanges is not None: | 197 if ssl_key_exchanges is not None: |
201 self.ssl_handshake_settings.keyExchangeNames = ssl_key_exchanges | 198 self.ssl_handshake_settings.keyExchangeNames = ssl_key_exchanges |
| 199 if tls_intolerant != 0: |
| 200 self.ssl_handshake_settings.tlsIntolerant = (3, tls_intolerant) |
| 201 self.ssl_handshake_settings.tlsIntoleranceType = tls_intolerance_type |
202 | 202 |
203 if record_resume_info: | 203 if record_resume_info: |
204 # If record_resume_info is true then we'll replace the session cache with | 204 # If record_resume_info is true then we'll replace the session cache with |
205 # an object that records the lookups and inserts that it sees. | 205 # an object that records the lookups and inserts that it sees. |
206 self.session_cache = RecordingSSLSessionCache() | 206 self.session_cache = RecordingSSLSessionCache() |
207 else: | 207 else: |
208 self.session_cache = tlslite.api.SessionCache() | 208 self.session_cache = tlslite.api.SessionCache() |
209 testserver_base.StoppableHTTPServer.__init__(self, | 209 testserver_base.StoppableHTTPServer.__init__(self, |
210 server_address, | 210 server_address, |
211 request_hander_class) | 211 request_hander_class) |
212 | 212 |
213 def handshake(self, tlsConnection): | 213 def handshake(self, tlsConnection): |
214 """Creates the SSL connection.""" | 214 """Creates the SSL connection.""" |
215 | 215 |
216 try: | 216 try: |
217 self.tlsConnection = tlsConnection | 217 self.tlsConnection = tlsConnection |
218 tlsConnection.handshakeServer(certChain=self.cert_chain, | 218 tlsConnection.handshakeServer(certChain=self.cert_chain, |
219 privateKey=self.private_key, | 219 privateKey=self.private_key, |
220 sessionCache=self.session_cache, | 220 sessionCache=self.session_cache, |
221 reqCert=self.ssl_client_auth, | 221 reqCert=self.ssl_client_auth, |
222 settings=self.ssl_handshake_settings, | 222 settings=self.ssl_handshake_settings, |
223 reqCAs=self.ssl_client_cas, | 223 reqCAs=self.ssl_client_cas, |
224 reqCertTypes=self.ssl_client_cert_types, | 224 reqCertTypes=self.ssl_client_cert_types, |
225 nextProtos=self.next_protos, | 225 nextProtos=self.next_protos, |
226 tlsIntolerant=self.tls_intolerant, | |
227 signedCertTimestamps= | 226 signedCertTimestamps= |
228 self.signed_cert_timestamps, | 227 self.signed_cert_timestamps, |
229 fallbackSCSV=self.fallback_scsv_enabled, | 228 fallbackSCSV=self.fallback_scsv_enabled, |
230 ocspResponse = self.ocsp_response) | 229 ocspResponse = self.ocsp_response) |
231 tlsConnection.ignoreAbruptClose = True | 230 tlsConnection.ignoreAbruptClose = True |
232 return True | 231 return True |
233 except tlslite.api.TLSAbruptCloseError: | 232 except tlslite.api.TLSAbruptCloseError: |
234 # Ignore abrupt close. | 233 # Ignore abrupt close. |
235 return True | 234 return True |
236 except tlslite.api.TLSError, error: | 235 except tlslite.api.TLSError, error: |
1975 | 1974 |
1976 server = HTTPSServer((host, port), TestPageHandler, pem_cert_and_key, | 1975 server = HTTPSServer((host, port), TestPageHandler, pem_cert_and_key, |
1977 self.options.ssl_client_auth, | 1976 self.options.ssl_client_auth, |
1978 self.options.ssl_client_ca, | 1977 self.options.ssl_client_ca, |
1979 self.options.ssl_client_cert_type, | 1978 self.options.ssl_client_cert_type, |
1980 self.options.ssl_bulk_cipher, | 1979 self.options.ssl_bulk_cipher, |
1981 self.options.ssl_key_exchange, | 1980 self.options.ssl_key_exchange, |
1982 self.options.enable_npn, | 1981 self.options.enable_npn, |
1983 self.options.record_resume, | 1982 self.options.record_resume, |
1984 self.options.tls_intolerant, | 1983 self.options.tls_intolerant, |
| 1984 self.options.tls_intolerance_type, |
1985 self.options.signed_cert_timestamps_tls_ext.decode( | 1985 self.options.signed_cert_timestamps_tls_ext.decode( |
1986 "base64"), | 1986 "base64"), |
1987 self.options.fallback_scsv, | 1987 self.options.fallback_scsv, |
1988 stapled_ocsp_response) | 1988 stapled_ocsp_response) |
1989 print 'HTTPS server started on https://%s:%d...' % \ | 1989 print 'HTTPS server started on https://%s:%d...' % \ |
1990 (host, server.server_port) | 1990 (host, server.server_port) |
1991 else: | 1991 else: |
1992 server = HTTPServer((host, port), TestPageHandler) | 1992 server = HTTPServer((host, port), TestPageHandler) |
1993 print 'HTTP server started on http://%s:%d...' % \ | 1993 print 'HTTP server started on http://%s:%d...' % \ |
1994 (host, server.server_port) | 1994 (host, server.server_port) |
2121 help='If non-zero then the generated ' | 2121 help='If non-zero then the generated ' |
2122 'certificate will have this serial number') | 2122 'certificate will have this serial number') |
2123 self.option_parser.add_option('--tls-intolerant', dest='tls_intolerant', | 2123 self.option_parser.add_option('--tls-intolerant', dest='tls_intolerant', |
2124 default='0', type='int', | 2124 default='0', type='int', |
2125 help='If nonzero, certain TLS connections ' | 2125 help='If nonzero, certain TLS connections ' |
2126 'will be aborted in order to test version ' | 2126 'will be aborted in order to test version ' |
2127 'fallback. 1 means all TLS versions will be ' | 2127 'fallback. 1 means all TLS versions will be ' |
2128 'aborted. 2 means TLS 1.1 or higher will be ' | 2128 'aborted. 2 means TLS 1.1 or higher will be ' |
2129 'aborted. 3 means TLS 1.2 or higher will be ' | 2129 'aborted. 3 means TLS 1.2 or higher will be ' |
2130 'aborted.') | 2130 'aborted.') |
| 2131 self.option_parser.add_option('--tls-intolerance-type', |
| 2132 dest='tls_intolerance_type', |
| 2133 default="alert", |
| 2134 help='Controls how the server reacts to a ' |
| 2135 'TLS version it is intolerant to. Valid ' |
| 2136 'values are "alert", "close", and "reset".') |
2131 self.option_parser.add_option('--signed-cert-timestamps-tls-ext', | 2137 self.option_parser.add_option('--signed-cert-timestamps-tls-ext', |
2132 dest='signed_cert_timestamps_tls_ext', | 2138 dest='signed_cert_timestamps_tls_ext', |
2133 default='', | 2139 default='', |
2134 help='Base64 encoded SCT list. If set, ' | 2140 help='Base64 encoded SCT list. If set, ' |
2135 'server will respond with a ' | 2141 'server will respond with a ' |
2136 'signed_certificate_timestamp TLS extension ' | 2142 'signed_certificate_timestamp TLS extension ' |
2137 'whenever the client supports it.') | 2143 'whenever the client supports it.') |
2138 self.option_parser.add_option('--fallback-scsv', dest='fallback_scsv', | 2144 self.option_parser.add_option('--fallback-scsv', dest='fallback_scsv', |
2139 default=False, const=True, | 2145 default=False, const=True, |
2140 action='store_const', | 2146 action='store_const', |
2196 action='store_const', | 2202 action='store_const', |
2197 help='Enable server support for the NPN ' | 2203 help='Enable server support for the NPN ' |
2198 'extension. The server will advertise ' | 2204 'extension. The server will advertise ' |
2199 'support for exactly one protocol, http/1.1') | 2205 'support for exactly one protocol, http/1.1') |
2200 self.option_parser.add_option('--file-root-url', default='/files/', | 2206 self.option_parser.add_option('--file-root-url', default='/files/', |
2201 help='Specify a root URL for files served.') | 2207 help='Specify a root URL for files served.') |
2202 | 2208 |
2203 | 2209 |
2204 if __name__ == '__main__': | 2210 if __name__ == '__main__': |
2205 sys.exit(ServerRunner().main()) | 2211 sys.exit(ServerRunner().main()) |
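Review bot: The new `--tls-intolerance-type` option (new lines 2131–2136) documents exactly three valid values in its help text but the parser accepts any string, so a typo is forwarded unchecked into `HandshakeSettings.tlsIntoleranceType` (new line 201), and whether tlslite rejects it there cannot be confirmed from this page. optparse can enforce the closed set at parse time: `default="alert", type='choice',` followed by `choices=['alert', 'close', 'reset'],` in the `add_option` call, which makes a bad value fail fast with a clear usage error instead of surfacing, if at all, as a handshake-time failure. It would also help to state in the help text that the value only takes effect when `--tls-intolerant` is nonzero, since new lines 199–201 set `tlsIntoleranceType` only inside the `if tls_intolerant != 0:` branch. The option-parsing method that contains this call begins outside the visible hunk.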