1 #!/usr/bin/env python | 1 #!/usr/bin/env python |
2 # Copyright 2013 The Chromium Authors. All rights reserved. | 2 # Copyright 2013 The Chromium Authors. All rights reserved. |
3 # Use of this source code is governed by a BSD-style license that can be | 3 # Use of this source code is governed by a BSD-style license that can be |
4 # found in the LICENSE file. | 4 # found in the LICENSE file. |
5 | 5 |
6 """This is a simple HTTP/FTP/TCP/UDP/BASIC_AUTH_PROXY/WEBSOCKET server used for | 6 """This is a simple HTTP/FTP/TCP/UDP/BASIC_AUTH_PROXY/WEBSOCKET server used for |
7 testing Chrome. | 7 testing Chrome. |
8 | 8 |
9 It supports several test URLs, as specified by the handlers in TestPageHandler. | 9 It supports several test URLs, as specified by the handlers in TestPageHandler. |
10 By default, it listens on an ephemeral port and sends the port number back to | 10 By default, it listens on an ephemeral port and sends the port number back to |
129 class HTTPSServer(tlslite.api.TLSSocketServerMixIn, | 129 class HTTPSServer(tlslite.api.TLSSocketServerMixIn, |
130 testserver_base.ClientRestrictingServerMixIn, | 130 testserver_base.ClientRestrictingServerMixIn, |
131 testserver_base.BrokenPipeHandlerMixIn, | 131 testserver_base.BrokenPipeHandlerMixIn, |
132 testserver_base.StoppableHTTPServer): | 132 testserver_base.StoppableHTTPServer): |
133 """This is a specialization of StoppableHTTPServer that add https support and | 133 """This is a specialization of StoppableHTTPServer that add https support and |
134 client verification.""" | 134 client verification.""" |
135 | 135 |
136 def __init__(self, server_address, request_hander_class, pem_cert_and_key, | 136 def __init__(self, server_address, request_hander_class, pem_cert_and_key, |
137 ssl_client_auth, ssl_client_cas, ssl_bulk_ciphers, | 137 ssl_client_auth, ssl_client_cas, ssl_bulk_ciphers, |
138 record_resume_info, tls_intolerant, signed_cert_timestamps, | 138 record_resume_info, tls_intolerant, signed_cert_timestamps, |
139 fallback_scsv_enabled): | 139 fallback_scsv_enabled, ocsp_response): |
140 self.cert_chain = tlslite.api.X509CertChain().parseChain(pem_cert_and_key) | 140 self.cert_chain = tlslite.api.X509CertChain().parseChain(pem_cert_and_key) |
141 # Force using only python implementation - otherwise behavior is different | 141 # Force using only python implementation - otherwise behavior is different |
142 # depending on whether m2crypto Python module is present (error is thrown | 142 # depending on whether m2crypto Python module is present (error is thrown |
143 # when it is). m2crypto uses a C (based on OpenSSL) implementation under | 143 # when it is). m2crypto uses a C (based on OpenSSL) implementation under |
144 # the hood. | 144 # the hood. |
145 self.private_key = tlslite.api.parsePEMKey(pem_cert_and_key, | 145 self.private_key = tlslite.api.parsePEMKey(pem_cert_and_key, |
146 private=True, | 146 private=True, |
147 implementations=['python']) | 147 implementations=['python']) |
148 self.ssl_client_auth = ssl_client_auth | 148 self.ssl_client_auth = ssl_client_auth |
149 self.ssl_client_cas = [] | 149 self.ssl_client_cas = [] |
150 self.tls_intolerant = tls_intolerant | 150 self.tls_intolerant = tls_intolerant |
151 self.signed_cert_timestamps = signed_cert_timestamps | 151 self.signed_cert_timestamps = signed_cert_timestamps |
152 self.fallback_scsv_enabled = fallback_scsv_enabled | 152 self.fallback_scsv_enabled = fallback_scsv_enabled |
| 153 self.ocsp_response = ocsp_response |
153 | 154 |
154 for ca_file in ssl_client_cas: | 155 for ca_file in ssl_client_cas: |
155 s = open(ca_file).read() | 156 s = open(ca_file).read() |
156 x509 = tlslite.api.X509() | 157 x509 = tlslite.api.X509() |
157 x509.parse(s) | 158 x509.parse(s) |
158 self.ssl_client_cas.append(x509.subject) | 159 self.ssl_client_cas.append(x509.subject) |
159 self.ssl_handshake_settings = tlslite.api.HandshakeSettings() | 160 self.ssl_handshake_settings = tlslite.api.HandshakeSettings() |
160 if ssl_bulk_ciphers is not None: | 161 if ssl_bulk_ciphers is not None: |
161 self.ssl_handshake_settings.cipherNames = ssl_bulk_ciphers | 162 self.ssl_handshake_settings.cipherNames = ssl_bulk_ciphers |
162 | 163 |
177 self.tlsConnection = tlsConnection | 178 self.tlsConnection = tlsConnection |
178 tlsConnection.handshakeServer(certChain=self.cert_chain, | 179 tlsConnection.handshakeServer(certChain=self.cert_chain, |
179 privateKey=self.private_key, | 180 privateKey=self.private_key, |
180 sessionCache=self.session_cache, | 181 sessionCache=self.session_cache, |
181 reqCert=self.ssl_client_auth, | 182 reqCert=self.ssl_client_auth, |
182 settings=self.ssl_handshake_settings, | 183 settings=self.ssl_handshake_settings, |
183 reqCAs=self.ssl_client_cas, | 184 reqCAs=self.ssl_client_cas, |
184 tlsIntolerant=self.tls_intolerant, | 185 tlsIntolerant=self.tls_intolerant, |
185 signedCertTimestamps= | 186 signedCertTimestamps= |
186 self.signed_cert_timestamps, | 187 self.signed_cert_timestamps, |
187 fallbackSCSV=self.fallback_scsv_enabled) | 188 fallbackSCSV=self.fallback_scsv_enabled, |
| 189 ocspResponse = self.ocsp_response) |
188 tlsConnection.ignoreAbruptClose = True | 190 tlsConnection.ignoreAbruptClose = True |
189 return True | 191 return True |
190 except tlslite.api.TLSAbruptCloseError: | 192 except tlslite.api.TLSAbruptCloseError: |
191 # Ignore abrupt close. | 193 # Ignore abrupt close. |
192 return True | 194 return True |
193 except tlslite.api.TLSError, error: | 195 except tlslite.api.TLSError, error: |
194 print "Handshake failure:", str(error) | 196 print "Handshake failure:", str(error) |
195 return False | 197 return False |
196 | 198 |
197 | 199 |
1939 ocsp_state = ocsp_state, | 1941 ocsp_state = ocsp_state, |
1940 serial = self.options.cert_serial) | 1942 serial = self.options.cert_serial) |
1941 | 1943 |
1942 self.__ocsp_server.ocsp_response = ocsp_der | 1944 self.__ocsp_server.ocsp_response = ocsp_der |
1943 | 1945 |
1944 for ca_cert in self.options.ssl_client_ca: | 1946 for ca_cert in self.options.ssl_client_ca: |
1945 if not os.path.isfile(ca_cert): | 1947 if not os.path.isfile(ca_cert): |
1946 raise testserver_base.OptionError( | 1948 raise testserver_base.OptionError( |
1947 'specified trusted client CA file not found: ' + ca_cert + | 1949 'specified trusted client CA file not found: ' + ca_cert + |
1948 ' exiting...') | 1950 ' exiting...') |
| 1951 |
| 1952 stapled_ocsp_response = None |
| 1953 if self.__ocsp_server and self.options.staple_ocsp_response: |
| 1954 stapled_ocsp_response = self.__ocsp_server.ocsp_response |
| 1955 |
1949 server = HTTPSServer((host, port), TestPageHandler, pem_cert_and_key, | 1956 server = HTTPSServer((host, port), TestPageHandler, pem_cert_and_key, |
1950 self.options.ssl_client_auth, | 1957 self.options.ssl_client_auth, |
1951 self.options.ssl_client_ca, | 1958 self.options.ssl_client_ca, |
1952 self.options.ssl_bulk_cipher, | 1959 self.options.ssl_bulk_cipher, |
1953 self.options.record_resume, | 1960 self.options.record_resume, |
1954 self.options.tls_intolerant, | 1961 self.options.tls_intolerant, |
1955 self.options.signed_cert_timestamps.decode( | 1962 self.options.signed_cert_timestamps_tls_ext.decode( |
1956 "base64"), | 1963 "base64"), |
1957 self.options.fallback_scsv) | 1964 self.options.fallback_scsv, |
| 1965 stapled_ocsp_response) |
1958 print 'HTTPS server started on %s:%d...' % (host, server.server_port) | 1966 print 'HTTPS server started on %s:%d...' % (host, server.server_port) |
1959 else: | 1967 else: |
1960 server = HTTPServer((host, port), TestPageHandler) | 1968 server = HTTPServer((host, port), TestPageHandler) |
1961 print 'HTTP server started on %s:%d...' % (host, server.server_port) | 1969 print 'HTTP server started on %s:%d...' % (host, server.server_port) |
1962 | 1970 |
1963 server.data_dir = self.__make_data_dir() | 1971 server.data_dir = self.__make_data_dir() |
1964 server.file_root_url = self.options.file_root_url | 1972 server.file_root_url = self.options.file_root_url |
1965 server_data['port'] = server.server_port | 1973 server_data['port'] = server.server_port |
1966 elif self.options.server_type == SERVER_WEBSOCKET: | 1974 elif self.options.server_type == SERVER_WEBSOCKET: |
1967 # Launch pywebsocket via WebSocketServer. | 1975 # Launch pywebsocket via WebSocketServer. |
2085 help='If non-zero then the generated ' | 2093 help='If non-zero then the generated ' |
2086 'certificate will have this serial number') | 2094 'certificate will have this serial number') |
2087 self.option_parser.add_option('--tls-intolerant', dest='tls_intolerant', | 2095 self.option_parser.add_option('--tls-intolerant', dest='tls_intolerant', |
2088 default='0', type='int', | 2096 default='0', type='int', |
2089 help='If nonzero, certain TLS connections ' | 2097 help='If nonzero, certain TLS connections ' |
2090 'will be aborted in order to test version ' | 2098 'will be aborted in order to test version ' |
2091 'fallback. 1 means all TLS versions will be ' | 2099 'fallback. 1 means all TLS versions will be ' |
2092 'aborted. 2 means TLS 1.1 or higher will be ' | 2100 'aborted. 2 means TLS 1.1 or higher will be ' |
2093 'aborted. 3 means TLS 1.2 or higher will be ' | 2101 'aborted. 3 means TLS 1.2 or higher will be ' |
2094 'aborted.') | 2102 'aborted.') |
2095 self.option_parser.add_option('--signed-cert-timestamps', | 2103 self.option_parser.add_option('--signed-cert-timestamps-tls-ext', |
2096 dest='signed_cert_timestamps', | 2104 dest='signed_cert_timestamps_tls_ext', |
2097 default='', | 2105 default='', |
2098 help='Base64 encoded SCT list. If set, ' | 2106 help='Base64 encoded SCT list. If set, ' |
2099 'server will respond with a ' | 2107 'server will respond with a ' |
2100 'signed_certificate_timestamp TLS extension ' | 2108 'signed_certificate_timestamp TLS extension ' |
2101 'whenever the client supports it.') | 2109 'whenever the client supports it.') |
2102 self.option_parser.add_option('--fallback-scsv', dest='fallback_scsv', | 2110 self.option_parser.add_option('--fallback-scsv', dest='fallback_scsv', |
2103 default=False, const=True, | 2111 default=False, const=True, |
2104 action='store_const', | 2112 action='store_const', |
2105 help='If given, TLS_FALLBACK_SCSV support ' | 2113 help='If given, TLS_FALLBACK_SCSV support ' |
2106 'will be enabled. This causes the server to ' | 2114 'will be enabled. This causes the server to ' |
2107 'reject fallback connections from compatible ' | 2115 'reject fallback connections from compatible ' |
2108 'clients (e.g. Chrome).') | 2116 'clients (e.g. Chrome).') |
| 2117 self.option_parser.add_option('--staple-ocsp-response', |
| 2118 dest='staple_ocsp_response', |
| 2119 default=False, action='store_true', |
| 2120 help='If set, server will staple the OCSP ' |
| 2121 'response whenever OCSP is on and the client ' |
| 2122 'supports OCSP stapling.') |
2109 self.option_parser.add_option('--https-record-resume', | 2123 self.option_parser.add_option('--https-record-resume', |
2110 dest='record_resume', const=True, | 2124 dest='record_resume', const=True, |
2111 default=False, action='store_const', | 2125 default=False, action='store_const', |
2112 help='Record resumption cache events rather ' | 2126 help='Record resumption cache events rather ' |
2113 'than resuming as normal. Allows the use of ' | 2127 'than resuming as normal. Allows the use of ' |
2114 'the /ssl-session-cache request') | 2128 'the /ssl-session-cache request') |
2115 self.option_parser.add_option('--ssl-client-auth', action='store_true', | 2129 self.option_parser.add_option('--ssl-client-auth', action='store_true', |
2116 help='Require SSL client auth on every ' | 2130 help='Require SSL client auth on every ' |
2117 'connection.') | 2131 'connection.') |
2118 self.option_parser.add_option('--ssl-client-ca', action='append', | 2132 self.option_parser.add_option('--ssl-client-ca', action='append', |
2130 '"aes128", "3des", "rc4". If omitted, all ' | 2144 '"aes128", "3des", "rc4". If omitted, all ' |
2131 'algorithms will be used. This option may ' | 2145 'algorithms will be used. This option may ' |
2132 'appear multiple times, indicating ' | 2146 'appear multiple times, indicating ' |
2133 'multiple algorithms should be enabled.'); | 2147 'multiple algorithms should be enabled.'); |
2134 self.option_parser.add_option('--file-root-url', default='/files/', | 2148 self.option_parser.add_option('--file-root-url', default='/files/', |
2135 help='Specify a root URL for files served.') | 2149 help='Specify a root URL for files served.') |
2136 | 2150 |
2137 | 2151 |
2138 if __name__ == '__main__': | 2152 if __name__ == '__main__': |
2139 sys.exit(ServerRunner().main()) | 2153 sys.exit(ServerRunner().main()) |
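Review bot: The stapling condition on new line 1953, `if self.__ocsp_server and self.options.staple_ocsp_response:`, silently drops the `--staple-ocsp-response` flag when no OCSP server is present, so a test expecting a stapled response gets a plain handshake with no indication that the server was misconfigured; the code just above already raises `testserver_base.OptionError` for a missing client-CA file, so the same treatment fits here, placed before the `stapled_ocsp_response = None` line: `if self.options.staple_ocsp_response and not self.__ocsp_server: raise testserver_base.OptionError('--staple-ocsp-response requires the OCSP server to be running')`. Whether `self.__ocsp_server` can actually be unset once the HTTPS branch is taken is not visible in this section (the enclosing method starts outside it), so confirm that before adding the check. The new `ocsp_response` parameter of `HTTPSServer.__init__` (new line 139) is undocumented; a comment such as `# ocsp_response: OCSP response bytes to staple during the handshake, or None to disable stapling.` beside the assignment on new line 153 would cover it. Finally, `ocspResponse = self.ocsp_response` on new line 189 puts spaces around the keyword `=`, unlike every other argument in the same `handshakeServer` call; `ocspResponse=self.ocsp_response` matches them.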