Get at SSL context

Get at SSL context

Gertjan Klein
Hi,

I'm using CherryPy to build a little appliance accessible over the web.
I use Python 3.4 and the 'builtin' SSL module, and therefore CherryPy
calls the ssl module's create_default_context(). I would like to get at
that context to change some settings, and I can't figure out how to do this.

An additional complication is that I configured CherryPy to run two
servers, one for port 80 and one for port 443. Am I doing this right?
This is the code that creates and starts the servers:

import cherrypy

def create_server():
    # Remove default server, we need two separate ones
    cherrypy.server.unsubscribe()

    # Create server for HTTPS
    svr = cherrypy._cpserver.Server()
    svr._socket_host = '0.0.0.0'
    svr.socket_port = 443
    svr.ssl_module = 'builtin'
    svr.ssl_certificate = CERT_INFO['ssl_certificate']
    svr.ssl_private_key = CERT_INFO['ssl_private_key']
    svr.ssl_certificate_chain = CERT_INFO['ssl_certificate_chain']
    svr.subscribe()

    # Create server for plain HTTP
    svr = cherrypy._cpserver.Server()
    svr._socket_host = "0.0.0.0"
    svr.socket_port = 80
    svr.subscribe()

    # Mount root server and update global config
    cherrypy.tree.mount(Root(), '', CONF)
    cherrypy.config.update(CONF)

    # Start the server
    cherrypy.engine.start()
    cherrypy.engine.block()

(Here, CONF is a configuration dictionary specifying the static dir mount
point etc., Root is the actual server class, and CERT_INFO contains the
(Let's Encrypt) certificate file locations.) As far as I can figure out,
the actual HTTP server is not instantiated until cherrypy.engine.start()
is called, and everything I do after that seems to be ignored (which is
odd in itself).

What can I do to access the SSL context? Is it possible at all?

Regards,
Gertjan.

--
You received this message because you are subscribed to the Google Groups "cherrypy-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/cherrypy-users.
For more options, visit https://groups.google.com/d/optout.
Re: Get at SSL context

Stefan Krüger
Hi Gertjan,

I haven't tested anything, only looked at the documentation.
In your example you are overriding the svr variable with the new server settings?! Is this only a copy and paste bug?
I think you already know the documentation on SSL: http://docs.cherrypy.org/en/latest/deploy.html#ssl
Additionally I found multiple-http-servers at http://docs.cherrypy.org/en/latest/advanced.html#multiple-http-servers-support
and at http://docs.cherrypy.org/en/latest/pkg/cherrypy.html#cherrypy._cpserver.Server.ssl_context

ssl_context = None
When using PyOpenSSL, an instance of SSL.Context.

Is this the thing you were searching for?


(untested, copied and pasted from the documentation:)

import cherrypy
from cherrypy._cpserver import Server

normal_server = Server()
normal_server.socket_port = 80
normal_server.subscribe()

secure_server = Server()
secure_server.socket_port = 443

secure_server.ssl_certificate = "cert.pem"

....
my_ssl_context = secure_server.ssl_context
# do something with this context...?


# now both servers are following the cherrypy life-cycle.
...
cherrypy.engine.start()
...



Hope that helps you in some way..

sunny greetings
stefan


On Tuesday, September 6, 2016 at 2:10:17 PM UTC+2, Gertjan Klein wrote:
Re: Get at SSL context

Gertjan Klein
Stefan Krüger wrote:

Thanks for your reply! It caused me to look at this again.

> in your example you are overriding the svr variable with the new
> server settings?! is this only a copy and paste bug?

No, I create two server instances that I subscribe and then no longer
need a reference to, so I just reuse the same name.

> ssl_context = None
> When using PyOpenSSL, an instance of SSL.Context.
>
> is this the thing you have searched for?

No. :-)  I use CherryPy with the standard ssl module, not with
PyOpenSSL. I found, in ssl_builtin.py, that CherryPy will call the
standard Python ssl module create_default_context, if it has one (mine,
3.4, does). However, I couldn't find where in my source code to access
this (or on what object).

> secure_server = Server()
> secure_server.socket_port = 443
>
> secure_server.ssl_certificate = "cert.pem"
>
> ....
> my_ssl_context = secure_server.ssl_context
> # do something with this context...?

I don't know if this works with PyOpenSSL, but with the builtin ssl
module, the ssl_context property is still None at this point. Even after
starting the engine, it is None.

However, I managed to get some debug logging going (somehow the logging
I had set up previously did not work properly -- still have to figure out
why!), and thanks to that I found the path to the context:

svr.httpserver.ssl_adapter.context

This only gets set up in cherrypy.engine.start(), so the above is only
usable after that code has run. I still have to test whether changing
things on this object actually works, but it's progress. ;-)  (One thing
I'm worried about is whether the threads that CherryPy uses will pick up
those changes...)

Thanks, regards,
Gertjan.


Re: Get at SSL context

Gertjan Klein
An update: I managed to change the ssl context settings. Between that
and a few security headers, I now get an A+ at the SSLlabs server test. :-)

For those interested, here is how I did it:

import ssl
import cherrypy

def create_server():
    # Remove default server, we need two separate ones
    cherrypy.server.unsubscribe()

    # Create server for HTTP
    svr = cherrypy._cpserver.Server()
    svr._socket_host = "0.0.0.0"
    svr.socket_port = 80
    svr.subscribe()

    # Create server for HTTPS
    svr = cherrypy._cpserver.Server()
    svr._socket_host = '0.0.0.0'
    svr.socket_port = 443
    svr.ssl_module = 'builtin'
    svr.ssl_certificate = CERT_INFO['ssl_certificate']
    svr.ssl_private_key = CERT_INFO['ssl_private_key']
    svr.ssl_certificate_chain = CERT_INFO['ssl_certificate_chain']
    svr.subscribe()

    # Mount root server and update global config
    cherrypy.tree.mount(Root(), '', CONF)
    cherrypy.config.update(CONF)

    # Start the server
    cherrypy.engine.start()

    # Get the ssl module's default context (it only exists after engine.start())
    ssl_context = svr.httpserver.ssl_adapter.context
    # Turn off TLS v1.0 and v1.1
    ssl_context.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
    # Limit ciphers to most secure ones
    ssl_context.set_ciphers('AES256+EECDH:AES256+EDH:!aNULL')

    cherrypy.engine.block()

Regards,
Gertjan.

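The two changes Gertjan makes to the context in the last post (disable TLS 1.0/1.1, restrict the cipher list) are shown here as an added, stand-alone example; it is not code from the thread or from CherryPy and does not need CherryPy to run. It builds a server-side ssl.SSLContext the same way the builtin adapter does (ssl.create_default_context with Purpose.CLIENT_AUTH; certificate loading is left out), applies the hardening, and then reads the policy back out of the context so it can be verified rather than assumed. The function names (harden_context, describe_policy, check_hardened) are this example's own.

```python
import ssl
import warnings

# Cipher string from the post: AES-256 suites with ECDHE or DHE key exchange
# only, and no anonymous (unauthenticated) key exchange.
CIPHER_STRING = 'AES256+EECDH:AES256+EDH:!aNULL'


def default_server_context():
    """The unhardened starting point: what the builtin adapter creates."""
    # Purpose.CLIENT_AUTH gives a context intended for the server side.
    # Certificate/key loading is omitted so this runs offline.
    return ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)


def harden_context(ctx):
    """Disable TLS 1.0/1.1 and restrict the cipher list on ctx, in place."""
    # Preferred API on Python 3.7+: a minimum protocol version.
    if hasattr(ssl, 'TLSVersion'):
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # The OP_NO_* flags the post uses; they are what Python 3.4 offers and
    # still work, but are deprecated since 3.10 in favour of minimum_version.
    with warnings.catch_warnings():
        warnings.simplefilter('ignore', DeprecationWarning)
        ctx.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
    # Governs TLS <= 1.2 suites only; TLS 1.3 suites are not affected.
    ctx.set_ciphers(CIPHER_STRING)
    return ctx


def build_server_context():
    """Default server context with the post's hardening applied."""
    return harden_context(default_server_context())


def describe_policy(ctx):
    """Read back what the context will actually negotiate."""
    legacy_off = bool(ctx.options & ssl.OP_NO_TLSv1) and \
        bool(ctx.options & ssl.OP_NO_TLSv1_1)
    if hasattr(ssl, 'TLSVersion'):
        legacy_off = legacy_off or ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    # get_ciphers() lists every suite the context may offer. TLS 1.3 suites
    # are excluded here because set_ciphers() does not control them.
    pre13 = [c['name'] for c in ctx.get_ciphers() if c['protocol'] != 'TLSv1.3']
    return {
        'tls10_tls11_disabled': legacy_off,
        'pre_tls13_ciphers': pre13,
        'all_aes256': all('AES256' in name for name in pre13),
    }


def check_hardened(ctx):
    """Raise if ctx still allows what the post set out to remove; else return the policy."""
    policy = describe_policy(ctx)
    if not policy['tls10_tls11_disabled']:
        raise RuntimeError('TLS 1.0 or TLS 1.1 still enabled')
    if not policy['pre_tls13_ciphers'] or not policy['all_aes256']:
        raise RuntimeError('cipher list not restricted as intended')
    return policy


if __name__ == '__main__':
    print(check_hardened(build_server_context()))
```

Run against the context obtained in the post (svr.httpserver.ssl_adapter.context), check_hardened is the startup assertion that makes the hardening visible rather than silent. Two caveats worth knowing when the context is modified after cherrypy.engine.start(), as in the post: each new connection reads the shared SSLContext at wrap time, so worker threads do pick up the change for every connection accepted afterwards (the concern raised in the previous message), but connections that complete their handshake in the window between engine.start() and the change are still negotiated with the default settings.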