> I'm working on a prototype of a web service that exposes a REST API over
> HTTPS. I'm using Tornado to implement the server side and so far I'm very
> happy with this framework, in particular with the clear abstractions it
> provides to the application.

> Now I need to prototype a companion server side application that provides
> some specific authentication mechanism. In particular, this application
> needs to be involved in the SSL handshake when establishing the secure
> connection with the client (which is command-line based intended to be used
> in scripts, not a web browser). This kind of behavior is possible to
> implement if one uses the pyOpenSSL package which provides the server a way
> to specify a callback which is called each time a client establishes a new
> secure connection.

> As far as I understand by reading the Tornado 2.4 sources, the method
> TCPServer._handle_connection creates a SSLIOStream object by wrapping the
> secure socket created by the Python ssl.wrap_socket() function. So, there is
> no direct mechanism for my application to provide Tornado a way to establish
> my "custom" secure connection.

> I would therefore appreciate some guidance from this community on a clean
> way to implement this using Tornado. I thought that subclassing HTTPServer
> and overriding the method TCPServer._handle_connection (which given its
> name, is not meant to be overridden) could add the desired functionality,
> provided that the resulting secure socket (the one created with pyOpenSSL)
> exposes an interface compatible with the one the class SSLIOStream exposes.

> Would this work? Do you see any cleaner way to implement what I need? Any
> feedback on this would be really appreciated.

> Regards,

> Fabio Hernandez