I'm working on a prototype of a web service that exposes a REST API over
HTTPS. I'm using Tornado to implement the server side and so far I'm very
happy with this framework, in particular with the clear abstractions it
provides to the application.
Now I need to prototype a companion server side application that provides
some specific authentication mechanism. In particular, this application
needs to be involved in the SSL handshake when establishing the secure
connection with the client (which is command-line based intended to be used
in scripts, not a web browser). This kind of behavior is possible to
implement if one uses the pyOpenSSL package which provides the server a way
to specify a callback which is called each time a client establishes a new
As far as I understand by reading the Tornado 2.4 sources, the method
TCPServer._handle_connection creates a SSLIOStream object by wrapping the
secure socket created by the Python ssl.wrap_socket() function. So, there
is no direct mechanism for my application to provide Tornado a way to
establish my "custom" secure connection.
I would therefore appreciate some guidance from this community on a clean
way to implement this using Tornado. I thought that subclassing HTTPServer
and overriding the method TCPServer._handle_connection (which given its
name, is not meant to be overridden) could add the desired functionality,
provided that the resulting secure socket (the one created with pyOpenSSL)
exposes an interface compatible with the one the class SSLIOStream exposes.
Would this work? Do you see any cleaner way to implement what I need? Any
feedback on this would be really appreciated.