SSLIOStream uses the standard library's ssl module. If you need to
use PyOpenSSL instead, you'll probably need to make your own IOStream
subclass. As long as PyOpenSSL exposes the asynchronous handshake
error codes (WANT_READ, WANT_WRITE, etc.), it should be fairly
straightforward to translate SSLIOStream to another library.
-Ben
On Fri, Sep 28, 2012 at 1:31 AM, Fabio Hernandez <fairn...@gmail.com> wrote:
> Hello,
>
> I'm working on a prototype of a web service that exposes a REST API over
> HTTPS. I'm using Tornado to implement the server side and so far I'm very
> happy with this framework, in particular with the clear abstractions it
> provides to the application.
>
> Now I need to prototype a companion server side application that provides
> some specific authentication mechanism. In particular, this application
> needs to be involved in the SSL handshake when establishing the secure
> connection with the client (which is command-line based, intended to be used
> in scripts, not a web browser). This kind of behavior is possible to
> implement if one uses the pyOpenSSL package which provides the server a way
> to specify a callback which is called each time a client establishes a new
> secure connection.
>
> As far as I understand by reading the Tornado 2.4 sources, the method
> TCPServer._handle_connection creates an SSLIOStream object by wrapping the
> secure socket created by the Python ssl.wrap_socket() function. So, there is
> no direct mechanism for my application to provide Tornado a way to establish
> my "custom" secure connection.
>
> I would therefore appreciate some guidance from this community on a clean
> way to implement this using Tornado. I thought that subclassing HTTPServer
> and overriding the method TCPServer._handle_connection (which given its
> name, is not meant to be overridden) could add the desired functionality,
> provided that the resulting secure socket (the one created with pyOpenSSL)
> exposes an interface compatible with the one the class SSLIOStream exposes.
>
> Would this work? Do you see any cleaner way to implement what I need? Any
> feedback on this would be really appreciated.
>
> Regards,
>
> Fabio Hernandez
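
The translation described in the reply at the top of this thread, sketched as an added example (not code from the thread or from Tornado): one handshake attempt per I/O event, with the library's WANT_READ/WANT_WRITE conditions mapped to the event to wait for next. `HandshakeDriver`, the `READ`/`WRITE` values and the sample input are assumptions made for illustration; it runs on the standard `ssl` module's in-memory BIOs, and PyOpenSSL's `OpenSSL.SSL.WantReadError`, `WantWriteError` and `Error` classes would be passed in the same positions.

```python
import ssl

# Arbitrary stand-ins for the IOLoop read/write interest flags.
READ, WRITE = 0x001, 0x004


class HandshakeDriver:
    """Hypothetical helper: runs one handshake attempt per I/O event and
    reports which event to wait for next, as an IOStream subclass would."""

    def __init__(self, do_handshake, want_read, want_write, fatal):
        self._do_handshake = do_handshake
        self._want_read = want_read      # e.g. ssl.SSLWantReadError
        self._want_write = want_write    # e.g. ssl.SSLWantWriteError
        self._fatal = fatal              # the library's base error class
        self.done = False
        self.error = None

    def step(self):
        """Return READ or WRITE to keep waiting, 0 when finished or failed."""
        try:
            self._do_handshake()
        except self._want_read:          # must precede the base class below
            return READ
        except self._want_write:
            return WRITE
        except self._fatal as exc:
            # Not a WANT_* condition: a real failure. Record it so the
            # caller closes the stream instead of waiting for more events.
            self.error = exc
            return 0
        self.done = True
        return 0


def demo():
    """Constructed demo: client handshake over in-memory BIOs, no network."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname="server.example")
    drv = HandshakeDriver(tls.do_handshake, ssl.SSLWantReadError,
                          ssl.SSLWantWriteError, ssl.SSLError)
    first = drv.step()       # ClientHello is queued; now waiting on the peer
    hello = outgoing.read()  # bytes a real stream would write to the socket
    incoming.write(b"HTTP/1.1 400 Bad Request\r\n\r\n")  # constructed non-TLS reply
    second = drv.step()      # peer did not speak TLS: fatal, not WANT_READ
    return first, hello, second, drv
```

The order of the `except` clauses matters because the WANT_* exception classes are subclasses of the library's base error class, so catching the base class first would turn every "try again later" into a connection failure.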