Tornado with SSL

yogesh panchal

Nov 3, 2011, 7:45:48 AM
to Tornado Web Server
Hi,

I am trying to use tornado with ssl for my web application,

I added the following code to my main.py file:

http_server = tornado.httpserver.HTTPServer(application,
    ssl_options=dict(
        certfile="/PATH-TO/Certificate.crt",
        keyfile="/PATH-TO/Certificate.key",
        cert_reqs=ssl.CERT_REQUIRED,
        ca_certs="cacert.crt"))
application.listen(8888)
tornado.ioloop.IOLoop.instance().start()

After adding the above code to my main.py, when I run my web application
I can access it through

http://localhost:8888

but I cannot access it through

https://localhost:8888

When I use https I don't get any error, and in the browser there is only the loading icon.

Srini

Nov 3, 2011, 12:53:42 PM
to python-...@googlegroups.com
How are the certificates generated? Typically they are associated with a domain or subdomain of a domain.

I would use nginx for SSL termination rather than depend on an app server.

Ben Darnell

Nov 3, 2011, 1:20:12 PM
to python-...@googlegroups.com
You need to call listen() on the HTTPServer you created. You're using
Application.listen instead which creates a new HTTPServer (ignoring
the one that already exists) and listens on it. To support both HTTP
and HTTPS you'll need to create two HTTPServers on different ports,
one with ssl_options and one without.

Also, setting cert_reqs to ssl.CERT_REQUIRED means your server will
ask for client certificates too - this is probably not what you want.

-Ben

yogesh panchal

Nov 4, 2011, 8:33:25 AM
to python-...@googlegroups.com
Hi Ben,

Thanks for the reply. You mean to say I have to create two HTTPServers. Please see the code I wrote below; if I am wrong, please correct me.


if __name__ == "__main__":
    http_server = tornado.httpserver.HTTPServer(application,
        ssl_options=dict(
            certfile="/PATH-TO/server.crt",
            keyfile="/PATH-TO/server.key",
            ca_certs="cacert.crt"))
    application.listen(8080)
    tornado.ioloop.IOLoop.instance().start()

    http_server = tornado.httpserver.HTTPServer(application)
    application.listen(8888)
    tornado.ioloop.IOLoop.instance().start()

And I am using application.listen(8888) because I have defined application = tornado....
See the code below.

application = tornado.web.Application([(r"/",LoginHandler),


Thanks & Regards

Yogesh Panchal


>>> If You Go Black There is No Other Way to Come Back ........!

yogesh panchal

Nov 4, 2011, 8:37:18 AM
to python-...@googlegroups.com
Hi Srini,

Thanks for the reply. I am using OpenSSL with Tornado, and the certificates are generated using commands I found while searching Google. Currently I am testing this on my local machine; once it's done correctly on the local machine I am going to purchase SSL from a domain provider.

How can I use nginx along with my Tornado & Python application? I am confused about this. Do I need to change my code or something else?

Ben Darnell

Nov 4, 2011, 3:31:59 PM
to python-...@googlegroups.com
If you create an HTTPServer, you must call listen() (or
bind()/start()) on it or else it won't do anything. You want to
create one Application and add it to two HTTPServers, and then call
listen on each HTTPServer (or, now that I think about it, you can also
simply call Application.listen twice and pass it ssl_options one of
those times). Read the code for Application.listen and you'll see
what's going on. Also, you should only start the IOLoop once, after
all the servers have been created.

-Ben
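
An added example (not code from the thread or from the Tornado project) of the layout Ben describes: one Application, two HTTPServers, listen() called on each server object, and a single event loop. The ports, MainHandler and the cert.pem/key.pem paths are assumptions, and asyncio.run() stands in for the thread's IOLoop.instance().start(), as current Tornado releases recommend.

```python
"""One Application served over both HTTP and HTTPS (added example)."""
import asyncio
import ssl

import tornado.httpserver
import tornado.web

# Assumed values for this sketch, not taken from the thread.
HTTP_PORT, HTTPS_PORT = 8080, 8443
CERTFILE, KEYFILE = "cert.pem", "key.pem"  # PEM files, as in the final post


class MainHandler(tornado.web.RequestHandler):  # hypothetical handler
    def get(self):
        # request.protocol is "https" on the TLS listener, "http" otherwise
        self.write("served over " + self.request.protocol)


def server_tls_context(certfile, keyfile, client_ca=None):
    """Server-side context; client certificates only if client_ca is given."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.load_cert_chain(certfile, keyfile)
    if client_ca is not None:
        # Same effect as cert_reqs=ssl.CERT_REQUIRED plus ca_certs: every
        # client must present a certificate signed by this CA.
        ctx.load_verify_locations(client_ca)
        ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def build_servers(app, tls_ctx):
    """Wrap one Application in a plain and a TLS HTTPServer (not listening yet)."""
    plain = tornado.httpserver.HTTPServer(app)
    secure = tornado.httpserver.HTTPServer(app, ssl_options=tls_ctx)
    return plain, secure


async def main():
    app = tornado.web.Application([(r"/", MainHandler)])
    plain, secure = build_servers(app, server_tls_context(CERTFILE, KEYFILE))
    # listen() is called on the HTTPServer objects themselves, once each.
    plain.listen(HTTP_PORT)
    secure.listen(HTTPS_PORT)
    await asyncio.Event().wait()  # one event loop serves both listeners


if __name__ == "__main__":
    asyncio.run(main())
```

Leaving client_ca unset keeps verify_mode at ssl.CERT_NONE, so browsers are not asked for a client certificate.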

yogesh panchal

Nov 8, 2011, 6:45:19 AM
to python-...@googlegroups.com
Hi Ben,

First of all, thanks for your help. I completed Tornado with OpenSSL using the following code.

http_server = tornado.httpserver.HTTPServer(application,
                                            ssl_options={
    "certfile": os.path.join("./", "cert.pem"),
    "keyfile": os.path.join("./", "key.pem"),
})

if __name__ == "__main__":
    http_server.listen(8888)
    tornado.ioloop.IOLoop.instance().start()


Rajdeep Rath

Sep 16, 2019, 7:44:13 AM
to python-...@googlegroups.com
I have used letsencrypt with tornado and it works fine. You can also generate via website - https://zerossl.com/. Can't recall if I had to ever generate the CSR manually though.

On Mon, 16 Sep, 2019, 4:56 pm Murali Darvadi, <123d....@gmail.com> wrote:
How did you generate this certificate and key in .pem format? I'm having the same issue as you, but I'm using .crt and .key formats. It's not working for me.


Pierce Lopez

Sep 16, 2019, 11:46:06 AM
to python-...@googlegroups.com
Files in PEM format are often given other filename extensions, which are somewhat arbitrary. If you cat them, or open them in a text editor, they look like this inside:

-----BEGIN CERTIFICATE-----
MIIEzjCCAragAwIBAgIJAOWuVyOjYZjAMA0GCSqGSIb3DQEBCwUAMIGMMQswCQYD
... more base64 lines ...
c5/cEpnCN6oRI+qsg+J+svS7M+m6g3BLcYkFeleJ+2Luz3SJcBpdpBJwntkly0nQ
qFHMPp/sj4riwUN/O8ZV54MeGHmXpvCQKlXYJJVLUcYdgg==
-----END CERTIFICATE-----

and for the private key:

-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDbL7kmg7QOOWOC
... more base64 lines ...
tqcysunvzupwwyJjEVzulqwlXoOdwThCQ8WTHDB2+4OSHf++NlYU11HC9JZ7RDhV
qPpQvL1gcVl67atpC6V3Wm4=
-----END PRIVATE KEY-----

The filename extension is just a convention (of which there are a few).
- Pierce
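
An added example (not part of Pierce's post) that identifies a certificate or key file by its content rather than its extension, and converts a DER certificate to PEM with the standard library. The names classify and certificate_as_pem and the sample bytes are constructed for illustration.

```python
"""Identify certificate/key encoding by content, not by file name (added example)."""
import re
import ssl

# One PEM block: BEGIN line, base64 body, matching END line.
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s.*?-----END \1-----", re.S)


def classify(data: bytes) -> dict:
    """Report encoding and PEM labels from file content; the name is ignored."""
    labels = [m.group(1).decode("ascii") for m in PEM_BLOCK.finditer(data)]
    if labels:
        # PKCS#8 marks encryption in the label, the older format in a header.
        locked = (any("ENCRYPTED" in label for label in labels)
                  or b"Proc-Type: 4,ENCRYPTED" in data)
        return {"encoding": "PEM", "labels": labels, "needs_password": locked}
    if data[:1] == b"\x30":  # DER is binary ASN.1 and starts with a SEQUENCE tag
        return {"encoding": "DER", "labels": [], "needs_password": False}
    return {"encoding": "unknown", "labels": [], "needs_password": False}


def certificate_as_pem(data: bytes) -> str:
    """Return certificate bytes as PEM text, converting from DER if needed.

    The caller must know the input is a certificate: a DER private key also
    starts with 0x30 and would be given the wrong label.
    """
    kind = classify(data)
    if kind["encoding"] == "PEM" and "CERTIFICATE" in kind["labels"]:
        return data.decode("ascii")
    if kind["encoding"] == "DER":
        return ssl.DER_cert_to_PEM_cert(data)
    raise ValueError("not a PEM or DER certificate")


# Constructed sample inputs (placeholder bytes, not real certificates or keys).
SAMPLE_DER = b"\x30\x82\x01\x0a" + bytes(range(256)) + bytes(10)
SAMPLE_KEY = (b"-----BEGIN ENCRYPTED PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n"
              b"-----END ENCRYPTED PRIVATE KEY-----\n")

if __name__ == "__main__":
    pem = certificate_as_pem(SAMPLE_DER)
    print(classify(SAMPLE_DER)["encoding"], "->", classify(pem.encode())["labels"])
    print(classify(SAMPLE_KEY))
```

A key reported with needs_password set cannot be loaded from certfile/keyfile paths alone; ssl.SSLContext.load_cert_chain takes a password argument for that case.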

