Problem with certificate verification using Tornado client


Steve Zweep

Sep 23, 2014, 12:07:30 PM
to ws...@googlegroups.com
Hi,

I've been trying to get SSL certificate verification to work when using the wss: scheme in a couple of different scenarios. When using the built-in WebSocketClient this works OK. I can supply ssl_options when creating the object derived from WebSocketClient:

    # Force certificate verification (requires `import ssl`; without
    # cert_reqs the legacy wrap_socket() default is CERT_NONE)
    ssl_options = {}
    ssl_options['cert_reqs'] = ssl.CERT_REQUIRED

    # Root Certificate Store used to validate the server's chain
    ssl_options['ca_certs'] = '/etc/ssl/certs/ca-certificates.crt'

    print("Connecting to " + url + "...")
    try:
        # EchoClient is a subclass of ws4py's WebSocketClient defined elsewhere;
        # ssl_options is forwarded to the socket wrapping step
        ws = EchoClient(url, protocols=['http-only', 'chat'], heartbeat_freq=5.0, ssl_options=ssl_options)
...
 
With the TornadoWebSocketClient, ssl_options is also passed to the __init__ function during object construction. However, I found that setting the options as in the code above did not work. Looking into this a bit further I noticed that TornadoWebSocketClient.__init__() creates an SSLIOStream and that object also takes ssl_options as an argument to its __init__ function. Altering the code like this:

--- src/WebSocket-for-Python/build/lib.linux-i686-2.7/ws4py/client/tornadoclient.py     2014-09-15 15:06:26.000000000 -0400
+++ websocket/client2/tornadoclient.py  2014-09-17 13:42:08.000000000 -0400
@@ -33,9 +33,8 @@
         """
         WebSocketBaseClient.__init__(self, url, protocols, extensions,
                                      ssl_options=ssl_options, headers=headers)
-        self.ssl_options["do_handshake_on_connect"] = False
         if self.scheme == "wss":
-            self.sock = ssl.wrap_socket(self.sock, **self.ssl_options)
+            self.sock = ssl.wrap_socket(self.sock, do_handshake_on_connect=False, **self.ssl_options)
             self.io = iostream.SSLIOStream(self.sock, io_loop, ssl_options=self.ssl_options)
         else:
             self.io = iostream.IOStream(self.sock, io_loop)
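Review bot: the new `ssl.wrap_socket(self.sock, do_handshake_on_connect=False, **self.ssl_options)` line will raise a TypeError ("got multiple values for keyword argument") if a caller has put `do_handshake_on_connect` into their own ssl_options dict, which the removed line used to tolerate by overwriting it. Consider popping the key first, e.g. `opts = dict(self.ssl_options); opts.pop("do_handshake_on_connect", None)`, and passing `opts` to both `wrap_socket` and `SSLIOStream`; that also keeps the stream from ever seeing the key it rejects. Dropping the in-place mutation of `self.ssl_options` is the right call, since it previously leaked the flag into the dict the caller shared with the stream.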


made the certificate verification work. Not sure if I was missing something or if this is a bug. I had to break the "do_handshake_on_connect" out of the ssl_options because SSLIOStream complained it was not a valid option.

- Steve
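The report above turns on two things a client author has to get right: the ssl_options dict must actually require a certificate and name a CA bundle (the legacy wrap_socket() default is CERT_NONE, so an empty dict silently turns verification off), and the deferred-handshake flag has to be kept out of the dict handed to SSLIOStream. The following is an added example, not code from the thread or from ws4py, that mirrors the patched logic with a stdlib-only helper, checks that a given options dict enforces verification, and adds the one check CERT_REQUIRED alone does not give you: that the peer certificate's names match the host you dialed. The sample certificate dict, host names and the `SOCKET_ONLY_KEYS` set are constructed for the example.

```python
import ssl

# ssl_options in the shape the thread uses: keyword arguments for the legacy
# ssl.wrap_socket() API (constructed sample).
STRICT_OPTIONS = {
    "cert_reqs": ssl.CERT_REQUIRED,
    "ca_certs": "/etc/ssl/certs/ca-certificates.crt",
}

# Keys wrap_socket() accepts but SSLIOStream rejects. The thread found one;
# assumption: no others need to be split out here.
SOCKET_ONLY_KEYS = frozenset({"do_handshake_on_connect"})


def split_ssl_options(ssl_options):
    """Return (wrap_kwargs, stream_options) without mutating the caller's dict.

    wrap_kwargs carries do_handshake_on_connect=False for the socket wrapper;
    stream_options holds only keys the stream understands.
    """
    stream_options = {k: v for k, v in ssl_options.items() if k not in SOCKET_ONLY_KEYS}
    wrap_kwargs = dict(stream_options, do_handshake_on_connect=False)
    return wrap_kwargs, stream_options


def verification_enforced(ssl_options):
    """True only if the dict requires a chain and names a CA bundle to check it against."""
    return (ssl_options.get("cert_reqs") == ssl.CERT_REQUIRED
            and bool(ssl_options.get("ca_certs")))


def _dns_name_matches(pattern, hostname):
    """Exact match, or a single wildcard in the left-most label that does not
    span a dot (so '*.example.test' matches 'a.example.test' but not 'a.b.example.test')."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]                 # ".example.test"
    if not hostname.endswith(suffix):
        return False
    left = hostname[: -len(suffix)]      # the label the '*' stands for
    return left != "" and "." not in left


def hostname_matches(peercert, hostname):
    """CERT_REQUIRED validates the chain; wrap_socket() never compares the
    certificate to the host you connected to. Check subjectAltName dNSName
    entries, in the dict shape SSLSocket.getpeercert() returns, and fall back
    to the subject commonName only when no SAN is present."""
    names = [v for (k, v) in peercert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        for rdn in peercert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return any(_dns_name_matches(n, hostname) for n in names)


# Constructed peer certificate dict in getpeercert() layout.
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "ws.example.test"),),),
    "subjectAltName": (("DNS", "ws.example.test"), ("DNS", "*.example.test")),
}


if __name__ == "__main__":
    wrap_kwargs, stream_options = split_ssl_options(dict(STRICT_OPTIONS, do_handshake_on_connect=True))
    print("wrap_socket kwargs:", wrap_kwargs)
    print("SSLIOStream options:", stream_options)
    print("strict dict enforces verification:", verification_enforced(STRICT_OPTIONS))
    print("empty dict enforces verification:", verification_enforced({}))
    for host in ("ws.example.test", "api.example.test", "a.b.example.test", "example.test"):
        print(host, "->", hostname_matches(SAMPLE_PEERCERT, host))
```

`verification_enforced` is the check to run on a client's options before trusting a wss: connection in production; `hostname_matches` is the step to apply to `getpeercert()` right after the handshake, since with the options shown in the thread a valid certificate for any host in the CA bundle would otherwise be accepted.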

Sylvain Hellegouarch

Sep 23, 2014, 2:35:11 PM
to ws...@googlegroups.com
Hi Steve,

Thanks for the report. I must say, I seldom use that client and I haven't checked for a while. I may not have tested with SSL. Or maybe the Tornado interface has changed. Go figure :)

But thank you for the report. If you enjoy creating a PR, I'll gladly merge it in!

Thanks,
--
- Sylvain
http://twitter.com/lawouach

Steve Zweep

Sep 23, 2014, 9:39:48 PM
to ws...@googlegroups.com
Hi Sylvain,

I haven't used git or github much in the past, but gave it a shot and created my first PR. Hope it looks OK.

- Steve