cheroot.ssl.builtin module#

A library for integrating Python’s builtin ssl library with Cheroot.

The ssl module must be importable for SSL functionality.

To use this module, set HTTPServer.ssl_adapter to an instance of BuiltinSSLAdapter.

class cheroot.ssl.builtin.BuiltinSSLAdapter(certificate, private_key, certificate_chain=None, ciphers=None, *, private_key_password=None)#

Bases: Adapter

Wrapper for integrating Python’s builtin ssl with Cheroot.

This adapter uses TLSSocket internally to provide a consistent interface for SSL/TLS connections.

CERT_KEY_TO_ENV = {'issuer': 'I_DN', 'notAfter': 'V_END', 'notBefore': 'V_START', 'serialNumber': 'M_SERIAL', 'subject': 'S_DN', 'subjectAltName': 'SAN', 'version': 'M_VERSION'}#
CERT_KEY_TO_LDAP_CODE = {'commonName': 'CN', 'countryName': 'C', 'description': 'D', 'emailAddress': 'Email', 'givenName': 'G', 'initials': 'I', 'localityName': 'L', 'organizationName': 'O', 'organizationalUnitName': 'OU', 'stateOrProvinceName': 'ST', 'surname': 'S', 'title': 'T', 'userid': 'UID'}#
_abc_impl = <_abc._abc_data object>#
_check_for_plain_http(raw_socket)#

Check if the client sent plain HTTP by peeking at first bytes.

This is a best-effort check that provides a helpful error message when a client accidentally uses plain HTTP on an HTTPS port. If plain HTTP cannot be detected (timeout, no data yet, etc.), it returns False and lets the SSL handshake proceed, which will then fail with its own error.

Returns:

bool: True if plain HTTP is detected, False otherwise

_create_context()#

Return an ssl.SSLContext built from this adapter's attributes.

_create_ssl_socket(raw_socket, server_side)#

Create SSL socket without handshake.

_get_client_cert_environ(conn, ssl_environ)#

Populate the WSGI environment with client certificate details.

_get_library_version_environ()#

Get SSL library version information.

Overrides base class method to provide builtin ssl module version.

_get_optional_environ(conn)#

Get optional environment variables.

Overrides base class method for builtin ssl-specific handling.

_get_server_cert_environ()#

Get server certificate info using builtin ssl certificate parsing.

_handle_ssl_error(error)#

Handle SSL errors during handshake.

_make_env_cert_dict(env_prefix, parsed_cert)#

Return a dict of WSGI environment variables for a certificate.

E.g. SSL_CLIENT_M_VERSION, SSL_CLIENT_M_SERIAL, etc. See https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#envvars.

_make_env_dn_dict(env_prefix, cert_value)#

Return a dict of WSGI environment variables for a certificate DN.

E.g. SSL_CLIENT_S_DN_CN, SSL_CLIENT_S_DN_C, etc. See SSL_CLIENT_S_DN_x509 at https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#envvars.

_make_env_san_dict(env_prefix, cert_value)#

Return a dict of WSGI environment variables for a certificate's subjectAltName (SAN) entries.

E.g. SSL_CLIENT_SAN_Email_0, SSL_CLIENT_SAN_DNS_0, etc. See SSL_CLIENT_SAN_* at https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#envvars.

_perform_handshake(ssl_socket, raw_socket)#

Perform SSL handshake with error handling and retries.

_wait_for_handshake_data(raw_socket, direction)#

Wait for socket to be ready for read or write during handshake.

_wrap_with_builtin(raw_socket, server_side=True)#

Create a TLSSocket using Python’s built-in ssl module.

Args:

raw_socket: The raw socket to wrap

server_side: True if this is the server side

Returns:

TLSSocket: Wrapped socket ready for secure I/O

bind(sock)#

Prepare the server socket.

certificate = None#

The file name of the server SSL certificate.

certificate_chain = None#

The file name of the certificate chain file.

ciphers = None#

The list of SSL ciphers.

property context#

Get the SSL context.

private_key = None#

The file name of the server’s private key file.

private_key_password = None#

Optional passphrase for a password-protected private key.

wrap(sock)#

Wrap client socket with SSL and return environ entries.

Args:

sock: Raw socket to wrap with TLS

Returns:

tuple: (TLSSocket, ssl_environ_dict)