util.py 文件源码

python

项目:mu 作者: excamera 项目源码 文件源码
def ssl_context(cacert, srvcrt, srvkey):
    """Build a pyOpenSSL context that verifies the peer and presents our own certificate.

    Args:
        cacert: CA certificate text (per the original comment, supplied at
            lambda invocation); it is run through format_ssl_cert() before
            being parsed as PEM.
        srvcrt: one or more certificates separated by single spaces. The
            first becomes the context's own certificate, the rest are added
            as extra chain certificates in the order given.
        srvkey: private key text; it is run through format_ssl_key() before
            being parsed as PEM.

    Returns:
        The configured SSL.Context.

    Security notes:
        * The peer is accepted when OpenSSL's chain verification succeeds
          against the supplied CA (depth limit 9). The verify callback adds
          no further check, so nothing in this function validates a hostname
          or pins a specific peer identity.
        * No default verify paths are loaded here, so the supplied CA is the
          only trust anchor this function adds.
    """
    def _keep_preverify_result(_conn, _cert, _errnum, _depth, ok):
        # Pass OpenSSL's own verdict through unchanged.
        return ok

    # General setup: TLS 1.2 only, TLS compression disabled, cipher list
    # taken from libmu.defs.Defs.cipher_list (its contents are not visible here).
    # NOTE(review): newer pyOpenSSL releases deprecate the version-specific
    # methods in favour of TLS_METHOD plus a minimum protocol version --
    # confirm against the pinned pyOpenSSL before changing.
    ctx = SSL.Context(SSL.TLSv1_2_METHOD)
    ctx.set_verify_depth(9)
    ctx.set_options(SSL.OP_NO_COMPRESSION)
    write_modes = (_ssl_lib.SSL_MODE_ENABLE_PARTIAL_WRITE
                   | _ssl_lib.SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER)
    ctx.set_mode(write_modes)
    ctx.set_cipher_list(libmu.defs.Defs.cipher_list)

    # Require a peer certificate; VERIFY_FAIL_IF_NO_PEER_CERT only takes
    # effect when this context is used on the server side of a handshake.
    verify_flags = SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT
    ctx.set_verify(verify_flags, _keep_preverify_result)

    # Trust anchor: the CA certificate handed in by the caller.
    ca_pem = format_ssl_cert(cacert)
    ca_x509 = crypto.load_certificate(crypto.FILETYPE_PEM, ca_pem)
    ctx.get_cert_store().add_cert(ca_x509)

    # Our own certificate chain: leaf first, then any intermediates.
    chain_parts = srvcrt.split(' ')
    leaf_x509 = crypto.load_certificate(crypto.FILETYPE_PEM, format_ssl_cert(chain_parts[0]))
    ctx.use_certificate(leaf_x509)
    for extra in chain_parts[1:]:
        extra_x509 = crypto.load_certificate(crypto.FILETYPE_PEM, format_ssl_cert(extra))
        ctx.add_extra_chain_cert(extra_x509)

    # Private key for the leaf certificate.
    key_pem = format_ssl_key(srvkey)
    ctx.use_privatekey(crypto.load_privatekey(crypto.FILETYPE_PEM, key_pem))

    # Fails here, rather than at handshake time, if key and certificate do not match.
    ctx.check_privatekey()

    return ctx

###
#  SSLize a connected socket, requiring a supplied cacert
###