ssl: add AutopushSSLContextFactory

Adds the ability to use a certificate chain file and turns off SSLv3.
mozilla-services · Apr 9, 2015 · 5ca8328 · 5ca8328
1 parent 94b6668
commit 5ca8328
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 7 deletions.
diff --git a/autopush/main.py b/autopush/main.py
@@ -4,13 +4,14 @@
 import configargparse
 import cyclone.web
 from autobahn.twisted.websocket import WebSocketServerFactory, listenWS
-from twisted.internet import reactor, task, ssl
+from twisted.internet import reactor, task
 from twisted.python import log
 
 from autopush.endpoint import (EndpointHandler, RegistrationHandler)
 from autopush.health import StatusHandler
 from autopush.logging import setup_logging
 from autopush.settings import AutopushSettings
+from autopush.ssl import AutopushSSLContextFactory
 from autopush.utils import str2bool
 from autopush.websocket import (
     SimplePushServerProtocol,
@@ -274,16 +275,16 @@ def connection_main(sysargs=None):
 
     # Start the WebSocket listener.
     if args.ssl_key:
-        contextFactory = ssl.DefaultOpenSSLContextFactory(args.ssl_key,
-                                                          args.ssl_cert)
+        contextFactory = AutopushSSLContextFactory(args.ssl_key,
+                                                   args.ssl_cert)
         listenWS(factory, contextFactory)
     else:
         reactor.listenTCP(args.port, factory)
 
     # Start the internal routing listener.
     if args.router_ssl_key:
-        contextFactory = ssl.DefaultOpenSSLContextFactory(args.router_ssl_key,
-                                                          args.router_ssl_cert)
+        contextFactory = AutopushSSLContextFactory(args.router_ssl_key,
+                                                   args.router_ssl_cert)
         reactor.listenSSL(args.router_port, site, contextFactory)
     else:
         reactor.listenTCP(args.router_port, site)
@@ -335,8 +336,8 @@ def endpoint_main(sysargs=None):
     settings.metrics.start()
 
     if args.ssl_key:
-        contextFactory = ssl.DefaultOpenSSLContextFactory(args.ssl_key,
-                                                          args.ssl_cert)
+        contextFactory = AutopushSSLContextFactory(args.ssl_key,
+                                                   args.ssl_cert)
         reactor.listenSSL(args.port, site, contextFactory)
     else:
         reactor.listenTCP(args.port, site)

diff --git a/autopush/ssl.py b/autopush/ssl.py
@@ -0,0 +1,13 @@
+from OpenSSL import SSL
+from twisted.internet import ssl
+
+
+class AutopushSSLContextFactory(ssl.DefaultOpenSSLContextFactory):
+    def cacheContext(self):
+        if self._context is None:
+            ctx = self._contextFactory(self.sslmethod)
+            ctx.set_options(SSL.OP_NO_SSLv2)
+            ctx.set_options(SSL.OP_NO_SSLv3)
+            ctx.use_certificate_chain_file(self.certificateFileName)
+            ctx.use_privatekey_file(self.privateKeyFileName)
+            self._context = ctx