Python socket server that supports raw TCP and SSL simultaneously. Multiple experiments based on an echo service.


A simple Python socket server that supports both raw TCP and SSL simultaneously.

Real implementations of multiple techniques to solve the problem.

Why ?

It came up while I was working on another side project (which is pending now 🤐). Although the problem seems super simple (encapsulate TLS around a normal socket? or just resume the handshake phase?), there is no real article related to this situation. Other open source projects might already have solved it in some way, but you will have to spend days digging into them.

So I would like to amplify it, and share my little work.

Btw, why are you here? 🙄

Technical details

... a long time ago in a galaxy far, far away 🖖 ... there is a mysterious scroll 📜 ...


This is a message from 2020. Please use ...

Python 3

pip install -r requirements.txt



Pick your experiment server 👉 python <file> --help

  • MSGPEEK technique includes these experiments
  • Hijack TLS handshake technique
  • A demo web service based on the 1st technique and the Twisted framework. Please generate a valid certificate for your desired hostname (tutorial below), trust its chain - how? - and DO NOT forget to change your hosts file 😁. I already provided a sample hostname as default and a root certificate to trust.
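
A peek-based way to serve both protocols on one port, as an added example (not code from this repository): the server peeks at the first bytes of a new connection with `MSG_PEEK`, hands the socket to TLS if they form a TLS handshake record header, and otherwise treats it as raw TCP. The names `classify`, `peek_kind` and `accept_either` are hypothetical, and that the MSGPEEK experiments here work this way is an assumption.

```python
import socket
import ssl
import time

def classify(prefix: bytes) -> str:
    """Return 'tls', 'raw' or 'need_more' for the first bytes of a connection."""
    # TLS record header: content type (1) | version major (1) | minor (1) | length (2)
    if prefix[:1] and prefix[0] != 0x16:   # 0x16 = handshake record
        return "raw"
    if prefix[1:2] and prefix[1] != 0x03:  # major version is always 3
        return "raw"
    if prefix[2:3] and prefix[2] > 0x04:   # minor 0x00 (SSL 3.0) .. 0x04
        return "raw"
    return "tls" if len(prefix) >= 3 else "need_more"

def peek_kind(conn: socket.socket, timeout: float = 5.0) -> str:
    """Classify a connection without consuming any of its bytes."""
    deadline = time.monotonic() + timeout
    conn.settimeout(timeout)  # a silent client must not hold a worker forever
    while time.monotonic() < deadline:
        try:
            prefix = conn.recv(3, socket.MSG_PEEK)
        except socket.timeout:
            break
        if not prefix:
            return "closed"   # peer closed before sending anything
        kind = classify(prefix)
        if kind != "need_more":
            return kind
        time.sleep(0.01)      # partial header: wait for the rest, still unread
    return "timeout"

def accept_either(conn: socket.socket, tls_ctx: ssl.SSLContext):
    """Return a socket ready for the echo handler, or None if unusable."""
    kind = peek_kind(conn)
    if kind == "tls":
        # The peeked bytes are still queued, so the handshake reads a full ClientHello.
        return tls_ctx.wrap_socket(conn, server_side=True)
    if kind == "raw":
        return conn
    conn.close()
    return None
```

The three-byte check is a heuristic: a raw client whose payload happens to start with `0x16 0x03` would be routed to the TLS handshake and fail there, so the raw protocol should not begin with those bytes.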


  • raw 👉 nc localhost 9999

  • ssl 👉 python --help


> Create a self-signed root CA
openssl genrsa -out rootCA.key 4096
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt

> Generate Key for domain
openssl genrsa -out <domain>.key 4096

> Generate CSR (check out 'san.conf' in cert directory) with SAN extension (Chrome requirement 🤐)
openssl req -new -out <domain>.csr -key <domain>.key -config san.conf

> Sign with our rootCA (check out 'san.conf' in cert directory)
openssl x509 -req -days 3650 -in <domain>.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out <domain>.crt -extensions v3_req -extfile san.conf

> Debug
openssl req -text -noout -in <domain>.csr
openssl x509 -text -noout -in <domain>.crt

> Note
- Because the chain has only 2 nodes, there is no need to create a fullchain
- SAN is required by Chrome to trust the certificate, so if you don't want to mess with it just create/sign a certificate with CommonName (CN) == your domain name. Ref below.



All techniques used in this project are implemented at experiment level; do not use them in production.


