Twisted listenSSL virtualhosts


Problem description

Currently using a really simple Twisted NameVirtualHost coupled with some JSON config files to serve really basic content in one Site object. The resources being served by Twisted are all WSGI objects built in flask.

I was wondering on how to go about wrapping the connections to these domains with an SSLContext, since reactor.listenSSL takes one and only one context, it isn't readily apparent how to give each domain/subdomain its own crt/key pair. Is there any way to set up named virtual hosting with ssl for each domain that doesn't require proxying? I can't find any Twisted examples that use NameVirtualHost with SSL, and the only thing I could get to work is hook on the reactor listening on port 443 with only one domain's context?

I was wondering if anyone has attempted this?

My simple server without any SSL processing:

https://github.com/DeaconDesperado/twsrv/blob/master/service.py

Recommended answer

TLS (the name for the modern protocol which replaces SSL) only very recently supports the feature you're looking for. The feature is called Server Name Indication (or SNI). It is supported by modern browsers on modern platforms, but not some older but still widely used platforms (see the Wikipedia page for a list of browsers with support).

Twisted has no specific, built-in support for this. However, it doesn't need any. pyOpenSSL, upon which Twisted's SSL support is based, does support SNI.

The set_tlsext_servername_callback pyOpenSSL API gives you the basic mechanism to build the behavior you want. This lets you define a callback which is given access to the server name requested by the client. At this point, you can specify the key/certificate pair you want to use for the connection. You can find an example demonstrating the use of this API in pyOpenSSL's examples directory.

Here's an excerpt from that example to give you the gist:

from OpenSSL.SSL import Context, TLSv1_METHOD

# certificates: mapping of SNI server name -> (key, cert), populated elsewhere in the pyOpenSSL example
def pick_certificate(connection):
    try:
        # get_servername() returns the name the client sent in its ClientHello (None if it sent no SNI)
        key, cert = certificates[connection.get_servername()]
    except KeyError:
        pass  # unknown or missing name: keep the default context on the connection
    else:
        new_context = Context(TLSv1_METHOD)
        new_context.use_privatekey(key)
        new_context.use_certificate(cert)
        connection.set_context(new_context)  # swap this connection over to the matching key/cert

server_context = Context(TLSv1_METHOD)
server_context.set_tlsext_servername_callback(pick_certificate)

You can incorporate this approach into a customized context factory and then supply that context factory to the listenSSL call.
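As an added example (not from the answer, and not code from Twisted or pyOpenSSL), here is one way to wrap that callback in a context factory that reactor.listenSSL accepts. It assumes a dict of already-loaded (PKey, X509) pairs keyed by host name; the match_servername helper, its wildcard rule and its fallback to a default host for clients that send no SNI are my own construction.

```python
def match_servername(servername, hostnames, default):
    """Map the ClientHello's SNI value to a configured host name.
    No SNI (old clients) or an unknown name falls back to `default`, so the
    handshake still completes with the default certificate rather than the
    connection being dropped; a '*.example.com' entry covers one label only."""
    if not servername:
        return default
    if isinstance(servername, bytes):  # pyOpenSSL hands us bytes; SNI is ASCII (RFC 6066)
        servername = servername.decode("ascii", "replace")
    name = servername.lower().rstrip(".")
    if name in hostnames:
        return name
    labels = name.split(".")
    wildcard = "*." + ".".join(labels[1:])
    if len(labels) > 2 and wildcard in hostnames:
        return wildcard
    return default


class SNIContextFactory:
    """Context factory for reactor.listenSSL(443, site, SNIContextFactory(certs, "example.com")):
    getContext() returns the default Context, whose servername callback swaps in the
    matching per-host Context. certs = {hostname: (PKey, X509)} loaded via OpenSSL.crypto."""

    def __init__(self, certificates, default):
        # Imported here rather than at module top so match_servername stays
        # usable on a machine without pyOpenSSL installed.
        from OpenSSL.SSL import (Context, SSLv23_METHOD, OP_NO_SSLv2, OP_NO_SSLv3,
                                 OP_NO_TLSv1, OP_NO_TLSv1_1)
        self._default = default
        self._contexts = {}
        for host, (key, cert) in certificates.items():
            ctx = Context(SSLv23_METHOD)
            ctx.set_options(OP_NO_SSLv2 | OP_NO_SSLv3 | OP_NO_TLSv1 | OP_NO_TLSv1_1)
            ctx.use_privatekey(key)
            ctx.use_certificate(cert)
            ctx.check_privatekey()  # fail at startup, not mid-handshake, on a key/cert mismatch
            self._contexts[host] = ctx
        # Only the listening (default) context sees the ClientHello, so the
        # callback is registered there and hands the connection a new context.
        self._contexts[default].set_tlsext_servername_callback(self._select)

    def _select(self, connection):
        host = match_servername(connection.get_servername(), self._contexts, self._default)
        if host != self._default:
            connection.set_context(self._contexts[host])

    def getContext(self):
        return self._contexts[self._default]
```

Note that the default host's certificate is what a client with no SNI support will be shown, so choose it deliberately rather than letting dict order decide.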
