Access client x509 certificate in twisted / lean handler
Trying to figure out how to determine which client is connected in the protocol handler by accessing the x509 certificate. (Twisted, Thrift)
I found a Twisted example that passes the certificate to the SSL handler, showing that `self.transport.getPeerCertificate()` can be called in the handler, but the transport does not appear to be available when using the lean handler. Is there a way to get the x509 cert in a handler when using Twisted Thrift?
#!/usr/bin/env python
from OpenSSL import SSL
from twisted.internet import reactor, ssl
from thrift.transport import TTwisted
from thrift.protocol import TBinaryProtocol
from zope.interface import implements
from stwisted.test import TestStuff
class TestHandler:
    """Thrift service implementation for the ``TestStuff`` interface.

    Only the RPC arguments reach the methods of this class; nothing in the
    signature carries the Twisted transport, so the peer's x509 certificate
    is not reachable from here as written.
    """
    implements(TestStuff.Iface)

    def echo(self, instring):
        """Return *instring* with its characters in reverse order."""
        # NOTE(review): the client's x509 cert is wanted here, but this method
        # only receives the RPC argument — TODO confirm whether the protocol
        # object / transport can be handed to the handler by the server factory.
        return ''.join(reversed(instring))
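def Callback(connection, x509, errnum, errdepth, ok):
    """pyOpenSSL ``set_verify`` callback: accept or reject one chain certificate.

    Args:
        connection: the SSL connection under verification (unused here).
        x509: the certificate at this position of the peer's chain.
        errnum: OpenSSL verification error code for ``x509``; 0 means no error.
        errdepth: position of ``x509`` in the chain; 0 is the peer's own cert.
        ok: OpenSSL's own verdict for this certificate.

    Returns:
        True to accept this certificate, False to abort the handshake.  The
        function never returns True when OpenSSL rejected the certificate
        (``ok`` false or ``errnum`` non-zero), so it can only observe and
        tighten verification, never loosen it.
    """
    if not (ok and errnum == 0):
        # Fail closed: OpenSSL reported a problem with this certificate.
        print('Invalid cert from subject: %s' % x509.get_subject())
        print('Error no: %d' % errnum)
        return False
    if errdepth == 0:
        # Leaf certificate: record who the peer claims to be.
        try:
            print('Cert: %s' % x509.get_subject())
        except Exception:
            # Narrowed from a bare ``except:`` so KeyboardInterrupt/SystemExit
            # are not swallowed; a cert we cannot describe is still rejected.
            print('Couldn\'t find appropriate tags in cert')
            return False
    return True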
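def main():
    """Start a Thrift-over-TLS server on port 4444 that requires a client cert."""
    print('Started')
    handler = TestHandler()
    processor = TestStuff.Processor(handler)
    pfactory = TBinaryProtocol.TBinaryProtocolFactory()
    # Bug fix: the original passed the undefined name ``protofactory`` here,
    # which raises NameError before the server ever listens.
    sfactory = TTwisted.ThriftServerFactory(processor, pfactory)
    # NOTE(review): TLSv1_METHOD selects TLS 1.0 only — confirm this is
    # intended; a method that negotiates newer TLS versions is preferable.
    sslCtxFactory = ssl.DefaultOpenSSLContextFactory('server.key',
                                                     'server.crt',
                                                     SSL.TLSv1_METHOD)
    ctx = sslCtxFactory.getContext()
    # Demand a client certificate and route every chain element through
    # ``Callback``; VERIFY_FAIL_IF_NO_PEER_CERT aborts the handshake when the
    # client presents none.
    ctx.set_verify(
        SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT,
        Callback
    )
    # Trust anchors that client certificates must chain to.
    ctx.load_verify_locations('ca_chain.crt')
    reactor.listenSSL(4444, sfactory, sslCtxFactory)
    print('Starting Reactor')
    reactor.run()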
# Start the server only when run as a script, not when imported.
if __name__ == '__main__':
    main()