self.tls_client_ca = None
self.tls_module = 'ssl'
self.use_basic_auth = False
+ self.basic_auth_credential = 'Basic ' + base64.b64encode('test:test')
class RecordingSSLSessionCache(object):
def __init__(self, server_address, request_hander_class, pem_cert_and_key,
ssl_client_auth, ssl_client_cas, ssl_client_cert_types,
ssl_bulk_ciphers, ssl_key_exchanges, enable_npn,
- record_resume_info, tls_intolerant, signed_cert_timestamps,
- fallback_scsv_enabled, ocsp_response):
+ record_resume_info, tls_intolerant,
+ tls_intolerance_type, signed_cert_timestamps,
+ fallback_scsv_enabled, ocsp_response, disable_session_cache):
self.cert_chain = tlslite.api.X509CertChain()
self.cert_chain.parsePemList(pem_cert_and_key)
# Force using only python implementation - otherwise behavior is different
self.next_protos = ['http/1.1']
else:
self.next_protos = None
- if tls_intolerant == 0:
- self.tls_intolerant = None
- else:
- self.tls_intolerant = (3, tls_intolerant)
self.signed_cert_timestamps = signed_cert_timestamps
self.fallback_scsv_enabled = fallback_scsv_enabled
self.ocsp_response = ocsp_response
self.ssl_handshake_settings.cipherNames = ssl_bulk_ciphers
if ssl_key_exchanges is not None:
self.ssl_handshake_settings.keyExchangeNames = ssl_key_exchanges
+ if tls_intolerant != 0:
+ self.ssl_handshake_settings.tlsIntolerant = (3, tls_intolerant)
+ self.ssl_handshake_settings.tlsIntoleranceType = tls_intolerance_type
+
- if record_resume_info:
+ if disable_session_cache:
+ self.session_cache = None
+ elif record_resume_info:
# If record_resume_info is true then we'll replace the session cache with
# an object that records the lookups and inserts that it sees.
self.session_cache = RecordingSSLSessionCache()
reqCAs=self.ssl_client_cas,
reqCertTypes=self.ssl_client_cert_types,
nextProtos=self.next_protos,
- tlsIntolerant=self.tls_intolerant,
signedCertTimestamps=
self.signed_cert_timestamps,
fallbackSCSV=self.fallback_scsv_enabled,
self.options.enable_npn,
self.options.record_resume,
self.options.tls_intolerant,
+ self.options.tls_intolerance_type,
self.options.signed_cert_timestamps_tls_ext.decode(
"base64"),
self.options.fallback_scsv,
- stapled_ocsp_response)
+ stapled_ocsp_response,
+ self.options.disable_session_cache)
print 'HTTPS server started on https://%s:%d...' % \
(host, server.server_port)
else:
websocket_options.private_key = self.options.cert_and_key_file
websocket_options.certificate = self.options.cert_and_key_file
if self.options.ssl_client_auth:
+ websocket_options.tls_client_cert_optional = False
websocket_options.tls_client_auth = True
if len(self.options.ssl_client_ca) != 1:
raise testserver_base.OptionError(
print 'WebSocket server started on %s://%s:%d...' % \
(scheme, host, server.server_port)
server_data['port'] = server.server_port
+ websocket_options.use_basic_auth = self.options.ws_basic_auth
elif self.options.server_type == SERVER_TCP_ECHO:
# Used for generating the key (randomly) that encodes the "echo request"
# message.
def add_options(self):
testserver_base.TestServerRunner.add_options(self)
+ self.option_parser.add_option('--disable-session-cache',
+ action='store_true',
+ dest='disable_session_cache',
+ help='tells the server to disable the'
+ 'TLS session cache.')
self.option_parser.add_option('-f', '--ftp', action='store_const',
const=SERVER_FTP, default=SERVER_HTTP,
dest='server_type',
'aborted. 2 means TLS 1.1 or higher will be '
'aborted. 3 means TLS 1.2 or higher will be '
'aborted.')
+ self.option_parser.add_option('--tls-intolerance-type',
+ dest='tls_intolerance_type',
+ default="alert",
+ help='Controls how the server reacts to a '
+ 'TLS version it is intolerant to. Valid '
+ 'values are "alert", "close", and "reset".')
self.option_parser.add_option('--signed-cert-timestamps-tls-ext',
dest='signed_cert_timestamps_tls_ext',
default='',
'support for exactly one protocol, http/1.1')
self.option_parser.add_option('--file-root-url', default='/files/',
help='Specify a root URL for files served.')
+ # TODO(ricea): Generalize this to support basic auth for HTTP too.
+ self.option_parser.add_option('--ws-basic-auth', action='store_true',
+ dest='ws_basic_auth',
+ help='Enable basic-auth for WebSocket')
if __name__ == '__main__':