%PDF- %PDF-
Direktori : /usr/lib/python3/dist-packages/twisted/protocols/ |
Current File : //usr/lib/python3/dist-packages/twisted/protocols/tls.py |
# -*- test-case-name: twisted.protocols.test.test_tls,twisted.internet.test.test_tls,twisted.test.test_sslverify -*- # Copyright (c) Twisted Matrix Laboratories. # See LICENSE for details. """ Implementation of a TLS transport (L{ISSLTransport}) as an L{IProtocol<twisted.internet.interfaces.IProtocol>} layered on top of any L{ITransport<twisted.internet.interfaces.ITransport>} implementation, based on U{OpenSSL<http://www.openssl.org>}'s memory BIO features. L{TLSMemoryBIOFactory} is a L{WrappingFactory} which wraps protocols created by the factory it wraps with L{TLSMemoryBIOProtocol}. L{TLSMemoryBIOProtocol} intercedes between the underlying transport and the wrapped protocol to implement SSL and TLS. Typical usage of this module looks like this:: from twisted.protocols.tls import TLSMemoryBIOFactory from twisted.internet.protocol import ServerFactory from twisted.internet.ssl import PrivateCertificate from twisted.internet import reactor from someapplication import ApplicationProtocol serverFactory = ServerFactory() serverFactory.protocol = ApplicationProtocol certificate = PrivateCertificate.loadPEM(certPEMData) contextFactory = certificate.options() tlsFactory = TLSMemoryBIOFactory(contextFactory, False, serverFactory) reactor.listenTCP(12345, tlsFactory) reactor.run() This API offers somewhat more flexibility than L{twisted.internet.interfaces.IReactorSSL}; for example, a L{TLSMemoryBIOProtocol} instance can use another instance of L{TLSMemoryBIOProtocol} as its transport, yielding TLS over TLS - useful to implement onion routing. It can also be used to run TLS over unusual transports, such as UNIX sockets and stdio. """ from __future__ import annotations from typing import Callable, Iterable, Optional, cast from zope.interface import directlyProvides, implementer, providedBy from OpenSSL.SSL import Connection, Error, SysCallError, WantReadError, ZeroReturnError from twisted.internet._producer_helpers import _PullToPush from twisted.internet._sslverify import _setAcceptableProtocols from twisted.internet.interfaces import ( IDelayedCall, IHandshakeListener, ILoggingContext, INegotiated, IOpenSSLClientConnectionCreator, IOpenSSLServerConnectionCreator, IProtocol, IProtocolNegotiationFactory, IPushProducer, IReactorTime, ISystemHandle, ITransport, ) from twisted.internet.main import CONNECTION_LOST from twisted.internet.protocol import Protocol from twisted.protocols.policies import ProtocolWrapper, WrappingFactory from twisted.python.failure import Failure @implementer(IPushProducer) class _ProducerMembrane: """ Stand-in for producer registered with a L{TLSMemoryBIOProtocol} transport. Ensures that producer pause/resume events from the undelying transport are coordinated with pause/resume events from the TLS layer. @ivar _producer: The application-layer producer. """ _producerPaused = False def __init__(self, producer): self._producer = producer def pauseProducing(self): """ C{pauseProducing} the underlying producer, if it's not paused. """ if self._producerPaused: return self._producerPaused = True self._producer.pauseProducing() def resumeProducing(self): """ C{resumeProducing} the underlying producer, if it's paused. """ if not self._producerPaused: return self._producerPaused = False self._producer.resumeProducing() def stopProducing(self): """ C{stopProducing} the underlying producer. There is only a single source for this event, so it's simply passed on. """ self._producer.stopProducing() def _representsEOF(exceptionObject: Error) -> bool: """ Does the given OpenSSL.SSL.Error represent an end-of-file? """ reasonString: str if isinstance(exceptionObject, SysCallError): _, reasonString = exceptionObject.args else: errorQueue = exceptionObject.args[0] _, _, reasonString = errorQueue[-1] return reasonString.casefold().startswith("unexpected eof") @implementer(ISystemHandle, INegotiated, ITransport) class TLSMemoryBIOProtocol(ProtocolWrapper): """ L{TLSMemoryBIOProtocol} is a protocol wrapper which uses OpenSSL via a memory BIO to encrypt bytes written to it before sending them on to the underlying transport and decrypts bytes received from the underlying transport before delivering them to the wrapped protocol. In addition to producer events from the underlying transport, the need to wait for reads before a write can proceed means the L{TLSMemoryBIOProtocol} may also want to pause a producer. Pause/resume events are therefore merged using the L{_ProducerMembrane} wrapper. Non-streaming (pull) producers are supported by wrapping them with L{_PullToPush}. Because TLS may need to wait for reads before writing, some writes may be buffered until a read occurs. @ivar _tlsConnection: The L{OpenSSL.SSL.Connection} instance which is encrypted and decrypting this connection. @ivar _lostTLSConnection: A flag indicating whether connection loss has already been dealt with (C{True}) or not (C{False}). TLS disconnection is distinct from the underlying connection being lost. @ivar _appSendBuffer: application-level (cleartext) data that is waiting to be transferred to the TLS buffer, but can't be because the TLS connection is handshaking. @type _appSendBuffer: L{list} of L{bytes} @ivar _connectWrapped: A flag indicating whether or not to call C{makeConnection} on the wrapped protocol. This is for the reactor's L{twisted.internet.interfaces.ITLSTransport.startTLS} implementation, since it has a protocol which it has already called C{makeConnection} on, and which has no interest in a new transport. See #3821. @ivar _handshakeDone: A flag indicating whether or not the handshake is known to have completed successfully (C{True}) or not (C{False}). This is used to control error reporting behavior. If the handshake has not completed, the underlying L{OpenSSL.SSL.Error} will be passed to the application's C{connectionLost} method. If it has completed, any unexpected L{OpenSSL.SSL.Error} will be turned into a L{ConnectionLost}. This is weird; however, it is simply an attempt at a faithful re-implementation of the behavior provided by L{twisted.internet.ssl}. @ivar _reason: If an unexpected L{OpenSSL.SSL.Error} occurs which causes the connection to be lost, it is saved here. If appropriate, this may be used as the reason passed to the application protocol's C{connectionLost} method. @ivar _producer: The current producer registered via C{registerProducer}, or L{None} if no producer has been registered or a previous one was unregistered. @ivar _aborted: C{abortConnection} has been called. No further data will be received to the wrapped protocol's C{dataReceived}. @type _aborted: L{bool} """ _reason = None _handshakeDone = False _lostTLSConnection = False _producer = None _aborted = False def __init__(self, factory, wrappedProtocol, _connectWrapped=True): ProtocolWrapper.__init__(self, factory, wrappedProtocol) self._connectWrapped = _connectWrapped def getHandle(self): """ Return the L{OpenSSL.SSL.Connection} object being used to encrypt and decrypt this connection. This is done for the benefit of L{twisted.internet.ssl.Certificate}'s C{peerFromTransport} and C{hostFromTransport} methods only. A different system handle may be returned by future versions of this method. """ return self._tlsConnection def makeConnection(self, transport): """ Connect this wrapper to the given transport and initialize the necessary L{OpenSSL.SSL.Connection} with a memory BIO. """ self._tlsConnection = self.factory._createConnection(self) self._appSendBuffer = [] # Add interfaces provided by the transport we are wrapping: for interface in providedBy(transport): directlyProvides(self, interface) # Intentionally skip ProtocolWrapper.makeConnection - it might call # wrappedProtocol.makeConnection, which we want to make conditional. Protocol.makeConnection(self, transport) self.factory.registerProtocol(self) if self._connectWrapped: # Now that the TLS layer is initialized, notify the application of # the connection. ProtocolWrapper.makeConnection(self, transport) # Now that we ourselves have a transport (initialized by the # ProtocolWrapper.makeConnection call above), kick off the TLS # handshake. self._checkHandshakeStatus() def _checkHandshakeStatus(self): """ Ask OpenSSL to proceed with a handshake in progress. Initially, this just sends the ClientHello; after some bytes have been stuffed in to the C{Connection} object by C{dataReceived}, it will then respond to any C{Certificate} or C{KeyExchange} messages. """ # The connection might already be aborted (eg. by a callback during # connection setup), so don't even bother trying to handshake in that # case. if self._aborted: return try: self._tlsConnection.do_handshake() except WantReadError: self._flushSendBIO() except Error: self._tlsShutdownFinished(Failure()) else: self._handshakeDone = True if IHandshakeListener.providedBy(self.wrappedProtocol): self.wrappedProtocol.handshakeCompleted() def _flushSendBIO(self): """ Read any bytes out of the send BIO and write them to the underlying transport. """ try: bytes = self._tlsConnection.bio_read(2**15) except WantReadError: # There may be nothing in the send BIO right now. pass else: self.transport.write(bytes) def _flushReceiveBIO(self): """ Try to receive any application-level bytes which are now available because of a previous write into the receive BIO. This will take care of delivering any application-level bytes which are received to the protocol, as well as handling of the various exceptions which can come from trying to get such bytes. """ # Keep trying this until an error indicates we should stop or we # close the connection. Looping is necessary to make sure we # process all of the data which was put into the receive BIO, as # there is no guarantee that a single recv call will do it all. while not self._lostTLSConnection: try: bytes = self._tlsConnection.recv(2**15) except WantReadError: # The newly received bytes might not have been enough to produce # any application data. break except ZeroReturnError: # TLS has shut down and no more TLS data will be received over # this connection. self._shutdownTLS() # Passing in None means the user protocol's connnectionLost # will get called with reason from underlying transport: self._tlsShutdownFinished(None) except Error: # Something went pretty wrong. For example, this might be a # handshake failure during renegotiation (because there were no # shared ciphers, because a certificate failed to verify, etc). # TLS can no longer proceed. failure = Failure() self._tlsShutdownFinished(failure) else: if not self._aborted: ProtocolWrapper.dataReceived(self, bytes) # The received bytes might have generated a response which needs to be # sent now. For example, the handshake involves several round-trip # exchanges without ever producing application-bytes. self._flushSendBIO() def dataReceived(self, bytes): """ Deliver any received bytes to the receive BIO and then read and deliver to the application any application-level data which becomes available as a result of this. """ # Let OpenSSL know some bytes were just received. self._tlsConnection.bio_write(bytes) # If we are still waiting for the handshake to complete, try to # complete the handshake with the bytes we just received. if not self._handshakeDone: self._checkHandshakeStatus() # If the handshake still isn't finished, then we've nothing left to # do. if not self._handshakeDone: return # If we've any pending writes, this read may have un-blocked them, so # attempt to unbuffer them into the OpenSSL layer. if self._appSendBuffer: self._unbufferPendingWrites() # Since the handshake is complete, the wire-level bytes we just # processed might turn into some application-level bytes; try to pull # those out. self._flushReceiveBIO() def _shutdownTLS(self): """ Initiate, or reply to, the shutdown handshake of the TLS layer. """ try: shutdownSuccess = self._tlsConnection.shutdown() except Error: # Mid-handshake, a call to shutdown() can result in a # WantWantReadError, or rather an SSL_ERR_WANT_READ; but pyOpenSSL # doesn't allow us to get at the error. See: # https://github.com/pyca/pyopenssl/issues/91 shutdownSuccess = False self._flushSendBIO() if shutdownSuccess: # Both sides have shutdown, so we can start closing lower-level # transport. This will also happen if we haven't started # negotiation at all yet, in which case shutdown succeeds # immediately. self.transport.loseConnection() def _tlsShutdownFinished(self, reason): """ Called when TLS connection has gone away; tell underlying transport to disconnect. @param reason: a L{Failure} whose value is an L{Exception} if we want to report that failure through to the wrapped protocol's C{connectionLost}, or L{None} if the C{reason} that C{connectionLost} should receive should be coming from the underlying transport. @type reason: L{Failure} or L{None} """ if reason is not None: # Squash an EOF in violation of the TLS protocol into # ConnectionLost, so that applications which might run over # multiple protocols can recognize its type. if _representsEOF(reason.value): reason = Failure(CONNECTION_LOST) if self._reason is None: self._reason = reason self._lostTLSConnection = True # We may need to send a TLS alert regarding the nature of the shutdown # here (for example, why a handshake failed), so always flush our send # buffer before telling our lower-level transport to go away. self._flushSendBIO() # Using loseConnection causes the application protocol's # connectionLost method to be invoked non-reentrantly, which is always # a nice feature. However, for error cases (reason != None) we might # want to use abortConnection when it becomes available. The # loseConnection call is basically tested by test_handshakeFailure. # At least one side will need to do it or the test never finishes. self.transport.loseConnection() def connectionLost(self, reason): """ Handle the possible repetition of calls to this method (due to either the underlying transport going away or due to an error at the TLS layer) and make sure the base implementation only gets invoked once. """ if not self._lostTLSConnection: # Tell the TLS connection that it's not going to get any more data # and give it a chance to finish reading. self._tlsConnection.bio_shutdown() self._flushReceiveBIO() self._lostTLSConnection = True reason = self._reason or reason self._reason = None self.connected = False ProtocolWrapper.connectionLost(self, reason) # Breaking reference cycle between self._tlsConnection and self. self._tlsConnection = None def loseConnection(self): """ Send a TLS close alert and close the underlying connection. """ if self.disconnecting or not self.connected: return # If connection setup has not finished, OpenSSL 1.0.2f+ will not shut # down the connection until we write some data to the connection which # allows the handshake to complete. However, since no data should be # written after loseConnection, this means we'll be stuck forever # waiting for shutdown to complete. Instead, we simply abort the # connection without trying to shut down cleanly: if not self._handshakeDone and not self._appSendBuffer: self.abortConnection() self.disconnecting = True if not self._appSendBuffer and self._producer is None: self._shutdownTLS() def abortConnection(self): """ Tear down TLS state so that if the connection is aborted mid-handshake we don't deliver any further data from the application. """ self._aborted = True self.disconnecting = True self._shutdownTLS() self.transport.abortConnection() def failVerification(self, reason): """ Abort the connection during connection setup, giving a reason that certificate verification failed. @param reason: The reason that the verification failed; reported to the application protocol's C{connectionLost} method. @type reason: L{Failure} """ self._reason = reason self.abortConnection() def write(self, bytes): """ Process the given application bytes and send any resulting TLS traffic which arrives in the send BIO. If C{loseConnection} was called, subsequent calls to C{write} will drop the bytes on the floor. """ # Writes after loseConnection are not supported, unless a producer has # been registered, in which case writes can happen until the producer # is unregistered: if self.disconnecting and self._producer is None: return self._write(bytes) def _bufferedWrite(self, octets): """ Put the given octets into L{TLSMemoryBIOProtocol._appSendBuffer}, and tell any listening producer that it should pause because we are now buffering. """ self._appSendBuffer.append(octets) if self._producer is not None: self._producer.pauseProducing() def _unbufferPendingWrites(self): """ Un-buffer all waiting writes in L{TLSMemoryBIOProtocol._appSendBuffer}. """ pendingWrites, self._appSendBuffer = self._appSendBuffer, [] for eachWrite in pendingWrites: self._write(eachWrite) if self._appSendBuffer: # If OpenSSL ran out of buffer space in the Connection on our way # through the loop earlier and re-buffered any of our outgoing # writes, then we're done; don't consider any future work. return if self._producer is not None: # If we have a registered producer, let it know that we have some # more buffer space. self._producer.resumeProducing() return if self.disconnecting: # Finally, if we have no further buffered data, no producer wants # to send us more data in the future, and the application told us # to end the stream, initiate a TLS shutdown. self._shutdownTLS() def _write(self, bytes): """ Process the given application bytes and send any resulting TLS traffic which arrives in the send BIO. This may be called by C{dataReceived} with bytes that were buffered before C{loseConnection} was called, which is why this function doesn't check for disconnection but accepts the bytes regardless. """ if self._lostTLSConnection: return # A TLS payload is 16kB max bufferSize = 2**14 # How far into the input we've gotten so far alreadySent = 0 while alreadySent < len(bytes): toSend = bytes[alreadySent : alreadySent + bufferSize] try: sent = self._tlsConnection.send(toSend) except WantReadError: self._bufferedWrite(bytes[alreadySent:]) break except Error: # Pretend TLS connection disconnected, which will trigger # disconnect of underlying transport. The error will be passed # to the application protocol's connectionLost method. The # other SSL implementation doesn't, but losing helpful # debugging information is a bad idea. self._tlsShutdownFinished(Failure()) break else: # We've successfully handed off the bytes to the OpenSSL # Connection object. alreadySent += sent # See if OpenSSL wants to hand any bytes off to the underlying # transport as a result. self._flushSendBIO() def writeSequence(self, iovec): """ Write a sequence of application bytes by joining them into one string and passing them to L{write}. """ self.write(b"".join(iovec)) def getPeerCertificate(self): return self._tlsConnection.get_peer_certificate() @property def negotiatedProtocol(self): """ @see: L{INegotiated.negotiatedProtocol} """ protocolName = None try: # If ALPN is not implemented that's ok, NPN might be. protocolName = self._tlsConnection.get_alpn_proto_negotiated() except (NotImplementedError, AttributeError): pass if protocolName not in (b"", None): # A protocol was selected using ALPN. return protocolName try: protocolName = self._tlsConnection.get_next_proto_negotiated() except (NotImplementedError, AttributeError): pass if protocolName != b"": return protocolName return None def registerProducer(self, producer, streaming): # If we've already disconnected, nothing to do here: if self._lostTLSConnection: producer.stopProducing() return # If we received a non-streaming producer, wrap it so it becomes a # streaming producer: if not streaming: producer = streamingProducer = _PullToPush(producer, self) producer = _ProducerMembrane(producer) # This will raise an exception if a producer is already registered: self.transport.registerProducer(producer, True) self._producer = producer # If we received a non-streaming producer, we need to start the # streaming wrapper: if not streaming: streamingProducer.startStreaming() def unregisterProducer(self): # If we have no producer, we don't need to do anything here. if self._producer is None: return # If we received a non-streaming producer, we need to stop the # streaming wrapper: if isinstance(self._producer._producer, _PullToPush): self._producer._producer.stopStreaming() self._producer = None self._producerPaused = False self.transport.unregisterProducer() if self.disconnecting and not self._appSendBuffer: self._shutdownTLS() @implementer(IOpenSSLClientConnectionCreator, IOpenSSLServerConnectionCreator) class _ContextFactoryToConnectionFactory: """ Adapter wrapping a L{twisted.internet.interfaces.IOpenSSLContextFactory} into a L{IOpenSSLClientConnectionCreator} or L{IOpenSSLServerConnectionCreator}. See U{https://twistedmatrix.com/trac/ticket/7215} for work that should make this unnecessary. """ def __init__(self, oldStyleContextFactory): """ Construct a L{_ContextFactoryToConnectionFactory} with a L{twisted.internet.interfaces.IOpenSSLContextFactory}. Immediately call C{getContext} on C{oldStyleContextFactory} in order to force advance parameter checking, since old-style context factories don't actually check that their arguments to L{OpenSSL} are correct. @param oldStyleContextFactory: A factory that can produce contexts. @type oldStyleContextFactory: L{twisted.internet.interfaces.IOpenSSLContextFactory} """ oldStyleContextFactory.getContext() self._oldStyleContextFactory = oldStyleContextFactory def _connectionForTLS(self, protocol): """ Create an L{OpenSSL.SSL.Connection} object. @param protocol: The protocol initiating a TLS connection. @type protocol: L{TLSMemoryBIOProtocol} @return: a connection @rtype: L{OpenSSL.SSL.Connection} """ context = self._oldStyleContextFactory.getContext() return Connection(context, None) def serverConnectionForTLS(self, protocol): """ Construct an OpenSSL server connection from the wrapped old-style context factory. @note: Since old-style context factories don't distinguish between clients and servers, this is exactly the same as L{_ContextFactoryToConnectionFactory.clientConnectionForTLS}. @param protocol: The protocol initiating a TLS connection. @type protocol: L{TLSMemoryBIOProtocol} @return: a connection @rtype: L{OpenSSL.SSL.Connection} """ return self._connectionForTLS(protocol) def clientConnectionForTLS(self, protocol): """ Construct an OpenSSL server connection from the wrapped old-style context factory. @note: Since old-style context factories don't distinguish between clients and servers, this is exactly the same as L{_ContextFactoryToConnectionFactory.serverConnectionForTLS}. @param protocol: The protocol initiating a TLS connection. @type protocol: L{TLSMemoryBIOProtocol} @return: a connection @rtype: L{OpenSSL.SSL.Connection} """ return self._connectionForTLS(protocol) class _AggregateSmallWrites: """ Aggregate small writes so they get written in large batches. If this is used as part of a transport, the transport needs to call ``flush()`` immediately when ``loseConnection()`` is called, otherwise any buffered writes will never get written. @cvar MAX_BUFFER_SIZE: The maximum amount of bytes to buffer before writing them out. """ MAX_BUFFER_SIZE = 64_000 def __init__(self, write: Callable[[bytes], object], clock: IReactorTime): self._write = write self._clock = clock self._buffer: list[bytes] = [] self._bufferLeft = self.MAX_BUFFER_SIZE self._scheduled: Optional[IDelayedCall] = None def write(self, data: bytes) -> None: """ Buffer the data, or write it immediately if we've accumulated enough to make it worth it. Accumulating too much data can result in higher memory usage. """ self._buffer.append(data) self._bufferLeft -= len(data) if self._bufferLeft < 0: # We've accumulated enough we should just write it out. No need to # schedule a flush, since we just flushed everything. self.flush() return if self._scheduled: # We already have a scheduled send, so with the data in the buffer, # there is nothing more to do here. return # Schedule the write of the accumulated buffer for the next reactor # iteration. self._scheduled = self._clock.callLater(0, self._scheduledFlush) def _scheduledFlush(self) -> None: """Called in next reactor iteration.""" self._scheduled = None self.flush() def flush(self) -> None: """Flush any buffered writes.""" if self._buffer: self._bufferLeft = self.MAX_BUFFER_SIZE self._write(b"".join(self._buffer)) del self._buffer[:] def _get_default_clock() -> IReactorTime: """ Return the default reactor. This is a function so it can be monkey-patched in tests, specifically L{twisted.web.test.test_agent}. """ from twisted.internet import reactor return cast(IReactorTime, reactor) class BufferingTLSTransport(TLSMemoryBIOProtocol): """ A TLS transport implemented by wrapping buffering around a L{TLSMemoryBIOProtocol}. Doing many small writes directly to a L{OpenSSL.SSL.Connection}, as implemented in L{TLSMemoryBIOProtocol}, can add significant CPU and bandwidth overhead. Thus, even when writing is possible, small writes will get aggregated and written as a single write at the next reactor iteration. """ # Implementation Note: An implementation based on composition would be # nicer, but there's close integration between L{ProtocolWrapper} # subclasses like L{TLSMemoryBIOProtocol} and the corresponding factory. An # attempt to implement this with broke things like # L{TLSMemoryBIOFactory.protocols} having the correct instances, whereas # subclassing makes that work. def __init__( self, factory: TLSMemoryBIOFactory, wrappedProtocol: IProtocol, _connectWrapped: bool = True, ): super().__init__(factory, wrappedProtocol, _connectWrapped) actual_write = super().write self._aggregator = _AggregateSmallWrites(actual_write, factory._clock) # This is kinda ugly, but speeds things up a lot in a hot path with # lots of small TLS writes. May become unnecessary in Python 3.13 or # later if JIT and/or inlining becomes a thing. self.write = self._aggregator.write # type: ignore[method-assign] def writeSequence(self, sequence: Iterable[bytes]) -> None: self._aggregator.write(b"".join(sequence)) def loseConnection(self) -> None: self._aggregator.flush() super().loseConnection() class TLSMemoryBIOFactory(WrappingFactory): """ L{TLSMemoryBIOFactory} adds TLS to connections. @ivar _creatorInterface: the interface which L{_connectionCreator} is expected to implement. @type _creatorInterface: L{zope.interface.interfaces.IInterface} @ivar _connectionCreator: a callable which creates an OpenSSL Connection object. @type _connectionCreator: 1-argument callable taking L{TLSMemoryBIOProtocol} and returning L{OpenSSL.SSL.Connection}. """ protocol = BufferingTLSTransport noisy = False # disable unnecessary logging. def __init__( self, contextFactory, isClient, wrappedFactory, clock=None, ): """ Create a L{TLSMemoryBIOFactory}. @param contextFactory: Configuration parameters used to create an OpenSSL connection. In order of preference, what you should pass here should be: 1. L{twisted.internet.ssl.CertificateOptions} (if you're writing a server) or the result of L{twisted.internet.ssl.optionsForClientTLS} (if you're writing a client). If you want security you should really use one of these. 2. If you really want to implement something yourself, supply a provider of L{IOpenSSLClientConnectionCreator} or L{IOpenSSLServerConnectionCreator}. 3. If you really have to, supply a L{twisted.internet.ssl.ContextFactory}. This will likely be deprecated at some point so please upgrade to the new interfaces. @type contextFactory: L{IOpenSSLClientConnectionCreator} or L{IOpenSSLServerConnectionCreator}, or, for compatibility with older code, anything implementing L{twisted.internet.interfaces.IOpenSSLContextFactory}. See U{https://twistedmatrix.com/trac/ticket/7215} for information on the upcoming deprecation of passing a L{twisted.internet.ssl.ContextFactory} here. @param isClient: Is this a factory for TLS client connections; in other words, those that will send a C{ClientHello} greeting? L{True} if so, L{False} otherwise. This flag determines what interface is expected of C{contextFactory}. If L{True}, C{contextFactory} should provide L{IOpenSSLClientConnectionCreator}; otherwise it should provide L{IOpenSSLServerConnectionCreator}. @type isClient: L{bool} @param wrappedFactory: A factory which will create the application-level protocol. @type wrappedFactory: L{twisted.internet.interfaces.IProtocolFactory} """ WrappingFactory.__init__(self, wrappedFactory) if isClient: creatorInterface = IOpenSSLClientConnectionCreator else: creatorInterface = IOpenSSLServerConnectionCreator self._creatorInterface = creatorInterface if not creatorInterface.providedBy(contextFactory): contextFactory = _ContextFactoryToConnectionFactory(contextFactory) self._connectionCreator = contextFactory if clock is None: clock = _get_default_clock() self._clock = clock def logPrefix(self): """ Annotate the wrapped factory's log prefix with some text indicating TLS is in use. @rtype: C{str} """ if ILoggingContext.providedBy(self.wrappedFactory): logPrefix = self.wrappedFactory.logPrefix() else: logPrefix = self.wrappedFactory.__class__.__name__ return f"{logPrefix} (TLS)" def _applyProtocolNegotiation(self, connection): """ Applies ALPN/NPN protocol neogitation to the connection, if the factory supports it. @param connection: The OpenSSL connection object to have ALPN/NPN added to it. @type connection: L{OpenSSL.SSL.Connection} @return: Nothing @rtype: L{None} """ if IProtocolNegotiationFactory.providedBy(self.wrappedFactory): protocols = self.wrappedFactory.acceptableProtocols() context = connection.get_context() _setAcceptableProtocols(context, protocols) return def _createConnection(self, tlsProtocol): """ Create an OpenSSL connection and set it up good. @param tlsProtocol: The protocol which is establishing the connection. @type tlsProtocol: L{TLSMemoryBIOProtocol} @return: an OpenSSL connection object for C{tlsProtocol} to use @rtype: L{OpenSSL.SSL.Connection} """ connectionCreator = self._connectionCreator if self._creatorInterface is IOpenSSLClientConnectionCreator: connection = connectionCreator.clientConnectionForTLS(tlsProtocol) self._applyProtocolNegotiation(connection) connection.set_connect_state() else: connection = connectionCreator.serverConnectionForTLS(tlsProtocol) self._applyProtocolNegotiation(connection) connection.set_accept_state() return connection