Lawouach / WebSocket-for-Python

WebSocket client and server library for Python 2 and 3 as well as PyPy (ws4py 0.5.1)
https://ws4py.readthedocs.org/en/latest/
BSD 3-Clause "New" or "Revised" License

pass ssl_options to SSLIOStream() to ensure certificate validation works #147

Closed szweep closed 10 years ago

szweep commented 10 years ago

The Tornado client's __init__ function uses an SSLIOStream object for SSL communications when using a wss: scheme. The __init__ function for that object will use the optional ssl_options parameter to set parameters used for certificate verification. This change passes the ssl_options (already present in TornadoWebSocketClient.__init__()) to the SSLIOStream object.

Lawouach commented 10 years ago

Thanks for this. I'm also wondering if we shouldn't simply let tornado perform the wrap_socket call itself.

szweep commented 10 years ago

Probably. I'm no expert on Tornado, but I did see this in the sources for SSLIOStream.__init__:

If the socket passed to the constructor is already connected,
it should be wrapped with::

    ssl.wrap_socket(sock, do_handshake_on_connect=False, **kwargs)

before constructing the `SSLIOStream`.  Unconnected sockets will be
wrapped when `IOStream.connect` is finished.

Since the socket is not connected, the wrap_socket in WebSocketBaseClient.__init__ appears to have no effect. I commented out that line and didn't see any change in behavior: an SSL connection was still made, certificate validation worked properly.
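The effect discussed in this thread, as an added standard-library example that is not code from ws4py or Tornado: a dict of wrap_socket-style options only turns certificate verification on if it actually reaches the code that builds the TLS settings. The function names are hypothetical, and the legacy `ssl.wrap_socket` default of `cert_reqs=CERT_NONE` is modelled explicitly.

```python
import ssl


def context_from_ssl_options(ssl_options=None):
    """Build a client SSLContext from wrap_socket-style keyword options.

    Hypothetical helper: it models the legacy ssl.wrap_socket() defaults,
    where nothing is verified unless cert_reqs asks for it.
    """
    opts = dict(ssl_options or {})
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # PROTOCOL_TLS_CLIENT starts with verification on; reset it to the
    # legacy default so the effect of missing options is visible.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    if "cert_reqs" in opts:
        ctx.verify_mode = opts["cert_reqs"]
    if "ca_certs" in opts:
        ctx.load_verify_locations(opts["ca_certs"])
    elif ctx.verify_mode != ssl.CERT_NONE:
        ctx.load_default_certs()
    return ctx


def posture(ctx):
    """Summarise whether the peer certificate chain will be validated."""
    # On the client side CERT_OPTIONAL behaves like CERT_REQUIRED.
    return "unverified" if ctx.verify_mode == ssl.CERT_NONE else "verified"


def compare(ssl_options):
    """Posture when the caller's options are forwarded vs. dropped."""
    return {
        "forwarded": posture(context_from_ssl_options(ssl_options)),
        "dropped": posture(context_from_ssl_options(None)),
    }


if __name__ == "__main__":
    # Constructed sample input: the caller asks for certificate validation.
    print(compare({"cert_reqs": ssl.CERT_REQUIRED}))
```

A unit test in this style, asserting that the options a caller supplies change the resulting verify mode, catches a regression where the options stop being forwarded.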