Question

I'm writing a simple server for a class and there is a 'creative' component, so I want to add SSL to it. I'm trying to wrap the connection in an SSLSocket, but I get two different errors that I can't make out. The first happens with Safari when I try to wrap the socket, and I get:

Traceback (most recent call last):
  File "./junk.py", line 12, in <module>
    connstream = ssl.wrap_socket(connected_socket,certfile="cert.pem",keyfile="cert.pem",server_side=True,cert_reqs=ssl.CERT_NONE,ssl_version=ssl.PROTOCOL_TLSv1,suppress_ragged_eofs=True)
  File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/ssl.py", line 372, in wrap_socket
    ciphers=ciphers)
  File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/ssl.py", line 134, in __init__
    self.do_handshake()
  File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/ssl.py", line 296, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [Errno 8] _ssl.c:503: EOF occurred in violation of protocol

This happens when Safari tells the user that the certificate isn't valid (I created a self-signed cert via the command: openssl req -new -x509 -days 365 -nodes -out cert.pem -keyout cert.pem); once I tell it that the cert is alright, the next attempt goes through.

However, with Firefox, I get a completely different error, and it happens when I try to read what the client (Firefox) sent to the server:

Traceback (most recent call last):
  File "./junk.py", line 13, in <module>
    recieved = connstream.read() 
  File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/ssl.py", line 151, in read
    return self._sslobj.read(len)
ssl.SSLError: [Errno 1] _ssl.c:1354: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

Below is the code that I used:

  #!/usr/bin/python
  import socket
  import ssl

  # Plain TCP listener; TLS is layered on top of each accepted connection.
  serverPort = 22222
  serverSocket = socket.socket( socket.AF_INET, socket.SOCK_STREAM )
  serverSocket.bind( ( '127.0.0.1', serverPort ) )
  serverSocket.listen( 10 )

  while True:
      connected_socket, from_addr = serverSocket.accept()
      # cert.pem holds both the self-signed certificate and its private key,
      # so it is passed as both certfile and keyfile. The TLS handshake runs
      # inside wrap_socket, which is where the Safari error is raised.
      connstream = ssl.wrap_socket(connected_socket,certfile="cert.pem",keyfile="cert.pem",server_side=True,cert_reqs=ssl.CERT_NONE,ssl_version=ssl.PROTOCOL_TLSv1,suppress_ragged_eofs=True)
      # First read of the decrypted request; this is where the Firefox error is raised.
      recieved = connstream.read()
      print(recieved)
      # Send close_notify and hand the plain socket back before closing it.
      connstream.unwrap()
      connected_socket.close()

Can anyone help me understand:

1) What these errors mean

2) Why I'm getting them

3) How I can go about fixing these

(I've searched in just about every way I can think of)

Thanks,

Andrew


Solution

I'm sorry, I can't comment yet: this is not intended to be an answer.

Why always reinvent the wheel? I mean, if you want something Python-based, why don't you use Tornado? BTW, you can see how they solve this problem there: http://www.tornadoweb.org/documentation/httpserver.html

People always seem to reinvent the wheel either for "educational purpose" or because existing solutions are too "bloated", "heavy", etc. (well, to sum up "Not Invented Here"). It's a shame because the same thing is done over and over, usually the wrong way.

Safari just doesn't honor the handshake, certainly because your cert is self-signed. Firefox just won't accept your cert because it is self-signed. These errors are normal: the user has to accept the "trusted" connection in the browser. In the meantime, your server receives no answer or a rejection.

Look at Tornado to see how they handle that. But I really think you'd better study it, use it and contribute to it instead of creating a brand new, half-broken, http server.
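The two tracebacks in the question are the two ways a browser's rejection of a self-signed certificate shows up on the server: Safari drops the TCP connection during the handshake (the server sees an EOF), and Firefox completes enough of the handshake to send a TLS `unknown_ca` alert, which the server only sees on its first read. Either way the fix on the server side is the same: treat the failure as a per-connection event, log what it was, and keep accepting. The following is an added example, not code from the question or the answer above; it uses Python 3's `SSLContext` API (the successor of the `ssl.wrap_socket` call in the question) and assumes, like the question, that the certificate and key both live in `cert.pem` and the server listens on 127.0.0.1:22222. The `reproduce_handshake_eof` helper is a constructed self-test that connects a plain TCP client and closes it immediately, which reproduces the Safari-style EOF without any browser or certificate.

```python
import socket
import ssl
import threading

# Assumption (from the question): certificate and private key share one file.
CERT_FILE = "cert.pem"
LISTEN_ADDR = ("127.0.0.1", 22222)


def build_server_context(certfile=CERT_FILE):
    """Server-side TLS context. certfile=None loads no certificate, which is
    only useful for exercising the failure path in reproduce_handshake_eof."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if certfile is not None:
        ctx.load_cert_chain(certfile=certfile, keyfile=certfile)
    return ctx


def classify_ssl_error(exc):
    """Map an SSLError (or its message string) onto what the client did.
    The two patterns are the ones from the question's tracebacks."""
    msg = str(exc)
    if "unknown ca" in msg or "unknown_ca" in msg:
        # Firefox-style: client finished the handshake far enough to send
        # a fatal alert saying it does not trust the issuer of our cert.
        return "client rejected our certificate (TLS alert unknown_ca)"
    if "EOF" in msg.upper():
        # Safari-style: client simply closed the TCP connection mid-handshake.
        return "client closed the connection during the handshake"
    return "other TLS failure: " + msg


def serve_one_connection(ctx, listener):
    """Accept one TCP connection, run the TLS handshake and read a request.
    Returns ("ok", request_bytes) or ("tls_failed", reason) so that one
    browser's rejection never propagates out and kills the accept loop."""
    conn, _addr = listener.accept()
    conn.settimeout(5)  # a stalled handshake must not hang the server
    tls = None
    try:
        # do_handshake_on_connect=False keeps wrapping and handshaking as
        # separate steps so both are covered by the same except clause.
        tls = ctx.wrap_socket(conn, server_side=True, do_handshake_on_connect=False)
        tls.do_handshake()          # Safari's EOF surfaces here
        data = tls.recv(4096)       # Firefox's unknown_ca alert surfaces here
        return ("ok", data)
    except (ssl.SSLError, OSError) as exc:
        return ("tls_failed", classify_ssl_error(exc))
    finally:
        # wrap_socket detaches the fd from conn, so close whichever owns it.
        (tls if tls is not None else conn).close()


def _connect_and_close(port):
    # Constructed client that behaves like a browser abandoning the handshake.
    s = socket.create_connection(("127.0.0.1", port))
    s.close()


def reproduce_handshake_eof():
    """Self-test: a client that connects and hangs up yields tls_failed,
    not an uncaught exception. No certificate is needed for this path."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    client = threading.Thread(target=_connect_and_close, args=(port,))
    client.start()
    result = serve_one_connection(build_server_context(certfile=None), listener)
    client.join()
    listener.close()
    return result


if __name__ == "__main__":
    print(reproduce_handshake_eof())
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(LISTEN_ADDR)
    listener.listen(10)
    ctx = build_server_context()  # requires cert.pem next to the script
    while True:
        print(serve_one_connection(ctx, listener))
```

Run with a browser pointed at https://127.0.0.1:22222/ and the first connection attempt prints a `tls_failed` tuple naming the rejection; after the browser's trust exception is accepted, the next one prints `("ok", b"GET / HTTP/1.1...")`. The classifier keys on the error text because the `ssl` module reports both conditions as `SSLError` subclasses whose exact class differs between Python and OpenSSL versions.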

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow