(self)
| 2571 | self.daemon = True |
| 2572 | |
| 2573 | def wrap_conn(self): |
| 2574 | try: |
| 2575 | self.sslconn = self.server.context.wrap_socket( |
| 2576 | self.sock, server_side=True) |
| 2577 | self.server.selected_alpn_protocols.append(self.sslconn.selected_alpn_protocol()) |
| 2578 | except (ConnectionResetError, BrokenPipeError, ConnectionAbortedError) as e: |
| 2579 | # We treat ConnectionResetError as though it were an |
| 2580 | # SSLError - OpenSSL on Ubuntu abruptly closes the |
| 2581 | # connection when asked to use an unsupported protocol. |
| 2582 | # |
| 2583 | # BrokenPipeError is raised in TLS 1.3 mode, when OpenSSL |
| 2584 | # tries to send session tickets after handshake. |
| 2585 | # https://github.com/openssl/openssl/issues/6342 |
| 2586 | # |
| 2587 | # ConnectionAbortedError is raised in TLS 1.3 mode, when OpenSSL |
| 2588 | # tries to send session tickets after handshake when using WinSock. |
| 2589 | self.server.conn_errors.append(str(e)) |
| 2590 | if self.server.chatty: |
| 2591 | handle_error("\n server: bad connection attempt from " + repr(self.addr) + ":\n") |
| 2592 | self.running = False |
| 2593 | self.close() |
| 2594 | return False |
| 2595 | except (ssl.SSLError, OSError) as e: |
| 2596 | # OSError may occur with wrong protocols, e.g. both |
| 2597 | # sides use PROTOCOL_TLS_SERVER. |
| 2598 | # |
| 2599 | # XXX Various errors can have happened here, for example |
| 2600 | # a mismatching protocol version, an invalid certificate, |
| 2601 | # or a low-level bug. This should be made more discriminating. |
| 2602 | # |
| 2603 | # bpo-31323: Store the exception as string to prevent |
| 2604 | # a reference leak: server -> conn_errors -> exception |
| 2605 | # -> traceback -> self (ConnectionHandler) -> server |
| 2606 | self.server.conn_errors.append(str(e)) |
| 2607 | if self.server.chatty: |
| 2608 | handle_error("\n server: bad connection attempt from " + repr(self.addr) + ":\n") |
| 2609 | |
| 2610 | # bpo-44229, bpo-43855, bpo-44237, and bpo-33450: |
| 2611 | # Ignore spurious EPROTOTYPE returned by write() on macOS. |
| 2612 | # See also http://erickt.github.io/blog/2014/11/19/adventures-in-debugging-a-potential-osx-kernel-bug/ |
| 2613 | if e.errno != errno.EPROTOTYPE and sys.platform != "darwin": |
| 2614 | self.running = False |
| 2615 | self.close() |
| 2616 | return False |
| 2617 | else: |
| 2618 | self.server.shared_ciphers.append(self.sslconn.shared_ciphers()) |
| 2619 | if self.server.context.verify_mode == ssl.CERT_REQUIRED: |
| 2620 | cert = self.sslconn.getpeercert() |
| 2621 | if support.verbose and self.server.chatty: |
| 2622 | sys.stdout.write(" client cert is " + pprint.pformat(cert) + "\n") |
| 2623 | cert_binary = self.sslconn.getpeercert(True) |
| 2624 | if support.verbose and self.server.chatty: |
| 2625 | if cert_binary is None: |
| 2626 | sys.stdout.write(" client did not provide a cert\n") |
| 2627 | else: |
| 2628 | sys.stdout.write(f" cert binary is {len(cert_binary)}b\n") |
| 2629 | cipher = self.sslconn.cipher() |
| 2630 | if support.verbose and self.server.chatty: |