THRIFT-2846 Expose ciphers parameter from ssl.wrap_socket()
Patch: Rodney Richardson
This closes #277
diff --git a/lib/py/src/transport/TSSLSocket.py b/lib/py/src/transport/TSSLSocket.py
index 81e0984..b252c84 100644
--- a/lib/py/src/transport/TSSLSocket.py
+++ b/lib/py/src/transport/TSSLSocket.py
@@ -45,7 +45,8 @@
ca_certs=None,
keyfile=None,
certfile=None,
- unix_socket=None):
+ unix_socket=None,
+ ciphers=None):
"""Create SSL TSocket
@param validate: Set to False to disable SSL certificate validation
@@ -58,6 +59,9 @@
@type keyfile: str
@param certfile: The cert file
@type certfile: str
+ @param ciphers: The cipher suites to allow. This is passed to
+ the ssl_wrap function as the 'ciphers' parameter.
+ @type ciphers: str
Raises an IOError exception if validate is True and the ca_certs file is
None, not present or unreadable.
@@ -72,6 +76,7 @@
self.ca_certs = ca_certs
self.keyfile = keyfile
self.certfile = certfile
+ self.ciphers = ciphers
if validate:
if ca_certs is None or not os.access(ca_certs, os.R_OK):
raise IOError('Certificate Authority ca_certs file "%s" '
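Review bot: The new `self.ciphers = ciphers` is stored without any check, while the lines right below it validate ca_certs eagerly and raise IOError on misconfiguration. If I read ssl.wrap_socket correctly, a cipher list OpenSSL cannot parse only surfaces later as ssl.SSLError, at open() on the client and per accepted connection in TSSLServerSocket.accept (where the existing handler just closes the client socket), so a typo in the string would look like every peer failing its handshake. Where ssl.SSLContext is available an eager check is one line, `ssl.SSLContext(...).set_ciphers(ciphers)` wrapped to convert the SSLError into the same IOError style used here; if older interpreters must stay supported, at least extend the @param ciphers docstring with `Passed unchecked to ssl.wrap_socket; an invalid list raises ssl.SSLError when the socket is opened, and None keeps the ssl module's default cipher list.` The same applies to the server-side assignment in the TSSLServerSocket.__init__ hunk. The constructor continues outside this hunk.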
@@ -92,7 +97,8 @@
ca_certs=self.ca_certs,
keyfile=self.keyfile,
certfile=self.certfile,
- cert_reqs=self.cert_reqs)
+ cert_reqs=self.cert_reqs
+ ciphers=self.ciphers)
self.handle.settimeout(self._timeout)
try:
self.handle.connect(ip_port)
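Review bot: The rewritten wrap_socket call is a SyntaxError: the new-side line `cert_reqs=self.cert_reqs` dropped the trailing comma that the removed line had before the closing paren, and the added `ciphers=self.ciphers)` now follows it directly, so the module will not import at all. The fix is `cert_reqs=self.cert_reqs,` followed by `ciphers=self.ciphers)`. The enclosing open() method starts and ends outside the hunk.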
@@ -167,7 +173,8 @@
host=None,
port=9090,
certfile='cert.pem',
- unix_socket=None):
+ unix_socket=None,
+ ciphers=None):
"""Initialize a TSSLServerSocket
@param certfile: filename of the server certificate, defaults to cert.pem
@@ -178,9 +185,14 @@
@type host: str
@param port: The port to listen on for inbound connections.
@type port: int
+ @param ciphers: The cipher suites to allow. This is passed to
+ the ssl_wrap function as the 'ciphers' parameter.
+ @type ciphers: str
+
"""
self.setCertfile(certfile)
TSocket.TServerSocket.__init__(self, host, port)
+ self.ciphers = ciphers
def setCertfile(self, certfile):
"""Set or change the server certificate file used to wrap new connections.
@@ -199,7 +211,8 @@
plain_client, addr = self.handle.accept()
try:
client = ssl.wrap_socket(plain_client, certfile=self.certfile,
- server_side=True, ssl_version=self.SSL_VERSION)
+ server_side=True, ssl_version=self.SSL_VERSION,
+ ciphers=self.ciphers)
except ssl.SSLError, ssl_exc:
# failed handshake/ssl wrap, close socket to client
plain_client.close()