This file allows an easy invocation of websockify as a module, which is handy when running into shebang issues (https://github.com/pypa/virtualenv/issues/596).
With this patch, `python -m websockify ...` has just the same behavior as `./run ...`.

Most installations will not have redis or simplejson installed, so
avoid having them as a hard requirement unless actually using the
TokenRedis plugin.

We should only start the server if we are the main module, and not
imported some other way. This is important for multiprocessing to
work correctly on Windows.

We can't get the inheritance right in non-trivial cases as a regular
base class, so change it to be a mix-in that is to be combined with
one of the existing request handlers from the Python library.

--ssl-version takes two possible values (tlsv1_1, tlsv1_2). Defaults
to tlsv1_1.
--ssl-ciphers takes allowed ciphers in the same format as
`openssl ciphers`.

Added options for 1.3 and the default ssl config

The change adds two options to WebSockifyServer. The first is a list of
SSL ciphers. The second is SSL options (intended use is to force a
specific TLS version).
Those two options allow for greater security of WebSocket Proxy.

b64_pton and b64_ntop functions are not portable and cannot be found in
all C library implementations (e.g. uClibc, musl).
Since c-websockify already has an explicit dependency on openssl it can be
used to replace b64_pton/ntop with versions that are portable without
introducing too much additional code or dependencies.

Instead of a single certificate in one file it is sometimes customary to
chain multiple certificates into the same file. This is common practice
for CAs like letsencrypt that are providing intermediate certificates.
This patch switches loading of only one certificate to loading the whole chain
of certificates.
The effects can be seen with e.g. the following command:

    openssl s_client -showcerts -connect websockify-hostname:8080

Before the change the verify fails:

    Certificate chain
     0 s:/CN=websockify-hostname
       i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

After the change the verify passes:

    Certificate chain
     0 s:/CN=websockify-hostname
       i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
     1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
       i:/O=Digital Signature Trust Co./CN=DST Root CA X3

Regression caused by a29946e9. We were no longer detecting a cleanly
closed proxy socket. This is not a WebSocket, but an ordinary one,
so we should be checking for "" rather than None.
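
The clean-close check from the last message, as an added example that is not websockify's own code: on an ordinary socket, `recv()` signals a clean close with an empty read and never returns None, so a None test keeps treating the peer as open. The function names, the read cap and the sample payload are assumptions made for the illustration; in Python 3 the empty read is `b""`.

```python
import socket

def closed_peer(payload):
    """Return the read end of a socket pair whose peer sent payload, then closed cleanly."""
    reader, writer = socket.socketpair()
    writer.sendall(payload)
    writer.close()
    return reader

def drain_checking_none(sock, max_reads=5):
    """The regressed check: treat only None as 'peer closed'."""
    for _ in range(max_reads):
        buf = sock.recv(1024)
        if buf is None:  # never true for an ordinary socket
            return "closed"
    return "still-open"  # the clean close was never noticed

def drain_checking_empty(sock, max_reads=5):
    """The corrected check: an empty read means the peer closed cleanly."""
    received = b""
    for _ in range(max_reads):
        buf = sock.recv(1024)
        if buf == b"":  # "" in the commit message; bytes in Python 3
            return "closed", received
        received += buf
    return "still-open", received

if __name__ == "__main__":
    for drain in (drain_checking_none, drain_checking_empty):
        sock = closed_peer(b"hello")  # constructed sample payload
        print(drain.__name__, drain(sock))
        sock.close()
```

A proxy loop that misses the close keeps the session's file descriptors and process alive after the target has gone away, which is the kind of leak worth watching for in connection counts.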