enable ssl_version as a JKG config option (#340)

* enable ssl_version as a JKG config option

Author: applecool

kernel_gateway/gatewayapp.py

@@ -9,6 +9,7 @@
 import sys
 import signal
 import socket
+import ssl
 from distutils.util import strtobool
 
 import nbformat
@@ -52,7 +53,8 @@
     'seed_uri': 'KernelGatewayApp.seed_uri',
     'keyfile': 'KernelGatewayApp.keyfile',
     'certfile': 'KernelGatewayApp.certfile',
-    'client-ca': 'KernelGatewayApp.client_ca'
+    'client-ca': 'KernelGatewayApp.client_ca',
+    'ssl_version': 'KernelGatewayApp.ssl_version'
 })
 
 
@@ -298,6 +300,16 @@ def keyfile_default(self):
     def client_ca_default(self):
         return os.getenv(self.client_ca_env)
 
+    ssl_version_env = 'KG_SSL_VERSION'
+    ssl_version_default_value = ssl.PROTOCOL_TLSv1_2
+    ssl_version = Integer(None, config=True, allow_none=True,
+                        help="""Sets the SSL version to use for the web socket connection. (KG_SSL_VERSION env var)""")
+    
+    @default('ssl_version')
+    def ssl_version_default(self):
+        ssl_from_env = os.getenv(self.ssl_version_env)
+        return ssl_from_env if ssl_from_env is None else int(ssl_from_env)
+
     kernel_spec_manager = Instance(KernelSpecManager, allow_none=True)
 
     kernel_spec_manager_class = Type(
@@ -494,14 +506,13 @@ def _build_ssl_options(self):
             ssl_options['keyfile'] = self.keyfile
         if self.client_ca:
             ssl_options['ca_certs'] = self.client_ca
+        if self.ssl_version:
+            ssl_options['ssl_version'] = self.ssl_version
         if not ssl_options:
             # None indicates no SSL config
             ssl_options = None
         else:
-            # SSL may be missing, so only import it if it's to be used
-            import ssl
-            # Disable SSLv3 by default, since its use is discouraged.
-            ssl_options.setdefault('ssl_version', ssl.PROTOCOL_TLSv1)
+            ssl_options.setdefault('ssl_version', self.ssl_version_default_value)
             if ssl_options.get('ca_certs', False):
                 ssl_options.setdefault('cert_reqs', ssl.CERT_REQUIRED)
 

kernel_gateway/tests/test_gatewayapp.py

@@ -43,6 +43,7 @@ def test_config_env_vars(self):
         os.environ['KG_KEYFILE'] = '/test/fake.key'
         os.environ['KG_CERTFILE'] = '/test/fake.crt'
         os.environ['KG_CLIENT_CA'] = '/test/fake_ca.crt'
+        os.environ['KG_SSL_VERSION'] = '3'
         os.environ['KG_TRUST_XHEADERS'] = 'false'
 
 
@@ -67,6 +68,7 @@ def test_config_env_vars(self):
         self.assertEqual(app.keyfile, '/test/fake.key')
         self.assertEqual(app.certfile, '/test/fake.crt')
         self.assertEqual(app.client_ca, '/test/fake_ca.crt')
+        self.assertEqual(app.ssl_version, 3)
         self.assertEqual(app.trust_xheaders, False)
 
     def test_trust_xheaders(self):
@@ -77,7 +79,14 @@ def test_trust_xheaders(self):
         app = KernelGatewayApp()
         self.assertEqual(app.trust_xheaders, True)
 
-
+    def test_ssl_options(self):
+        app = KernelGatewayApp()
+        ssl_options = app._build_ssl_options()
+        self.assertIsNone(ssl_options)
+        app = KernelGatewayApp()
+        os.environ['KG_CERTFILE'] = '/test/fake.crt'
+        ssl_options = app._build_ssl_options()
+        self.assertEqual(ssl_options['ssl_version'], 5)
 
 class TestGatewayAppBase(AsyncHTTPTestCase, ExpectLog):
     """Base class for integration style tests using HTTP/Websockets against an