Support external SSLContext

Author: jdecuyper

hyper/http20/connection.py

@@ -51,8 +51,10 @@ class HTTP20Connection(object):
     :param enable_push: (optional) Whether the server is allowed to push
         resources to the client (see
         :meth:`get_pushes() <hyper.HTTP20Connection.get_pushes>`).
+    :SSLContext: (optional) A class with custom certificate settings. If not provided
+        then hyper's default SSLContext is used instead.
     """
-    def __init__(self, host, port=None, window_manager=None, enable_push=False,
+    def __init__(self, host, port=None, window_manager=None, enable_push=False, SSLContext=None,
                  **kwargs):
         """
         Creates an HTTP/2 connection to a specific server.
@@ -67,6 +69,7 @@ def __init__(self, host, port=None, window_manager=None, enable_push=False,
             self.host, self.port = host, port
 
         self._enable_push = enable_push
+        self._SSLContext = SSLContext
 
         #: The size of the in-memory buffer used to store data from the
         #: network. This is used as a performance optimisation. Increase buffer
@@ -206,7 +209,7 @@ def connect(self):
         if self._sock is None:
             sock = socket.create_connection((self.host, self.port), 5)
 
-            sock, proto = wrap_socket(sock, self.host)
+            sock, proto = wrap_socket(sock, self.host, self._SSLContext)
             log.debug("Selected NPN protocol: %s", proto)
             assert proto in H2_NPN_PROTOCOLS
 

hyper/tls.py

@@ -23,15 +23,15 @@
 cert_loc = path.join(path.dirname(__file__), 'certs.pem')
 
 
-def wrap_socket(sock, server_hostname):
+def wrap_socket(sock, server_hostname, SSLContext=None):
     """
     A vastly simplified SSL wrapping function. We'll probably extend this to
     do more things later.
     """
     global _context
 
     if _context is None:  # pragma: no cover
-        _context = _init_context()
+        _context = SSLContext or _init_context()
 
     # the spec requires SNI support
     ssl_sock = _context.wrap_socket(sock, server_hostname=server_hostname)

test/test_SSLContext.py

@@ -0,0 +1,50 @@
+# -*- coding: utf-8 -*-
+"""
+Tests the hyper SSLContext.
+"""
+import hyper
+from hyper import HTTP20Connection
+import ssl
+import pytest
+
+class TestSSLContext(object):
+    """
+    Tests default and custom SSLContext
+    """
+    def test_default_context(self):
+        # Create default SSLContext
+        hyper.tls._context = hyper.tls._init_context()
+        assert hyper.tls._context.check_hostname == True
+        assert hyper.tls._context.verify_mode == ssl.CERT_REQUIRED
+        assert hyper.tls._context.options & ssl.OP_NO_COMPRESSION != 0
+
+
+    def test_custom_context(self):
+        # The following SSLContext doesn't provide any valid certicate.
+        # Its purpose is only to confirm that hyper is not using its
+        # default SSLContext.
+        context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+        context.verify_mode = ssl.CERT_NONE
+        context.check_hostname = False
+
+        hyper.tls._context = context
+
+        assert hyper.tls._context.check_hostname == False
+        assert hyper.tls._context.verify_mode == ssl.CERT_NONE
+        assert hyper.tls._context.options & ssl.OP_NO_COMPRESSION == 0
+
+
+    def test_http20Connection_with_custom_context(self):
+        context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+        context.set_default_verify_paths()
+        context.load_verify_locations(cafile='hyper\certs.pem')
+        context.verify_mode = ssl.CERT_REQUIRED
+        context.check_hostname = True
+        context.set_npn_protocols(['h2', 'h2-15'])
+        context.options |= ssl.OP_NO_COMPRESSION
+        
+        conn = HTTP20Connection('http2bin.org:443', SSLContext=context)
+        
+        assert conn._SSLContext.check_hostname == True
+        assert conn._SSLContext.verify_mode == ssl.CERT_REQUIRED
+        assert conn._SSLContext.options & ssl.OP_NO_COMPRESSION != 0