How can I implement a secure WebSocket (wss://) server in Python?

情深已故 2021-01-31 20:00

I want to serve a real-time stream that has to be securely encrypted due to sensitive data.

I've successfully got normal WebSockets streaming using both gevent and guni

5 answers
  • 2021-01-31 20:44

    Assuming that you have your app running correctly over non-SSL Tornado WebSockets, change the listen call from:

    app.listen(args.listen_port, args.listen_interface) 
    

    to:

    app.listen(args.listen_port, args.listen_interface, ssl_options={ 
            "certfile": os.path.join(lib_dir, "mydomain.crt"),
            "keyfile": os.path.join(lib_dir, "mydomain.key"),
        })
    

    where "mydomain.crt" and "mydomain.key" are your usual SSL certificate files, and lib_dir is the directory they live in.

    Don't forget to change the client to use "wss:"

    Also note that the port you specify in the listen call will still be used if you specify ssl_options. i.e. it will not revert to listening on port 443.

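An added example, not part of the answer above and not Tornado's own code: the same `app.listen` call given an `ssl.SSLContext` instead of a dict, with a TLS 1.2 floor and a check that the private key file is closed to group and others. The function names and the file-mode policy are assumptions of this example.

```python
import os
import ssl
import stat


def key_file_is_private(keyfile):
    """Return True when group and others have no access to the key file."""
    mode = stat.S_IMODE(os.stat(keyfile).st_mode)
    return (mode & 0o077) == 0


def hardened_server_context():
    """Server-side TLS context with no certificate loaded yet."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3, TLS 1.0 and 1.1
    ctx.options |= ssl.OP_NO_COMPRESSION          # no TLS-level compression
    return ctx


def build_tls_context(certfile, keyfile):
    """Check the key's file mode, then load the certificate chain and key."""
    if not key_file_is_private(keyfile):
        raise PermissionError(f"{keyfile}: remove group/other access (e.g. chmod 600)")
    ctx = hardened_server_context()
    ctx.load_cert_chain(certfile, keyfile)  # raises if a file is missing or mismatched
    return ctx


def listen_wss(app, port, interface, certfile, keyfile):
    """Bind a tornado.web.Application for wss:// on the given port.

    Tornado accepts an ssl.SSLContext as ssl_options; the port is used as
    given and does not default to 443.
    """
    app.listen(port, interface, ssl_options=build_tls_context(certfile, keyfile))
```
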
  • 2021-01-31 20:54

    Take a look at the standalone websockets server of the pywebsocket project supported by Google.

    Note that this Python module uses CGIHTTPServer so you need to tweak it to make it secure. I had a similar requirement for a project I was involved in some months ago, so I forked the standalone.py module and removed the dependencies with CGI stuff but I haven't tested secure connections very much.

    Maybe you can import OpenSSL.SSL and set up a WebSocketServer as it is in my script. It should use a WebSocketRequestHandler with the proper configuration of use_tls, private_key and certificate in order to implement TLS (Transport Layer Security).

    Read the source code. I think you can extend it to meet your needs.

  • 2021-01-31 20:56

    We use Tornado and Tornadio for our realtime app, and I just switched on SSL for websockets, as well as all the other realtime socket.io protocols. It took me just over an hour! More info here:

    http://devblog.resolversystems.com/?p=1084

  • 2021-01-31 20:57

    You can check out the websockify project. Websockify is a proxy that allows a WebSockets-capable browser to communicate with a raw binary TCP server. It does this by base64 encoding all traffic to/from the browser. However, the project is modular and the websocket.py file is a general WebSocket server that is designed to be extended (and there are a couple of included tests that show how this works). It would be fairly easy to disable the base64 encoding if that is not needed for your project.

    Websockify also includes a JavaScript library 'websock.js' which is designed to interact with websockify. It will transparently fall back to using web-socket-js (Flash based) if the browser does not have native WebSocket support.

    Websockify supports secure (TLS/wss) connections and also is able to answer Flash security policy requests inline on the same port.

    Disclaimer: I made websockify.

  • 2021-01-31 21:04

    On the server side, add this to Tornado:

    tornadio2.server.SocketServer(application, ssl_options={
        "certfile": "server.crt",
        "keyfile":  "server.key",
    })
    

    On the client side, refer to this link: wss://www.example.com:2201/ws, where 2201 is the secure WebSocket's TLS port.
