recv/send on raw socket before SSL wrap(), Python

Question

Hello. I'm wondering if I can recv/send data on a raw socket before wrapping it - I've looked through the documentation and searched for it but couldn't find anything specific. What I basically want to do:

client, addr = listeningSocket.accept()
client.recv(32)
client.send(b'hello')
client.setblocking(0)
sslSocket = ssl.wrap_socket(client, keyfile='key.pem', certfile='cert.pem', server_side=True, ssl_version=ssl.PROTOCOL_TLSv1)
sslSocket.write(b'hello')

The problem is I get an error that I'm pretty sure is related to the client.recv() before wrapping (or at least I think that's it since I do not get it before adding the recv?)

sslSocket = ssl.wrap_socket(client, keyfile='key.pem', certfile='cert.pem', server_side=True, ssl_version=ssl.PROTOCOL_TLSv1)
  File "/usr/lib/python3.1/ssl.py", line 381, in wrap_socket
    suppress_ragged_eofs=suppress_ragged_eofs)
  File "/usr/lib/python3.1/ssl.py", line 135, in __init__
    raise x
  File "/usr/lib/python3.1/ssl.py", line 131, in __init__
    self.do_handshake()
  File "/usr/lib/python3.1/ssl.py", line 327, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [Errno 8] _ssl.c:488: EOF occurred in violation of protocol

Is this legal? Is there anyway to do this (I really need to send before wrapping since the client expects a raw string before the SSL data starts flooding.) Appreciate any guidance possible.

Note: I need to respond to a policy request from flash. The connection with flash is going to be secure, but the policy request isn't

Answer 1

I notice in the documentation for do_handshake ( http://docs.python.org/library/ssl.html#ssl.SSLSocket.do_handshake ), which is called by wrap_socket (as is apparent from your callstack), that it may raise an ssl.SSLError on nonblocking sockets, and you have to wrap it in a try/except to try until it works. So in your case, if you need a nonblocking socket, you would either need to do the handshake yourself first and pass do_handshake_on_connect=False to wrap_socket, or just wait until after the handshake to set nonblocking:

client, addr = listeningSocket.accept()
client.recv(32)
client.send(b'hello')
sslSocket = ssl.wrap_socket(client, keyfile='key.pem', certfile='cert.pem', server_side=True, ssl_version=ssl.PROTOCOL_TLSv1)
client.setblocking(0)
sslSocket.write(b'hello')

or maybe:

client, addr = listeningSocket.accept()
client.recv(32)
client.send(b'hello')
client.setblocking(0)

while True:
    try:
        client.do_handshake()
        break
    except ssl.SSLError, err:
        if err.args[0] == ssl.SSL_ERROR_WANT_READ:
            select.select([client], [], [])
        elif err.args[0] == ssl.SSL_ERROR_WANT_WRITE:
            select.select([], [client], [])
        else:
            raise

sslSocket = ssl.wrap_socket(client, do_handshake_on_connect=False, keyfile='key.pem', certfile='cert.pem', server_side=True, ssl_version=ssl.PROTOCOL_TLSv1)
sslSocket.write(b'hello')

Yet another alternative is just to run a dedicated Flash policy server on port 843.