Added SSL-certificate-based client authentication.

* Incorporates #190 without breaking compatibility towards old Python versions.
* A new plugin allows authenticating clients by the "common name" defined in their certificate.
* Added manual for certificate-based client authentication, including hints to which Python versions allow client certificate authentication.
* Adjusted test to work with new ssl.create_default_context.

1 files changed, 18 insertions, 1 deletions

diff --git a/tests/test_websockifyserver.py b/tests/test_websockifyserver.py
index 9af117d..63c9449 100644
--- a/tests/test_websockifyserver.py
+++ b/tests/test_websockifyserver.py
@@ -267,8 +267,25 @@ class WebSockifyServerTestCase(unittest.TestCase):
         def fake_wrap_socket(*args, **kwargs):
             raise ssl.SSLError(ssl.SSL_ERROR_EOF)
 
+        class fake_create_default_context():
+            def __init__(self, purpose):
+                self.verify_mode = None
+            def load_cert_chain(self, certfile, keyfile):
+                pass
+            def set_default_verify_paths(self):
+                pass
+            def load_verify_locations(self, cafile):
+                pass
+            def wrap_socket(self, *args, **kwargs):
+                raise ssl.SSLError(ssl.SSL_ERROR_EOF)
+
         self.stubs.Set(select, 'select', fake_select)
-        self.stubs.Set(ssl, 'wrap_socket', fake_wrap_socket)
+        if (hasattr(ssl, 'create_default_context')):
+            # for recent versions of python
+            self.stubs.Set(ssl, 'create_default_context', fake_create_default_context)
+        else:
+            # for fallback for old versions of python
+            self.stubs.Set(ssl, 'wrap_socket', fake_wrap_socket)
         self.assertRaises(
             websockifyserver.WebSockifyServer.EClose, server.do_handshake,
             sock, '127.0.0.1')