Improve reliability of secure local connections (#51)

Move SSL/TLS handshake to client connection handler

Author: simonrob

emailproxy.py

@@ -4,7 +4,7 @@
 __author__ = 'Simon Robinson'
 __copyright__ = 'Copyright (c) 2022 Simon Robinson'
 __license__ = 'Apache 2.0'
-__version__ = '2022-08-17'  # ISO 8601 (YYYY-MM-DD)
+__version__ = '2022-08-19'  # ISO 8601 (YYYY-MM-DD)
 
 import argparse
 import asyncore
@@ -597,6 +597,9 @@ def __init__(self, proxy_type, connection, socket_map, connection_info, server_c
         self.censor_next_log = False  # try to avoid logging credentials
         self.authenticated = False
 
+        self.ssl_handshake_completed = not (
+                custom_configuration['local_certificate_path'] and custom_configuration['local_key_path'])
+
     def info_string(self):
         if Log.get_level() == logging.DEBUG:
             return '%s (%s:%d; %s:%d->%s:%d%s)' % (
@@ -607,20 +610,28 @@ def info_string(self):
         else:
             return '%s (%s:%d)' % (self.proxy_type, self.local_address[0], self.local_address[1])
 
-    def handle_connect(self):
-        pass
-
-    def get_data(self):
+    def ssl_handshake(self):
         try:
-            byte_data = self.recv(RECEIVE_BUFFER_SIZE)
-            return byte_data
-        except (ssl.SSLWantReadError, ssl.SSLWantWriteError) as e:  # only relevant when using local certificates
-            Log.info(self.info_string(), 'Warning: caught client-side SSL recv error',
-                     '(see https://github.com/simonrob/email-oauth2-proxy/issues/9):', Log.error_string(e))
-            return None
+            # noinspection PyUnresolvedReferences
+            self.socket.do_handshake()
+        except (ssl.SSLWantReadError, ssl.SSLWantWriteError):  # only relevant when using local certificates
+            return
+        else:
+            Log.debug(self.info_string(), '[ SSL/TLS handshake complete ]')
+            self.ssl_handshake_completed = True
+
+    def readable(self):
+        return super().readable() and self.ssl_handshake_completed
+
+    def writable(self):
+        return super().writable() and self.ssl_handshake_completed
 
     def handle_read(self):
-        byte_data = self.get_data()
+        if not self.ssl_handshake_completed:
+            self.ssl_handshake()
+            return
+
+        byte_data = self.recv(RECEIVE_BUFFER_SIZE)
         if not byte_data:
             return
 
@@ -675,18 +686,11 @@ def process_data(self, byte_data, censor_server_log=False):
             self.close()
 
     def send(self, byte_data):
+        while not self.ssl_handshake_completed:
+            self.ssl_handshake()
+
         Log.debug(self.info_string(), '<--', byte_data)
-        try:
-            super().send(byte_data)
-        except (ssl.SSLWantReadError, ssl.SSLWantWriteError) as e:  # only relevant when using local certificates
-            Log.info(self.info_string(), 'Warning: caught client-side SSL send error',
-                     '(see https://github.com/simonrob/email-oauth2-proxy/issues/9):', Log.error_string(e))
-            while True:
-                try:
-                    super().send(byte_data)
-                    break
-                except (ssl.SSLWantReadError, ssl.SSLWantWriteError):
-                    time.sleep(1)
+        super().send(byte_data)
 
     def log_info(self, message, message_type='info'):
         # override to redirect error messages to our own log
@@ -1355,7 +1359,7 @@ def start(self):
         self.create_socket(socket.AF_INET, socket.SOCK_STREAM)
         self.set_reuse_addr()
         self.bind(self.local_address)
-        self.listen(1)
+        self.listen(5)
 
     def create_socket(self, socket_family=socket.AF_INET, socket_type=socket.SOCK_STREAM):
         if self.custom_configuration['local_certificate_path'] and self.custom_configuration['local_key_path']:
@@ -1366,7 +1370,9 @@ def create_socket(self, socket_family=socket.AF_INET, socket_type=socket.SOCK_ST
             ssl_context.load_cert_chain(
                 certfile=self.custom_configuration['local_certificate_path'],
                 keyfile=self.custom_configuration['local_key_path'])
-            self.set_socket(ssl_context.wrap_socket(new_socket, server_side=True))
+            # suppress_ragged_eofs=True: see test_ssl.py documentation in https://github.com/python/cpython/pull/5266
+            self.set_socket(ssl_context.wrap_socket(new_socket, server_side=True, suppress_ragged_eofs=True,
+                                                    do_handshake_on_connect=False))
         else:
             super().create_socket(socket_family, socket_type)