The cp_tls_builtin.py and cp_tls_pyopenssl.py modules provided below are
almost bare-minimum CherryPy apps set up to serve a static string over HTTPS.
I say "almost" because having an HTTP handler mounted isn't really necessary to
verify that TLS works, but having one provides a nice visual cue when using
curl, for example.
These instructions assume that you have a freshly made virtualenv where you
executed something like `pip install 'CherryPy[ssl]' trustme`. The `ssl` extra
is only needed to pull in pyOpenSSL and isn't needed for the built-in stdlib
TLS adapter. The trustme project is needed for demonstration purposes: it'll
generate a test certificate with its key and a trusted CA that signed it, along
with a certificate chain file to be used by our test HTTP client (curl).
- Download said Python modules to a dedicated directory.
- Make sure that the virtualenv with the above deps is activated.
- In that directory, run `python -m trustme`. This will generate test TLS certificates and related files as described earlier.
- Run `python -m cp_tls_builtin` or `python -m cp_tls_pyopenssl`, depending on which adapter you'd like to test. It'll run a CherryPy app with TLS in the foreground.
- In a separate terminal tab, while in the same directory, run `curl --cacert client.pem https://localhost:4443`.
As a successful outcome, you'll see "TLS works!". If you want to inspect the TLS
exchange, you can run
`openssl s_client -CAfile client.pem -connect localhost -port 4443 -debug`.
N.B. The example does not need sudo anywhere, as it uses port 4443, which typically
is not privileged.
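For reference, here is an added example of what such a minimal CherryPy TLS app looks like. It is not the gist's own cp_tls_builtin.py or cp_tls_pyopenssl.py; it folds both into one module that takes the adapter name (`builtin` or `pyopenssl`) as its first argument. It assumes trustme's default output file names, `server.pem` and `server.key`, sit in the current directory, and it refuses to start if they are missing rather than letting the adapter fail with a less obvious error later.

```python
"""Minimal CherryPy app serving "TLS works!" over HTTPS.

Added example, not the gist's cp_tls_builtin.py / cp_tls_pyopenssl.py.
Assumption: `python -m trustme` wrote server.pem and server.key into the
current directory (those are trustme's default names).
"""
import os
import sys

# CherryPy's two TLS adapters: stdlib ssl, or pyOpenSSL via the "ssl" extra.
ADAPTERS = ("builtin", "pyopenssl")


class Root:
    """Single handler so curl shows something once the handshake succeeds."""

    def index(self):
        return "TLS works!"

    # Classic CherryPy exposure flag (equivalent to @cherrypy.expose); used
    # here so the config helpers below are importable without CherryPy.
    index.exposed = True


def build_tls_config(adapter, cert_dir=".", host="127.0.0.1", port=4443):
    """Return the cherrypy.config settings that switch the server to TLS.

    adapter: "builtin" (stdlib ssl) or "pyopenssl" (needs CherryPy[ssl]).
    Port 4443 matches the curl/openssl commands above and needs no sudo.
    """
    if adapter not in ADAPTERS:
        raise ValueError(f"adapter must be one of {ADAPTERS}, got {adapter!r}")
    return {
        "server.socket_host": host,
        "server.socket_port": port,
        "server.ssl_module": adapter,
        "server.ssl_certificate": os.path.join(cert_dir, "server.pem"),
        "server.ssl_private_key": os.path.join(cert_dir, "server.key"),
    }


def missing_tls_files(config):
    """List the certificate/key paths from the config that do not exist yet."""
    keys = ("server.ssl_certificate", "server.ssl_private_key")
    return [config[k] for k in keys if not os.path.isfile(config[k])]


def serve(adapter):
    """Start CherryPy in the foreground with the chosen TLS adapter."""
    import cherrypy  # lazy import: helpers above stay usable without CherryPy

    config = build_tls_config(adapter)
    missing = missing_tls_files(config)
    if missing:
        sys.exit(f"missing {missing}; run `python -m trustme` here first")
    cherrypy.config.update(config)
    cherrypy.quickstart(Root())


if __name__ == "__main__":
    serve(sys.argv[1] if len(sys.argv) > 1 else "builtin")
```

Run it as `python cp_tls_example.py builtin` or `python cp_tls_example.py pyopenssl` (the file name is an assumption), then use the same `curl --cacert client.pem https://localhost:4443` check as above. Keeping the adapter choice in one `server.ssl_module` setting is the whole difference between the two modules; everything else, including the certificate and key paths, is shared.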