net: remove fallback implementation of ssl_wrap_socket.

We no longer support Python < 3.4.
2024-10-04 18:38:39 +02:00 · 2020-05-26 22:46:28 +02:00 · 2020-05-26 22:46:28 +02:00 · b4df468b3a
commit b4df468b3a
parent 2924845de4
1 changed files with 17 additions and 40 deletions
--- a/src/utils/net.py
+++ b/src/utils/net.py
@ -160,44 +160,21 @@ def check_certificate_fingerprint(conn, trusted_fingerprints):
            return
    raise ssl.CertificateError('No matching fingerprint.')

-if hasattr(ssl, 'create_default_context'):
-    def ssl_wrap_socket(conn, hostname, logger, certfile=None,
-            trusted_fingerprints=None, verify=True, ca_file=None,
-            **kwargs):
-        context = ssl.create_default_context(**kwargs)
-        if trusted_fingerprints or not verify:
-            # Do not use Certification Authorities
-            context.check_hostname = False
-            context.verify_mode = ssl.CERT_NONE
-        if ca_file:
-            context.load_verify_locations(cafile=ca_file)
-        if certfile:
-            context.load_cert_chain(certfile)
-        conn = context.wrap_socket(conn, server_hostname=hostname)
-        if verify and trusted_fingerprints:
-            check_certificate_fingerprint(conn, trusted_fingerprints)
-        return conn
-else:
-    def ssl_wrap_socket(conn, hostname, logger, verify=True,
-            certfile=None,
-            ca_file=None, trusted_fingerprints=None):
-        # TLSv1.0 is the only TLS version Python < 2.7.9 supports
-        # (besides SSLv2 and v3, which are known to be insecure)
-        try:
-            conn = ssl.wrap_socket(conn,
-                    server_hostname=hostname,
-                    certfile=certfile, ca_certs=ca_file,
-                    ssl_version=ssl.PROTOCOL_TLSv1)
-        except TypeError: # server_hostname is not supported
-            conn = ssl.wrap_socket(conn,
-                    certfile=certfile, ca_certs=ca_file,
-                    ssl_version=ssl.PROTOCOL_TLSv1)
-        if trusted_fingerprints:
-            check_certificate_fingerprint(conn, trusted_fingerprints)
-        elif verify:
-            logger.critical('This Python version does not support SSL/TLS '
-                    'certification authority verification, which makes your '
-                    'connection vulnerable to man-in-the-middle attacks. See: '
-                    '<http://docs.limnoria.net/en/latest/use/security.html#ssl-python-versions>')
-        return conn
+def ssl_wrap_socket(conn, hostname, logger, certfile=None,
+        trusted_fingerprints=None, verify=True, ca_file=None,
+        **kwargs):
+    context = ssl.create_default_context(**kwargs)
+    if trusted_fingerprints or not verify:
+        # Do not use Certification Authorities
+        context.check_hostname = False
+        context.verify_mode = ssl.CERT_NONE
+    if ca_file:
+        context.load_verify_locations(cafile=ca_file)
+    if certfile:
+        context.load_cert_chain(certfile)
+    conn = context.wrap_socket(conn, server_hostname=hostname)
+    if verify and trusted_fingerprints:
+        check_certificate_fingerprint(conn, trusted_fingerprints)
+    return conn
+
 # vim:set shiftwidth=4 softtabstop=4 expandtab textwidth=79: