net: remove fallback implementation of ssl_wrap_socket.
We no longer support Python < 3.4.
parent
2924845de4
commit
b4df468b3a
@ -160,44 +160,21 @@ def check_certificate_fingerprint(conn, trusted_fingerprints):
|
|||||||
return
|
return
|
||||||
raise ssl.CertificateError('No matching fingerprint.')
|
raise ssl.CertificateError('No matching fingerprint.')
|
||||||
|
|
||||||
if hasattr(ssl, 'create_default_context'):
|
def ssl_wrap_socket(conn, hostname, logger, certfile=None,
|
||||||
def ssl_wrap_socket(conn, hostname, logger, certfile=None,
|
trusted_fingerprints=None, verify=True, ca_file=None,
|
||||||
trusted_fingerprints=None, verify=True, ca_file=None,
|
**kwargs):
|
||||||
**kwargs):
|
context = ssl.create_default_context(**kwargs)
|
||||||
context = ssl.create_default_context(**kwargs)
|
if trusted_fingerprints or not verify:
|
||||||
if trusted_fingerprints or not verify:
|
# Do not use Certification Authorities
|
||||||
# Do not use Certification Authorities
|
context.check_hostname = False
|
||||||
context.check_hostname = False
|
context.verify_mode = ssl.CERT_NONE
|
||||||
context.verify_mode = ssl.CERT_NONE
|
if ca_file:
|
||||||
if ca_file:
|
context.load_verify_locations(cafile=ca_file)
|
||||||
context.load_verify_locations(cafile=ca_file)
|
if certfile:
|
||||||
if certfile:
|
context.load_cert_chain(certfile)
|
||||||
context.load_cert_chain(certfile)
|
conn = context.wrap_socket(conn, server_hostname=hostname)
|
||||||
conn = context.wrap_socket(conn, server_hostname=hostname)
|
if verify and trusted_fingerprints:
|
||||||
if verify and trusted_fingerprints:
|
check_certificate_fingerprint(conn, trusted_fingerprints)
|
||||||
check_certificate_fingerprint(conn, trusted_fingerprints)
|
return conn
|
||||||
return conn
|
|
||||||
else:
|
|
||||||
def ssl_wrap_socket(conn, hostname, logger, verify=True,
|
|
||||||
certfile=None,
|
|
||||||
ca_file=None, trusted_fingerprints=None):
|
|
||||||
# TLSv1.0 is the only TLS version Python < 2.7.9 supports
|
|
||||||
# (besides SSLv2 and v3, which are known to be insecure)
|
|
||||||
try:
|
|
||||||
conn = ssl.wrap_socket(conn,
|
|
||||||
server_hostname=hostname,
|
|
||||||
certfile=certfile, ca_certs=ca_file,
|
|
||||||
ssl_version=ssl.PROTOCOL_TLSv1)
|
|
||||||
except TypeError: # server_hostname is not supported
|
|
||||||
conn = ssl.wrap_socket(conn,
|
|
||||||
certfile=certfile, ca_certs=ca_file,
|
|
||||||
ssl_version=ssl.PROTOCOL_TLSv1)
|
|
||||||
if trusted_fingerprints:
|
|
||||||
check_certificate_fingerprint(conn, trusted_fingerprints)
|
|
||||||
elif verify:
|
|
||||||
logger.critical('This Python version does not support SSL/TLS '
|
|
||||||
'certification authority verification, which makes your '
|
|
||||||
'connection vulnerable to man-in-the-middle attacks. See: '
|
|
||||||
'<http://docs.limnoria.net/en/latest/use/security.html#ssl-python-versions>')
|
|
||||||
return conn
|
|
||||||
# vim:set shiftwidth=4 softtabstop=4 expandtab textwidth=79:
|
# vim:set shiftwidth=4 softtabstop=4 expandtab textwidth=79:
|
||||||
|
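Review bot: With the fallback gone, `logger` is no longer used anywhere in `ssl_wrap_socket`, and the surviving implementation stays silent when it turns authentication off: for `verify=False` it sets `check_hostname = False` and `verify_mode = ssl.CERT_NONE` and also skips `check_certificate_fingerprint`, even if `trusted_fingerprints` was supplied. The removed branch at least logged a critical message when the peer could not be verified against a CA. I would keep the parameter useful and make the downgrade visible, e.g. `if not verify: logger.warning('TLS certificate verification is disabled for %s', hostname)` before the `context.wrap_socket(...)` call, and add a docstring stating that `trusted_fingerprints` replaces CA and hostname checking and is ignored when `verify` is false. `check_certificate_fingerprint` starts above this hunk, so whether its comparison is sufficient on its own cannot be judged from here.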