authorJoffrey F <f.joffrey@gmail.com>2016-02-05 12:41:02 -0800
committerJoffrey F <f.joffrey@gmail.com>2016-02-05 12:41:02 -0800
commit8bdaffc2e7feb6201744a58d5a1e7db83fae094b (patch)
tree886a97d3fdc1846944874157aa25f094459a056c
parent9d8663c5ab17fd4cd3e6a23c3dbbd949c3664482 (diff)
parentb808cc45b43a2de397e7e0fb2eb8c2d98250e263 (diff)
Merge pull request #920 from docker/ssl_version_simpler
Remove obsolete SSL version computation
-rw-r--r--docker/ssladapter/ssladapter.py13
-rw-r--r--docker/tls.py5
-rw-r--r--tests/unit/utils_test.py17
3 files changed, 18 insertions, 17 deletions
diff --git a/docker/ssladapter/ssladapter.py b/docker/ssladapter/ssladapter.py
index b653b68..5b43aa2 100644
--- a/docker/ssladapter/ssladapter.py
+++ b/docker/ssladapter/ssladapter.py
@@ -4,7 +4,6 @@
"""
from distutils.version import StrictVersion
from requests.adapters import HTTPAdapter
-import ssl
try:
import requests.packages.urllib3 as urllib3
@@ -14,20 +13,10 @@ except ImportError:
PoolManager = urllib3.poolmanager.PoolManager
-def get_max_tls_protocol():
- protocols = ('PROTOCOL_TLSv1_2',
- 'PROTOCOL_TLSv1_1',
- 'PROTOCOL_TLSv1')
- for proto in protocols:
- if hasattr(ssl, proto):
- return getattr(ssl, proto)
-
-
class SSLAdapter(HTTPAdapter):
'''An HTTPS Transport Adapter that uses an arbitrary SSL version.'''
def __init__(self, ssl_version=None, assert_hostname=None,
assert_fingerprint=None, **kwargs):
- ssl_version = ssl_version or get_max_tls_protocol()
self.ssl_version = ssl_version
self.assert_hostname = assert_hostname
self.assert_fingerprint = assert_fingerprint
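Review bot: With the fallback removed, `ssl_version=None` in `SSLAdapter.__init__` now means "let urllib3 choose", but no comment says so and the class docstring still describes an adapter that uses an arbitrary SSL version. The minimum protocol in the default case now depends on the installed urllib3 building a context that disables SSLv2 and SSLv3, which presumably varies between urllib3 releases. I would add a comment above the assignment such as `# None defers to urllib3's default context; the protocol floor then depends on the installed urllib3`. The same applies to `TLSConfig.__init__` in docker/tls.py, where the explanatory comment is deleted without a replacement. The class body continues outside this hunk.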
@@ -41,7 +30,7 @@ class SSLAdapter(HTTPAdapter):
'assert_hostname': self.assert_hostname,
'assert_fingerprint': self.assert_fingerprint,
}
- if self.can_override_ssl_version():
+ if self.ssl_version and self.can_override_ssl_version():
kwargs['ssl_version'] = self.ssl_version
self.poolmanager = PoolManager(**kwargs)
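Review bot: The new guard `if self.ssl_version and self.can_override_ssl_version():` tests truthiness, so an explicitly passed protocol constant whose value is 0 is dropped silently, exactly as if the caller had passed None. Comparing against None states the intent precisely: `if self.ssl_version is not None and self.can_override_ssl_version():`. The enclosing method starts above this hunk, so how the rest of `kwargs` is assembled is not visible here.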
diff --git a/docker/tls.py b/docker/tls.py
index 85fa245..01573a6 100644
--- a/docker/tls.py
+++ b/docker/tls.py
@@ -19,11 +19,6 @@ class TLSConfig(object):
# here, but also disable any public/default CA pool verification by
# leaving tls_verify=False
- # urllib3 sets a default ssl_version if ssl_version is None,
- # but that default is the vulnerable PROTOCOL_SSLv23 selection,
- # so we override the default with the maximum supported in the running
- # Python interpeter up to TLS 1.2. (see: http://tinyurl.com/kxga8hb)
- ssl_version = ssl_version or ssladapter.get_max_tls_protocol()
self.ssl_version = ssl_version
self.assert_hostname = assert_hostname
self.assert_fingerprint = assert_fingerprint
diff --git a/tests/unit/utils_test.py b/tests/unit/utils_test.py
index 99e7a0b..df29b9d 100644
--- a/tests/unit/utils_test.py
+++ b/tests/unit/utils_test.py
@@ -12,9 +12,17 @@ import tempfile
import pytest
import six
+try:
+ from ssl import OP_NO_SSLv3, OP_NO_SSLv2, OP_NO_TLSv1
+except ImportError:
+ OP_NO_SSLv2 = 0x1000000
+ OP_NO_SSLv3 = 0x2000000
+ OP_NO_TLSv1 = 0x4000000
+
from docker.client import Client
from docker.constants import DEFAULT_DOCKER_API_VERSION
from docker.errors import DockerException, InvalidVersion
+from docker.ssladapter import ssladapter
from docker.utils import (
parse_repository_tag, parse_host, convert_filters, kwargs_from_env,
create_host_config, Ulimit, LogConfig, parse_bytes, parse_env_file,
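Review bot: The values in the `except ImportError` branch are unexplained magic numbers. They appear to mirror OpenSSL's SSL_OP_NO_* option bits, and a one-line comment would make that checkable, e.g. `# ssl module lacks OP_NO_*; values mirror OpenSSL's SSL_OP_NO_SSLv2/SSLv3/TLSv1`. The comment should also say that on such interpreters the test is only meaningful if urllib3's own fallback context uses the same bits, which is worth confirming against the vendored urllib3.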
@@ -927,3 +935,12 @@ class TarTest(base.Cleanup, base.BaseTestCase):
self.assertEqual(
sorted(tar_data.getnames()), ['bar', 'bar/foo', 'foo']
)
+
+
+class SSLAdapterTest(base.BaseTestCase):
+ def test_only_uses_tls(self):
+ ssl_context = ssladapter.urllib3.util.ssl_.create_urllib3_context()
+
+ assert ssl_context.options & OP_NO_SSLv3
+ assert ssl_context.options & OP_NO_SSLv2
+ assert not ssl_context.options & OP_NO_TLSv1
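Review bot: `test_only_uses_tls` never constructs an `SSLAdapter`. It only inspects the context returned by urllib3's `create_urllib3_context()`, so a regression in `init_poolmanager` (for example passing `ssl_version` unconditionally again) would not fail it. An assertion on the adapter itself would tie the test to this commit's change, e.g. `assert 'ssl_version' not in ssladapter.SSLAdapter().poolmanager.connection_pool_kw`. The bare `assert` statements also differ from the `self.assertEqual` style used just above in `TarTest`, and the helper is reached through a private-looking `util.ssl_` path that may not exist in every urllib3 release.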