author | Hervé Beraud <hberaud@redhat.com> | 2020-09-02 11:55:33 +0200 |
committer | GitHub <noreply@github.com> | 2020-09-02 12:55:33 +0300 |
commit | ad9697ab2eaa97e153211c82e4bad8d655e63591 (patch) | |
tree | 804cfa8f4f8ac8316913e9fb03c2bf163a8cf6a9 | |
parent | 23a9359e34553dd18921ca2f7eebec56c3944e11 (diff) | |
download | py-amqp-ad9697ab2eaa97e153211c82e4bad8d655e63591.tar.gz |
Stop to use deprecated method ssl.wrap_socket (#327)
`ssl.wrap_socket` is deprecated since python 3.7 and since python 3.2
and 2.7.9 (released in 2014) it is recommended to use the
SSLContext.wrap_socket() instead of wrap_socket(). The top-level
function is limited and creates an insecure client socket without server
name indication or hostname matching [1].
Python 2.7 is now officially unmaintained (its latest release is 2.7.18), and
py-amqp only supports Python versions that are compatible with these
changes [2].
These changes move away from `ssl.wrap_socket` by using
now `ssl.SSLContext.wrap_socket` [3].
[1] https://docs.python.org/3/library/ssl.html#ssl.wrap_socket
[2] https://github.com/celery/py-amqp/blob/master/setup.py#L24,L29
[3] https://docs.python.org/3/library/ssl.html#ssl.SSLContext.wrap_socket
-rw-r--r-- | amqp/connection.py | 4 | ||||
-rw-r--r-- | amqp/transport.py | 26 | ||||
-rw-r--r-- | t/unit/test_transport.py | 14 |
3 files changed, 16 insertions, 28 deletions
diff --git a/amqp/connection.py b/amqp/connection.py
index 8936d8d..c77654d 100644
--- a/amqp/connection.py
+++ b/amqp/connection.py
@@ -94,8 +94,8 @@ class Connection(AbstractChannel):
 client name. For EXTERNAL authentication both userid and password are ignored.
- The 'ssl' parameter may be simply True/False, or for Python >= 2.6
- a dictionary of options to pass to ssl.wrap_socket() such as
+ The 'ssl' parameter may be simply True/False, or for Python >= 3.6
+ a dictionary of options to pass to ssl.SSLContext such as
 requiring certain certificates. The "socket_settings" parameter is a dictionary defining tcp
diff --git a/amqp/transport.py b/amqp/transport.py
index df78c1a..fdf20d9 100644
--- a/amqp/transport.py
+++ b/amqp/transport.py
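Review bot: The rewritten docstring says the dictionary is passed "to ssl.SSLContext", but nothing in this commit passes the dict to the SSLContext constructor; judging by the transport.py hunk the entries presumably become keyword arguments of `SSLTransport._wrap_socket_sni` (certfile, keyfile, cert_reqs, server_hostname, ssl_version), and `ca_certs`/`ciphers` are no longer accepted there. Suggest wording it as `a dictionary of keyword arguments for SSLTransport._wrap_socket_sni (certfile, keyfile, cert_reqs, server_hostname, ssl_version), which builds the ssl.SSLContext` so readers know which keys are valid. The enclosing docstring starts and ends outside the hunk.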
@@ -336,39 +336,33 @@ class SSLTransport(_AbstractTransport):
 def _wrap_socket_sni(self, sock, keyfile=None, certfile=None, server_side=False, cert_reqs=ssl.CERT_NONE,
- ca_certs=None, do_handshake_on_connect=False,
+ do_handshake_on_connect=False,
 suppress_ragged_eofs=True, server_hostname=None,
- ciphers=None, ssl_version=ssl.PROTOCOL_TLS):
+ ssl_version=ssl.PROTOCOL_TLS):
 """Socket wrap with SNI headers.
- Default `ssl.wrap_socket` method augmented with support for
+ stdlib `ssl.SSLContext.wrap_socket` method augmented with support for
 setting the server_hostname field required for SNI hostname header
 """
 opts = {
 'sock': sock,
- 'keyfile': keyfile,
- 'certfile': certfile,
 'server_side': server_side,
- 'cert_reqs': cert_reqs,
- 'ca_certs': ca_certs,
 'do_handshake_on_connect': do_handshake_on_connect, 'suppress_ragged_eofs': suppress_ragged_eofs,
- 'ciphers': ciphers,
- 'ssl_version': ssl_version
+ 'server_hostname': server_hostname,
 }
- sock = ssl.wrap_socket(**opts)
+ context = ssl.SSLContext(ssl_version)
+ if certfile is not None:
+ context.load_cert_chain(certfile, keyfile)
+ if cert_reqs != ssl.CERT_NONE:
+ context.check_hostname = True
 # Set SNI headers if supported
 if (server_hostname is not None) and ( hasattr(ssl, 'HAS_SNI') and ssl.HAS_SNI) and ( hasattr(ssl, 'SSLContext')):
- context = ssl.SSLContext(opts['ssl_version'])
 context.verify_mode = cert_reqs
- if cert_reqs != ssl.CERT_NONE:
- context.check_hostname = True
- if (certfile is not None) and (keyfile is not None):
- context.load_cert_chain(certfile, keyfile)
- sock = context.wrap_socket(sock, server_hostname=server_hostname)
+ sock = context.wrap_socket(**opts)
 return sock
 def _shutdown_transport(self):
diff --git a/t/unit/test_transport.py b/t/unit/test_transport.py
index 3ecf717..a1bb2b1 100644
--- a/t/unit/test_transport.py
+++ b/t/unit/test_transport.py
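Review bot: `context.verify_mode = cert_reqs` is now only reached inside the SNI branch, and nothing loads trust anchors into the freshly built `ssl.SSLContext(ssl_version)`: `ca_certs` (and `ciphers`) are dropped from the signature with no `load_verify_locations`/`set_ciphers` replacement, so an existing `ssl={'ca_certs': ..., 'cert_reqs': ssl.CERT_REQUIRED}` caller now gets a TypeError, and a caller that only passes `cert_reqs` has no CA to verify the peer against. Note also that `check_hostname = True` is set whenever `cert_reqs != CERT_NONE`, so with `server_hostname=None` the later `context.wrap_socket(**opts)` raises `ValueError` because check_hostname requires a server_hostname — fail-closed, but it deserves a line in the docstring. The `hasattr(ssl, 'SSLContext')` guard is redundant now that the context is constructed unconditionally a few lines above. Suggest keeping `ca_certs=None` and `ciphers=None` in the signature and applying them on the context, with `verify_mode` set independently of SNI support:
```python
        context = ssl.SSLContext(ssl_version)
        if certfile is not None:
            context.load_cert_chain(certfile, keyfile)
        # Peer verification must not depend on whether SNI is available.
        context.verify_mode = cert_reqs
        if ca_certs is not None:
            context.load_verify_locations(ca_certs)
        elif cert_reqs != ssl.CERT_NONE:
            context.load_default_certs()
        if ciphers is not None:
            context.set_ciphers(ciphers)
        if cert_reqs != ssl.CERT_NONE:
            # wrap_socket() raises ValueError if server_hostname is None here.
            context.check_hostname = True
        # … unchanged: SNI check and context.wrap_socket(**opts) …
```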
@@ -1,7 +1,6 @@
 import errno
 import os
 import socket
-import ssl
 import struct
 from struct import pack
 from unittest.mock import ANY, MagicMock, Mock, call, patch
@@ -616,18 +615,13 @@ class test_SSLTransport:
 def test_wrap_socket_sni(self):
 sock = Mock()
- with patch('ssl.wrap_socket') as mock_ssl_wrap:
+ with patch('ssl.SSLContext.wrap_socket') as mock_ssl_wrap:
 self.t._wrap_socket_sni(sock)
- mock_ssl_wrap.assert_called_with(cert_reqs=0,
- certfile=None,
- keyfile=None,
- sock=sock,
- ca_certs=None,
+ mock_ssl_wrap.assert_called_with(sock=sock,
 server_side=False,
- ciphers=None,
- ssl_version=ssl.PROTOCOL_TLS,
+ do_handshake_on_connect=False,
 suppress_ragged_eofs=True,
- do_handshake_on_connect=False)
+ server_hostname=None)
 def test_shutdown_transport(self):
 self.t.sock = None |
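Review bot: test_wrap_socket_sni still drives only the default path (no `server_hostname`, `cert_reqs=CERT_NONE`) and asserts only the kwargs forwarded to the patched `ssl.SSLContext.wrap_socket`, so nothing checks that `cert_reqs` reaches `context.verify_mode`, that `check_hostname` is enabled, or that `load_cert_chain` is called when `certfile` is given — which is exactly the logic this commit moved into `_wrap_socket_sni`. Consider a second case that patches `ssl.SSLContext` (the class), calls `_wrap_socket_sni` with a dummy `server_hostname`, `cert_reqs=ssl.CERT_REQUIRED` and dummy cert/key paths, and asserts `verify_mode`, `check_hostname` and the `load_cert_chain` call on the returned mock; `import ssl` was removed from this module in the first hunk and would have to come back for that. The test class continues beyond the end of the hunk.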