diff options
Diffstat (limited to 'amqp/transport.py')
-rw-r--r-- | amqp/transport.py | 15 |
1 files changed, 12 insertions, 3 deletions
diff --git a/amqp/transport.py b/amqp/transport.py index 4130681..7056be8 100644 --- a/amqp/transport.py +++ b/amqp/transport.py @@ -525,9 +525,13 @@ class SSLTransport(_AbstractTransport): context.load_verify_locations(ca_certs) if ciphers is not None: context.set_ciphers(ciphers) - if cert_reqs is not None: - context.verify_mode = cert_reqs - # Set SNI headers if supported + # Set SNI headers if supported. + # Must set context.check_hostname before setting context.verify_mode + # to avoid setting context.verify_mode=ssl.CERT_NONE while + # context.check_hostname is still True (the default value in context + # if client-side) which results in the following exception: + # ValueError: Cannot set verify_mode to CERT_NONE when check_hostname + # is enabled. try: context.check_hostname = ( ssl.HAS_SNI and server_hostname is not None @@ -535,6 +539,11 @@ class SSLTransport(_AbstractTransport): except AttributeError: pass # ask forgiveness not permission + # See note above re: ordering for context.check_hostname and + # context.verify_mode assignments. + if cert_reqs is not None: + context.verify_mode = cert_reqs + if ca_certs is None and context.verify_mode != ssl.CERT_NONE: purpose = ( ssl.Purpose.CLIENT_AUTH |