Diffstat (limited to 'redis/connection.py')
-rwxr-xr-x | redis/connection.py | 17 |
1 files changed, 15 insertions, 2 deletions
diff --git a/redis/connection.py b/redis/connection.py
index a349a0f..bde74b1 100755
--- a/redis/connection.py
+++ b/redis/connection.py
@@ -31,7 +31,7 @@ from redis.exceptions import (
     TimeoutError,
 )
 from redis.retry import Retry
-from redis.utils import HIREDIS_AVAILABLE, str_if_bytes
+from redis.utils import CRYPTOGRAPHY_AVAILABLE, HIREDIS_AVAILABLE, str_if_bytes
 
 try:
     import ssl
@@ -907,6 +907,7 @@ class SSLConnection(Connection):
         ssl_check_hostname=False,
         ssl_ca_path=None,
         ssl_password=None,
+        ssl_validate_ocsp=False,
         **kwargs,
     ):
         """Constructor
@@ -948,6 +949,7 @@ class SSLConnection(Connection):
         self.ca_path = ssl_ca_path
         self.check_hostname = ssl_check_hostname
         self.certificate_password = ssl_password
+        self.ssl_validate_ocsp = ssl_validate_ocsp
 
     def _connect(self):
         "Wrap the socket with SSL support"
@@ -963,7 +965,18 @@ class SSLConnection(Connection):
         )
         if self.ca_certs is not None or self.ca_path is not None:
             context.load_verify_locations(cafile=self.ca_certs, capath=self.ca_path)
-        return context.wrap_socket(sock, server_hostname=self.host)
+        sslsock = context.wrap_socket(sock, server_hostname=self.host)
+        if self.ssl_validate_ocsp is True and CRYPTOGRAPHY_AVAILABLE is False:
+            raise RedisError("cryptography is not installed.")
+        elif self.ssl_validate_ocsp is True and CRYPTOGRAPHY_AVAILABLE:
+            from .ocsp import OCSPVerifier
+
+            o = OCSPVerifier(sslsock, self.host, self.port, self.ca_certs)
+            if o.is_valid():
+                return sslsock
+            else:
+                raise ConnectionError("ocsp validation error")
+        return sslsock
 
 
 class UnixDomainSocketConnection(Connection):
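Review bot: The new `ssl_validate_ocsp` keyword is added to the `SSLConnection` signature without an entry in the constructor docstring that starts on this hunk's last line (`"""Constructor`) and continues outside the hunk, so users have no way to learn that it is a security control or that it needs an extra package. Since `_connect` raises `RedisError("cryptography is not installed.")` when it is set without the `cryptography` package, the docstring should say so, e.g. `ssl_validate_ocsp: if True, check the server certificate's revocation status via OCSP after the TLS handshake and refuse the connection on failure; requires the ``cryptography`` package`. It would also help to state the default (`False`) explicitly, since a revocation check that is off by default is easy to overlook.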
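Review bot: The OCSP gate in `_connect` is fail-open for any truthy value that is not the literal `True`: both branches test `self.ssl_validate_ocsp is True`, so a caller passing `ssl_validate_ocsp=1` (or any value coming through `**kwargs` from a URL or config layer that yields a string) falls through to the final `return sslsock` with no revocation check at all, and the same `is False` comparison on `CRYPTOGRAPHY_AVAILABLE` would skip the "not installed" error if that flag were ever a non-bool falsy value. A second problem is that neither failure path closes `sslsock` before raising, and an exception thrown by `OCSPVerifier(...).is_valid()` itself (e.g. a network error reaching the responder, which I cannot see handled here) escapes with the handshaken TLS connection still open. The rewrite below tests the flag by truthiness, checks for `cryptography` before doing the handshake so a misconfigured client fails without any network I/O, and closes the socket on every non-success path; `_connect`'s body starts outside the hunk. It also looks like only `self.ca_certs` is handed to `OCSPVerifier` while `self.ca_path` is not — if the verifier needs a trust store to validate the responder's signature, a client configured with `ssl_ca_path` alone would get `None`; worth confirming against `redis/ocsp.py`.
```python
        if self.ssl_validate_ocsp and not CRYPTOGRAPHY_AVAILABLE:
            # Fail before the handshake: no point opening a TLS session we must refuse.
            raise RedisError("cryptography is not installed.")
        sslsock = context.wrap_socket(sock, server_hostname=self.host)
        if not self.ssl_validate_ocsp:
            return sslsock
        from .ocsp import OCSPVerifier

        try:
            valid = OCSPVerifier(sslsock, self.host, self.port, self.ca_certs).is_valid()
        except BaseException:
            # Do not leak a handshaken TLS socket when the responder lookup itself fails.
            sslsock.close()
            raise
        if not valid:
            sslsock.close()
            raise ConnectionError("ocsp validation error")
        return sslsock
```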