authorTobias Henkel <tobias.henkel@bmw.de>2019-05-04 12:11:41 +0200
committerTobias Henkel <tobias.henkel@bmw.de>2019-05-04 12:11:41 +0200
commit58b2f277b7108c5da841631b9d6f7946f1a08c82 (patch)
tree4742b6d3fa9ee9999785da18c9164a3b75ae37ef
parent88b2c09878051851157fc0dda87282b0fd5a4930 (diff)
downloadgear-58b2f277b7108c5da841631b9d6f7946f1a08c82.tar.gz
Add support for server name indication
According to the python docs [1] it is recommended to use SSLContext.wrap_socket to create an ssl connection since Python 3.2 and 2.7.9. This enables us to also leverage server name indication (SNI). One use case where SNI is beneficial is an easy and standard way to route traffic into an Openshift cluster. The most common way to get traffic into an Openshift cluster is using routes. The routes in an openshift cluster work with either HTTP, HTTPS with SNI or TLS with SNI [2]. TLS with SNI in this case also works with non-http connections like gearman is using. [1] https://docs.python.org/3/library/ssl.html#socket-creation [2] https://docs.okd.io/3.11/dev_guide/expose_service/expose_internal_ip_router.html#overview Change-Id: I19c1edc4a14a303d2a91894e0065c8d31f89ce24
-rw-r--r--gear/__init__.py22
1 files changed, 11 insertions, 11 deletions
diff --git a/gear/__init__.py b/gear/__init__.py
index 8c13c45..3348859 100644
--- a/gear/__init__.py
+++ b/gear/__init__.py
@@ -205,11 +205,12 @@ class Connection(object):
if self.use_ssl:
self.log.debug("Using SSL")
- s = ssl.wrap_socket(s, ssl_version=ssl.PROTOCOL_TLSv1,
- cert_reqs=ssl.CERT_REQUIRED,
- keyfile=self.ssl_key,
- certfile=self.ssl_cert,
- ca_certs=self.ssl_ca)
+ context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
+ context.verify_mode = ssl.CERT_REQUIRED
+ context.check_hostname = False
+ context.load_cert_chain(self.ssl_cert, self.ssl_key)
+ context.load_verify_locations(self.ssl_ca)
+ s = context.wrap_socket(s, server_hostname=self.host)
try:
s.connect(sa)
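Review bot: `context.check_hostname = False` on the new client context disables matching the server certificate against `self.host`, so although `server_hostname=self.host` now sends SNI, any certificate issued by the CA in `self.ssl_ca` is accepted no matter whose name it carries, and with a shared or private CA that lets any other certificate holder impersonate the server. Unless the deployed certificates are known not to carry the host name, set `context.check_hostname = True` (valid here because `verify_mode` is already `CERT_REQUIRED`), or expose it as an option that defaults to on and leave a comment stating why it may be turned off. Separately, `ssl.SSLContext(ssl.PROTOCOL_TLSv1)` carries the pre-existing TLS 1.0-only pin into the new context; now that the context is built explicitly this is the natural place to switch to `ssl.PROTOCOL_SSLv23` with `OP_NO_SSLv2 | OP_NO_SSLv3` (and `OP_NO_TLSv1`/`OP_NO_TLSv1_1` where the peers allow), since TLS 1.0 is deprecated and refused by hardened peers. The enclosing connect method starts and ends outside the hunk, so the handling of handshake errors raised from `s.connect(sa)` is not visible here.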
@@ -2851,12 +2852,11 @@ class Server(BaseClientServer):
self.log.debug("Accepting new connection")
c, addr = self.socket.accept()
if self.use_ssl:
- c = ssl.wrap_socket(c, server_side=True,
- keyfile=self.ssl_key,
- certfile=self.ssl_cert,
- ca_certs=self.ssl_ca,
- cert_reqs=ssl.CERT_REQUIRED,
- ssl_version=ssl.PROTOCOL_TLSv1)
+ context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
+ context.verify_mode = ssl.CERT_REQUIRED
+ context.load_cert_chain(self.ssl_cert, self.ssl_key)
+ context.load_verify_locations(self.ssl_ca)
+ c = context.wrap_socket(c, server_side=True)
conn = ServerConnection(addr, c, self.use_ssl,
self.client_id)
self.log.info("Accepted connection %s" % (conn,))
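Review bot: The new server-side `ssl.SSLContext` is built, and `self.ssl_cert`/`self.ssl_key`/`self.ssl_ca` are re-read and re-parsed from disk, inside the accept path on every accepted connection, so each incoming TCP connection, authenticated or not, costs three file reads plus PEM/X.509 parsing before the handshake even starts, which is avoidable load that an unauthenticated peer can drive. Build the context once (for example lazily into a `_ssl_context` attribute, or wherever `use_ssl` is configured) and reuse it here, leaving only `c = self._ssl_context.wrap_socket(c, server_side=True)` in the loop. As in the client hunk, `ssl.PROTOCOL_TLSv1` keeps the listener pinned to TLS 1.0 only, which is worth revisiting now that the context is explicit. Whether an `ssl.SSLError` from `wrap_socket` for a client presenting no or an untrusted certificate is caught and the socket closed is outside this hunk, since the enclosing accept method starts before it.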