author | Tobias Henkel <tobias.henkel@bmw.de> | 2019-05-04 12:11:41 +0200 |
committer | Tobias Henkel <tobias.henkel@bmw.de> | 2019-05-04 12:11:41 +0200 |
commit | 58b2f277b7108c5da841631b9d6f7946f1a08c82 (patch) | |
tree | 4742b6d3fa9ee9999785da18c9164a3b75ae37ef | |
parent | 88b2c09878051851157fc0dda87282b0fd5a4930 (diff) | |
Add support for server name indication
According to the python docs [1] it is recommended to use
SSLContext.wrap_socket to create an ssl connection since Python 3.2
and 2.7.9. This enables us to also leverage server name indication
(SNI).
One use case where SNI is beneficial is an easy and standard way to
route traffic into an Openshift cluster. The most common way to get
traffic into an Openshift cluster is using routes. The routes in an
openshift cluster work with either HTTP, HTTPS with SNI or TLS with
SNI [2]. TLS with SNI in this case also works with non-http
connections like gearman is using.
[1] https://docs.python.org/3/library/ssl.html#socket-creation
[2] https://docs.okd.io/3.11/dev_guide/expose_service/expose_internal_ip_router.html#overview
Change-Id: I19c1edc4a14a303d2a91894e0065c8d31f89ce24
-rw-r--r-- | gear/__init__.py | 22 |
1 files changed, 11 insertions, 11 deletions
diff --git a/gear/__init__.py b/gear/__init__.py index 8c13c45..3348859 100644 --- a/gear/__init__.py +++ b/gear/__init__.py @@ -205,11 +205,12 @@ class Connection(object): if self.use_ssl: self.log.debug("Using SSL") - s = ssl.wrap_socket(s, ssl_version=ssl.PROTOCOL_TLSv1, - cert_reqs=ssl.CERT_REQUIRED, - keyfile=self.ssl_key, - certfile=self.ssl_cert, - ca_certs=self.ssl_ca) + context = ssl.SSLContext(ssl.PROTOCOL_TLSv1) + context.verify_mode = ssl.CERT_REQUIRED + context.check_hostname = False + context.load_cert_chain(self.ssl_cert, self.ssl_key) + context.load_verify_locations(self.ssl_ca) + s = context.wrap_socket(s, server_hostname=self.host) try: s.connect(sa) @@ -2851,12 +2852,11 @@ class Server(BaseClientServer): self.log.debug("Accepting new connection") c, addr = self.socket.accept() if self.use_ssl: - c = ssl.wrap_socket(c, server_side=True, - keyfile=self.ssl_key, - certfile=self.ssl_cert, - ca_certs=self.ssl_ca, - cert_reqs=ssl.CERT_REQUIRED, - ssl_version=ssl.PROTOCOL_TLSv1) + context = ssl.SSLContext(ssl.PROTOCOL_TLSv1) + context.verify_mode = ssl.CERT_REQUIRED + context.load_cert_chain(self.ssl_cert, self.ssl_key) + context.load_verify_locations(self.ssl_ca) + c = context.wrap_socket(c, server_side=True) conn = ServerConnection(addr, c, self.use_ssl, self.client_id) self.log.info("Accepted connection %s" % (conn,)) |
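Review bot: In the client hunk `context.check_hostname = False` switches hostname verification off even though the connection now knows the peer name it passes as `server_hostname=self.host`, so any certificate that chains to `ssl_ca` is accepted for any host; if that same CA also issues the client certificates (the usual gearman/zuul mutual-TLS setup), the holder of any CA-signed certificate could stand in for the server. Unless there is a known reason to keep the old `ssl.wrap_socket` semantics, set `context.check_hostname = True` (it must stay after the `verify_mode` assignment, as here), or expose it as a constructor flag so deployments that connect by IP can opt out. Separately, `ssl.SSLContext(ssl.PROTOCOL_TLSv1)` pins the connection to TLS 1.0 only, which current OpenSSL security levels and Python 3.10+ default settings refuse; since the commit targets 2.7.9+/3.2+, `ssl.SSLContext(ssl.PROTOCOL_SSLv23)` followed by `context.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3` negotiates the best version both sides support. The enclosing `Connection.connect` body continues outside the hunk.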
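Review bot: In the server hunk a fresh `SSLContext` is built for every accepted connection, so `load_cert_chain` and `load_verify_locations` re-read and parse the PEM files inside the accept loop on each client; a transient read error now surfaces in the accept path and each accept pays the parsing cost, while the `SSLContext` API is meant to be created once and shared. Build the context once (in the server's init, or lazily on first use) and keep only `c = self._ssl_context.wrap_socket(c, server_side=True)` here. As on the client side, `ssl.PROTOCOL_TLSv1` fixes the server to TLS 1.0, which modern peers and OpenSSL builds reject; `ssl.PROTOCOL_SSLv23` with `OP_NO_SSLv2 | OP_NO_SSLv3` (or `PROTOCOL_TLS_SERVER` where 3.6+ can be assumed) is the version-negotiating equivalent. Note also that `wrap_socket` performs the handshake synchronously here, so a stalled client holds the accept loop; that is pre-existing but worth a comment, since the enclosing accept method starts outside the hunk.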