diff options
author | Tobias Henkel <tobias.henkel@bmw.de> | 2019-05-04 12:11:41 +0200 |
---|---|---|
committer | Tobias Henkel <tobias.henkel@bmw.de> | 2019-05-04 12:11:41 +0200 |
commit | 58b2f277b7108c5da841631b9d6f7946f1a08c82 (patch) | |
tree | 4742b6d3fa9ee9999785da18c9164a3b75ae37ef /gear/__init__.py | |
parent | 88b2c09878051851157fc0dda87282b0fd5a4930 (diff) | |
download | gear-58b2f277b7108c5da841631b9d6f7946f1a08c82.tar.gz |
Add support for server name indication
According to the python docs [1] it is recommended to use
SSLContext.wrap_socket to create an ssl connection since Python 3.2
and 2.7.9. This enables us to also leverage server name indication
(SNI).
One use case where SNI is beneficial is an easy and standard way to
route traffic into an Openshift cluster. The most common way to get
traffic into an Openshift cluster is using a routes. The routes in an
openshift cluster work with either HTTP, HTTPS with SNI or TLS with
SNI [2]. TLS with SNI in this case also works with non-http
connections like gearman is using.
[1] https://docs.python.org/3/library/ssl.html#socket-creation
[2] https://docs.okd.io/3.11/dev_guide/expose_service/expose_internal_ip_router.html#overview
Change-Id: I19c1edc4a14a303d2a91894e0065c8d31f89ce24
Diffstat (limited to 'gear/__init__.py')
-rw-r--r-- | gear/__init__.py | 22 |
1 files changed, 11 insertions, 11 deletions
diff --git a/gear/__init__.py b/gear/__init__.py index 8c13c45..3348859 100644 --- a/gear/__init__.py +++ b/gear/__init__.py @@ -205,11 +205,12 @@ class Connection(object): if self.use_ssl: self.log.debug("Using SSL") - s = ssl.wrap_socket(s, ssl_version=ssl.PROTOCOL_TLSv1, - cert_reqs=ssl.CERT_REQUIRED, - keyfile=self.ssl_key, - certfile=self.ssl_cert, - ca_certs=self.ssl_ca) + context = ssl.SSLContext(ssl.PROTOCOL_TLSv1) + context.verify_mode = ssl.CERT_REQUIRED + context.check_hostname = False + context.load_cert_chain(self.ssl_cert, self.ssl_key) + context.load_verify_locations(self.ssl_ca) + s = context.wrap_socket(s, server_hostname=self.host) try: s.connect(sa) @@ -2851,12 +2852,11 @@ class Server(BaseClientServer): self.log.debug("Accepting new connection") c, addr = self.socket.accept() if self.use_ssl: - c = ssl.wrap_socket(c, server_side=True, - keyfile=self.ssl_key, - certfile=self.ssl_cert, - ca_certs=self.ssl_ca, - cert_reqs=ssl.CERT_REQUIRED, - ssl_version=ssl.PROTOCOL_TLSv1) + context = ssl.SSLContext(ssl.PROTOCOL_TLSv1) + context.verify_mode = ssl.CERT_REQUIRED + context.load_cert_chain(self.ssl_cert, self.ssl_key) + context.load_verify_locations(self.ssl_ca) + c = context.wrap_socket(c, server_side=True) conn = ServerConnection(addr, c, self.use_ssl, self.client_id) self.log.info("Accepted connection %s" % (conn,)) |