authorDana Powers <dana.powers@gmail.com>2019-03-21 08:32:45 -0700
committerDana Powers <dana.powers@gmail.com>2019-03-21 08:32:45 -0700
commitac7efc0426fa641a6754c25a9b2e5e2fa3515bf6 (patch)
treebe41549b0f4b3d02e95a80665ede862302cb3fe1
parentee4a53e9e5ae93231d6f7010f263b30a9924dabb (diff)
Allow configuration of SSL Ciphersssl_set_ciphers
-rw-r--r--kafka/client_async.py6
-rw-r--r--kafka/conn.py11
-rw-r--r--kafka/consumer/group.py6
-rw-r--r--kafka/producer/kafka.py6
4 files changed, 28 insertions, 1 deletions
diff --git a/kafka/client_async.py b/kafka/client_async.py
index fdf5454..90cce0c 100644
--- a/kafka/client_async.py
+++ b/kafka/client_async.py
@@ -123,6 +123,11 @@ class KafkaClient(object):
providing a file, only the leaf certificate will be checked against
this CRL. The CRL can only be checked with Python 3.4+ or 2.7.9+.
Default: None.
+ ssl_ciphers (str): optionally set the available ciphers for ssl
+ connections. It should be a string in the OpenSSL cipher list
+ format. If no cipher can be selected (because compile-time options
+ or other configuration forbids use of all the specified ciphers),
+ an ssl.SSLError will be raised. See ssl.SSLContext.set_ciphers
api_version (tuple): Specify which Kafka API version to use. If set
to None, KafkaClient will attempt to infer the broker version by
probing various APIs. Example: (0, 10, 2). Default: None
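Review bot: The new `ssl_ciphers` docstring entry omits the `Default: None.` line that every neighbouring ssl option (`ssl_crlfile` just above, `api_version` just below) carries, and the last sentence has no terminating period, so readers cannot tell from the docstring that leaving it unset keeps the SSLContext's default cipher list. The same five-line entry is repeated in kafka/conn.py, kafka/consumer/group.py and kafka/producer/kafka.py with the same omission. I would end the entry with `an ssl.SSLError will be raised. See ssl.SSLContext.set_ciphers.` followed by `Default: None.` on the next line, matching the house style of the surrounding entries. It may also be worth stating that the string only narrows the cipher set the client offers, so a permissive string widens rather than tightens what the connection may negotiate.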
@@ -173,6 +178,7 @@ class KafkaClient(object):
'ssl_keyfile': None,
'ssl_password': None,
'ssl_crlfile': None,
+ 'ssl_ciphers': None,
'api_version': None,
'api_version_auto_timeout_ms': 2000,
'selector': selectors.DefaultSelector,
diff --git a/kafka/conn.py b/kafka/conn.py
index 28f9f3c..5b20e5d 100644
--- a/kafka/conn.py
+++ b/kafka/conn.py
@@ -140,7 +140,7 @@ class BrokerConnection(object):
should verify that the certificate matches the brokers hostname.
default: True.
ssl_cafile (str): optional filename of ca file to use in certificate
- veriication. default: None.
+ verification. default: None.
ssl_certfile (str): optional filename of file in pem format containing
the client certificate, as well as any ca certificates needed to
establish the certificate's authenticity. default: None.
@@ -154,6 +154,11 @@ class BrokerConnection(object):
providing a file, only the leaf certificate will be checked against
this CRL. The CRL can only be checked with Python 3.4+ or 2.7.9+.
default: None.
+ ssl_ciphers (str): optionally set the available ciphers for ssl
+ connections. It should be a string in the OpenSSL cipher list
+ format. If no cipher can be selected (because compile-time options
+ or other configuration forbids use of all the specified ciphers),
+ an ssl.SSLError will be raised. See ssl.SSLContext.set_ciphers
api_version (tuple): Specify which Kafka API version to use.
Accepted values are: (0, 8, 0), (0, 8, 1), (0, 8, 2), (0, 9),
(0, 10). Default: (0, 8, 2)
@@ -201,6 +206,7 @@ class BrokerConnection(object):
'ssl_keyfile': None,
'ssl_crlfile': None,
'ssl_password': None,
+ 'ssl_ciphers': None,
'api_version': (0, 8, 2), # default to most restrictive
'selector': selectors.DefaultSelector,
'state_change_callback': lambda conn: True,
@@ -468,6 +474,9 @@ class BrokerConnection(object):
self._ssl_context.load_verify_locations(self.config['ssl_crlfile'])
# pylint: disable=no-member
self._ssl_context.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
+ if self.config['ssl_ciphers']:
+ log.info('%s: Setting SSL Ciphers: %s', self, self.config['ssl_ciphers'])
+ self._ssl_context.set_ciphers(self.config['ssl_ciphers'])
log.debug('%s: wrapping socket in ssl context', self)
try:
self._sock = self._ssl_context.wrap_socket(
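Review bot: The `set_ciphers` call is placed before the `try:` that guards `wrap_socket`, so the `ssl.SSLError` the docstring promises for an unsatisfiable cipher string propagates out of this method instead of being handled like the other TLS setup failures below it; whether a caller further up catches it is not visible here. Since the value is static configuration, it would be cleaner to fail fast at construction time by applying it once to a throwaway `ssl.SSLContext` (or at least to move the call inside the existing `try:`), so a bad cipher string surfaces as a configuration error rather than a connect-time failure on every attempt. Logging the configured string at INFO is fine since it is not secret, but note that the log line is emitted on every (re)connect. The enclosing method starts and ends outside the hunk.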
diff --git a/kafka/consumer/group.py b/kafka/consumer/group.py
index f521891..c107f5a 100644
--- a/kafka/consumer/group.py
+++ b/kafka/consumer/group.py
@@ -187,6 +187,11 @@ class KafkaConsumer(six.Iterator):
providing a file, only the leaf certificate will be checked against
this CRL. The CRL can only be checked with Python 3.4+ or 2.7.9+.
Default: None.
+ ssl_ciphers (str): optionally set the available ciphers for ssl
+ connections. It should be a string in the OpenSSL cipher list
+ format. If no cipher can be selected (because compile-time options
+ or other configuration forbids use of all the specified ciphers),
+ an ssl.SSLError will be raised. See ssl.SSLContext.set_ciphers
api_version (tuple): Specify which Kafka API version to use. If set to
None, the client will attempt to infer the broker version by probing
various APIs. Different versions enable different functionality.
@@ -280,6 +285,7 @@ class KafkaConsumer(six.Iterator):
'ssl_keyfile': None,
'ssl_crlfile': None,
'ssl_password': None,
+ 'ssl_ciphers': None,
'api_version': None,
'api_version_auto_timeout_ms': 2000,
'connections_max_idle_ms': 9 * 60 * 1000,
diff --git a/kafka/producer/kafka.py b/kafka/producer/kafka.py
index ccdd91a..e4d5929 100644
--- a/kafka/producer/kafka.py
+++ b/kafka/producer/kafka.py
@@ -245,6 +245,11 @@ class KafkaProducer(object):
providing a file, only the leaf certificate will be checked against
this CRL. The CRL can only be checked with Python 3.4+ or 2.7.9+.
default: none.
+ ssl_ciphers (str): optionally set the available ciphers for ssl
+ connections. It should be a string in the OpenSSL cipher list
+ format. If no cipher can be selected (because compile-time options
+ or other configuration forbids use of all the specified ciphers),
+ an ssl.SSLError will be raised. See ssl.SSLContext.set_ciphers
api_version (tuple): Specify which Kafka API version to use. If set to
None, the client will attempt to infer the broker version by probing
various APIs. Example: (0, 10, 2). Default: None
@@ -312,6 +317,7 @@ class KafkaProducer(object):
'ssl_keyfile': None,
'ssl_crlfile': None,
'ssl_password': None,
+ 'ssl_ciphers': None,
'api_version': None,
'api_version_auto_timeout_ms': 2000,
'metric_reporters': [],