| Commit message (Collapse) | Author | Age | Files | Lines |
| |
If we do not set a timeout on the SSL handshake, this can cause an infinite
hang if something happens to the remote end at this point; this
has been seen with AWS MQ RabbitMQ during cluster maintenance triggering
a reboot, and causing hangs of any connection that is in the handshake
phase.
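As an added illustration of the hang described in this commit message (this is example code, not py-amqp's own implementation), the block below wraps a socket with a bounded handshake and runs it against a constructed peer that accepts the TCP connection but never sends a ServerHello, which is what a client sees when the broker reboots mid-handshake. `HANDSHAKE_TIMEOUT` and `StalledPeer` are assumptions made for the demo; py-amqp's real default timeout is not stated on this page.

```python
import socket
import ssl
import threading

# Assumed value for the demo only; py-amqp's own default is not given here.
HANDSHAKE_TIMEOUT = 0.5


class StalledPeer:
    """Constructed stand-in for a broker that accepts TCP but never answers
    the TLS ClientHello (the state a rebooting node leaves a client in)."""

    def __init__(self):
        self._srv = socket.socket()
        self._srv.bind(("127.0.0.1", 0))
        self._srv.listen(1)
        self._stop = threading.Event()
        threading.Thread(target=self._serve, daemon=True).start()

    @property
    def port(self):
        return self._srv.getsockname()[1]

    def _serve(self):
        try:
            conn, _ = self._srv.accept()
        except OSError:
            return                  # listener closed before accept; demo over
        self._stop.wait()           # hold the connection open, send nothing
        conn.close()

    def close(self):
        self._stop.set()
        self._srv.close()


def tls_connect(host, port, timeout):
    """Connect and run the TLS handshake with a bounded wait.

    Returns 'connected' or 'handshake-timeout'. With timeout=None the
    do_handshake() call below blocks forever against a stalled peer; that is
    the hang the commit message describes."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # demo only: the fake peer has no certificate
    ctx.verify_mode = ssl.CERT_NONE
    sock = socket.create_connection((host, port), timeout=timeout)
    # Defer the handshake so it runs under the same timeout as the socket.
    tls = ctx.wrap_socket(sock, server_hostname=host,
                          do_handshake_on_connect=False)
    tls.settimeout(timeout)
    try:
        tls.do_handshake()
    except socket.timeout:          # TimeoutError on Python 3.10+
        tls.close()
        return "handshake-timeout"
    return "connected"


def demo():
    """Run the client against the stalled peer; returns the outcome string."""
    peer = StalledPeer()
    try:
        return tls_connect("127.0.0.1", peer.port, HANDSHAKE_TIMEOUT)
    finally:
        peer.close()
```

The point to check in your own client is that the timeout is in force on the socket object that `do_handshake()` runs on: a timeout set only for `connect()` and then cleared before wrapping leaves the handshake unbounded.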
| |
* Use AF_UNSPEC for name resolution
This reverts most of 1ad97fb14c0c3c57395ca525932f95a830e51a88, but
keeps tests which still have general applicability.
The reason the original change was made was to try and work around a
bug[1] in the eventlet library. Eventlet monkey-patches the
socket.getaddrinfo function and replaces it with its own async,
eventlet-aware implementation. The reason name resolution was broken
in the first place is because eventlet was consulting DNS first, and
then if that failed, falling back to /etc/hosts, which is just flat
out incorrect behavior.
It's important to note that this was *only* when running py-amqp under
eventlet, and *only* for specific versions of eventlet that have long
been fixed. So this workaround is not even needed anymore.
With "normal" (non-eventlet) use, socket.getaddrinfo instead calls
into the glibc getaddrinfo implementation, which ultimately uses
libnss to resolve hostnames.
However, there is an issue with the original workaround when using the
default (glibc) getaddrinfo. The workaround (current) implementation
explicitly forces resolution to use AF_INET (IPv4) and then only if
that does not succeed, it in turn will try with AF_INET6 (IPv6). This
generally works well for IPv4-only hosts, but can be unnecessarily
slow for dual-stack IPv4/IPv6 hosts.
Consider the following:
- We want to connect to example.org
- The /etc/hosts file contains an IPv6 entry:
example.org f00d::1
- The /etc/nsswitch.conf file contains typical (simplified) hosts
config:
hosts: files dns
In this case, the current code will involve nss iterating through the
modules:
- files (with AF_INET): fails, because there is no IPv4 address in
/etc/hosts
- dns (with AF_INET): may or may not succeed per-site, depending on
how DNS is configured. If DNS is slow/misconfigured, this may incur
a delay and block for a significant amount of time.
- files (with AF_INET6): succeeds, and getaddrinfo returns f00d::1.
Now in the same scenario as before, with this fix which reverts back
to using AF_UNSPEC instead:
- files (with AF_UNSPEC) succeeds, and getaddrinfo returns f00d::1.
There is no need to involve DNS at all. Even a well-configured,
quick-to-respond DNS server is going to be many orders of magnitude
slower than consulting with /etc/hosts which libnss keeps cached in
memory.
[1] https://bugs.launchpad.net/neutron/+bug/1696094/comments/22
* tests: ensure getaddrinfo is called with AF_UNSPEC
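The nss walk the commit message traces is shown below as an added example (not py-amqp's code). Both resolution strategies take an injectable `getaddrinfo` so the offline demo can run them against `FakeNss`, a constructed model of glibc nss with `hosts: files dns` that reproduces only the module order and per-family filtering described above and counts how often the `dns` module is reached. The scenario (an IPv6-only `/etc/hosts` entry for example.org, nothing in DNS) is the one from the message; the default argument runs the real `socket.getaddrinfo`.

```python
import socket


def resolve_family_fallback(host, port, getaddrinfo=socket.getaddrinfo):
    """The reverted workaround: force AF_INET first and only on failure retry
    with AF_INET6.  Each family-specific call walks the whole nsswitch chain
    ('files', then 'dns'), so DNS is queried even when /etc/hosts holds the
    answer in the other address family."""
    try:
        return getaddrinfo(host, port, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return getaddrinfo(host, port, socket.AF_INET6, socket.SOCK_STREAM)


def resolve_unspec(host, port, getaddrinfo=socket.getaddrinfo):
    """The restored behaviour: a single AF_UNSPEC pass; the first nss module
    holding an address of any family answers and the walk stops there."""
    return getaddrinfo(host, port, socket.AF_UNSPEC, socket.SOCK_STREAM)


class FakeNss:
    """Constructed model of glibc nss for 'hosts: files dns' (demo only, not
    the real resolver).  Tables map name -> [(family, address), ...]."""

    def __init__(self, hosts_file, dns_zone):
        self.hosts_file = hosts_file
        self.dns_zone = dns_zone
        self.dns_queries = 0

    @staticmethod
    def _module(table, host, family):
        return [(fam, addr) for fam, addr in table.get(host, [])
                if family == socket.AF_UNSPEC or fam == family]

    def getaddrinfo(self, host, port, family=socket.AF_UNSPEC, type=0,
                    proto=0, flags=0):
        hits = self._module(self.hosts_file, host, family)   # 'files'
        if not hits:
            self.dns_queries += 1                             # 'dns'
            hits = self._module(self.dns_zone, host, family)
        if not hits:
            raise socket.gaierror(-2, "Name or service not known")
        return [(fam, socket.SOCK_STREAM, 0, "", (addr, port))
                for fam, addr in hits]


def compare(host="example.org", port=5672):
    """Run both strategies on the commit message's scenario and return
    (address, dns queries) for the old and the new code path."""
    hosts_file = {host: [(socket.AF_INET6, "f00d::1")]}   # constructed
    dns_zone = {}                                          # DNS knows nothing
    old = FakeNss(hosts_file, dns_zone)
    new = FakeNss(hosts_file, dns_zone)
    old_addr = resolve_family_fallback(host, port, old.getaddrinfo)[0][4][0]
    new_addr = resolve_unspec(host, port, new.getaddrinfo)[0][4][0]
    return (old_addr, old.dns_queries), (new_addr, new.dns_queries)
```

Both paths end at `f00d::1`, but the fallback path reaches the `dns` module once before it gets there, and on a site with a slow or misconfigured resolver that single extra query is the delay the message describes.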
| |
* adding experimental __slots__ to some classes
* adding more experimental __slots__ to some classes
* remove redundant slots
* added more experimental slots to classes
* remove slots from buffer class
| |
* document memory_view usage, refactor frame_writer.write_frame
* improve test for changing frame_max in write_frame
* add integration test for write_frame/send_heartbeat
| |
* improve performance of _get_free_channel_id, fix channel max bug
* add integration tests for _get_free_channel_id performance improvement
| |
failed connections. Fixes #378
| |
* reduce memory usage of Connection
* allow ValueError on _used_channel_ids.remove
| |
raise ValueError if cert_reqs=ssl.CERT_NONE.
| | |
Fixes: #349
| | |
* Change the default value of ssl_version to None. When not set, the
proper value between ssl.PROTOCOL_TLS_CLIENT and ssl.PROTOCOL_TLS_SERVER
will be selected based on the param server_side in order to create
a TLS Context object with better defaults that fit the desired
connection side.
* Change the default value of cert_reqs to None. The default value
of ctx.verify_mode is ssl.CERT_NONE, but when ssl.PROTOCOL_TLS_CLIENT
is used, ctx.verify_mode defaults to ssl.CERT_REQUIRED.
* Fix context.check_hostname logic. Checking the hostname depends on
having support of the SNI TLS extension and being provided with a
server_hostname value. Another important thing to mention is that
enabling hostname checking automatically sets verify_mode from
ssl.CERT_NONE to ssl.CERT_REQUIRED in the stdlib ssl and it cannot
be set back to ssl.CERT_NONE as long as hostname checking is enabled.
* Refactor the SNI tests to test one thing at a time and remove some
tests that were being repeated over and over.
Signed-off-by: Moisés Guimarães de Medeiros <guimaraes@pm.me>
| |
* Normalizes all params descriptions starting with a capitalized letter.
* Removes 'client' reference from key and cert, as the server_side param
states, this can be used by either side of the conversation.
* Enhances cert_reqs description covering all the possible values with a
more accurate behaviour explanation.
Signed-off-by: Moisés Guimarães de Medeiros <guimaraes@pm.me>
| |
* Reuse the timeout for publishing to wait for a response.
* Added the confirm_timeout keyword argument.
If a timeout was specified and confirm_timeout was not, use the timeout.
Otherwise, use the confirm_timeout.
* Fix unit test.
* Add document for timeout and confirm_timeout in _basic_publish
Co-authored-by: Omer Katz <omer.drow@gmail.com>
Co-authored-by: Reza Shiri <rezashiri@cafebazaar.ir>
| |
SSLTransport._wrap_socket_sni() (#344)
This fixes an issue introduced in commit: 53d677754b4e820acf673711532c1a1dc8e57124
| |
`ssl.wrap_socket` has been deprecated since Python 3.7, and since Python 3.2
and 2.7.9 (released in 2014) it has been recommended to use
SSLContext.wrap_socket() instead of wrap_socket(). The top-level
function is limited and creates an insecure client socket without server
name indication or hostname matching [1].
Python 2.7 is now officially unmaintained; the latest version of
Python 2.7 is 2.7.18, and py-amqp only supports Python versions that are
compatible with these changes [2].
These changes move away from `ssl.wrap_socket` by now using
`ssl.SSLContext.wrap_socket` [3].
[1] https://docs.python.org/3/library/ssl.html#ssl.wrap_socket
[2] https://github.com/celery/py-amqp/blob/master/setup.py#L24,L29
[3] https://docs.python.org/3/library/ssl.html#ssl.SSLContext.wrap_socket
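Two of the commit messages above concern the same stdlib mechanics: the one that makes `ssl_version` and `cert_reqs` default to `None` (so `PROTOCOL_TLS_CLIENT`/`PROTOCOL_TLS_SERVER` is chosen by `server_side` and `check_hostname` can raise `verify_mode` to `CERT_REQUIRED`), and this one, which replaces `ssl.wrap_socket` with `SSLContext.wrap_socket` to get SNI and hostname matching. The block below is an added example covering both; it is not py-amqp's `SSLTransport` code, and `build_context`, `wrap_client` and the socketpair demo are assumptions made here to show the behaviour offline.

```python
import socket
import ssl


def build_context(server_side=False, ssl_version=None, cert_reqs=None,
                  check_hostname=None):
    """Build an SSLContext along the lines the commit describes: with
    ssl_version=None the protocol follows the connection side, so the stdlib
    applies client defaults (CERT_REQUIRED, check_hostname=True) or server
    defaults (CERT_NONE, check_hostname=False).  cert_reqs and check_hostname
    are only applied when given, so those defaults survive otherwise."""
    if ssl_version is None:
        ssl_version = (ssl.PROTOCOL_TLS_SERVER if server_side
                       else ssl.PROTOCOL_TLS_CLIENT)
    ctx = ssl.SSLContext(ssl_version)
    if check_hostname is not None:
        # Enabling hostname checking flips verify_mode to CERT_REQUIRED, so
        # it has to be applied before verify_mode is touched.
        ctx.check_hostname = check_hostname
    if cert_reqs is not None:
        # While check_hostname is enabled the stdlib refuses CERT_NONE with a
        # ValueError; let it propagate rather than downgrade silently.
        ctx.verify_mode = cert_reqs
    return ctx


def wrap_client(sock, server_hostname, ctx):
    """Replacement for the deprecated top-level ssl.wrap_socket(): the
    context-based call sends SNI and, with check_hostname on, matches the
    certificate against server_hostname.  The handshake is deferred so the
    caller can run it under a timeout."""
    return ctx.wrap_socket(sock, server_hostname=server_hostname,
                           do_handshake_on_connect=False)


def summarize(ctx):
    """Expose the three context settings the commit message reasons about."""
    return {"protocol": ctx.protocol, "verify_mode": ctx.verify_mode,
            "check_hostname": ctx.check_hostname}


def cert_none_with_hostname_check_is_rejected():
    """True if asking for cert_reqs=CERT_NONE while hostname checking is on
    raises ValueError, i.e. the stdlib will not hand back a context that
    checks names but not certificates."""
    try:
        build_context(cert_reqs=ssl.CERT_NONE, check_hostname=True)
    except ValueError:
        return True
    return False


def demo_wrap():
    """Wrap one end of a constructed socketpair without handshaking and
    return the SNI name the SSLSocket carries (demo only; no peer speaks TLS)."""
    a, b = socket.socketpair()
    tls = wrap_client(a, "broker.example.org", build_context())
    try:
        return tls.server_hostname
    finally:
        tls.close()
        b.close()
```

The practical consequence for callers: a client context built this way verifies the broker certificate and its hostname unless the caller explicitly turns both off, and turning off only `cert_reqs` is refused rather than quietly accepted.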
| |
See http://bugs.python.org/issue10272 for details.
| |
Since we no longer support Python 2.7, this code can be removed.