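def ssl_wrap_socket(sock, keyfile=None, certfile=None, cert_reqs=None,
                    ca_certs=None, server_hostname=None, ssl_version=None):
    """Wrap ``sock`` in a pyOpenSSL client connection and complete the handshake.

    Mirrors the ``ssl.wrap_socket`` signature: ``certfile``/``keyfile`` load
    the client credential, ``cert_reqs`` (an ``ssl.CERT_*`` value) selects the
    peer-verification mode through ``_openssl_verify``, ``ca_certs`` is a CA
    bundle path, ``server_hostname`` is sent as the TLS SNI name and
    ``ssl_version`` (an ``ssl.PROTOCOL_*`` value) picks the pyOpenSSL method
    through ``_openssl_versions``.

    Returns a ``WrappedSocket`` around the established connection.

    Raises ``ssl.SSLError`` when the CA bundle cannot be loaded or the
    handshake fails, and ``socket.timeout`` when the socket's timeout elapses
    while waiting for handshake data.

    Nothing here matches ``server_hostname`` against the peer certificate;
    hostname checking is left to the caller. With ``cert_reqs == ssl.CERT_NONE``
    no verify callback is installed at all.
    """
    import select
    import socket

    ctx = OpenSSL.SSL.Context(_openssl_versions[ssl_version])
    if certfile:
        ctx.use_certificate_file(certfile)
    if keyfile:
        ctx.use_privatekey_file(keyfile)
    # NOTE(review): the default cert_reqs=None is not ssl.CERT_NONE, so it
    # reaches this lookup; whether _openssl_verify has a None key is not
    # visible here -- confirm, or always pass an explicit ssl.CERT_* value.
    if cert_reqs != ssl.CERT_NONE:
        ctx.set_verify(_openssl_verify[cert_reqs], _verify_callback)
    if ca_certs:
        try:
            ctx.load_verify_locations(ca_certs, None)
        except OpenSSL.SSL.Error as e:
            raise ssl.SSLError('bad ca_certs: %r' % ca_certs, e)

    cnx = OpenSSL.SSL.Connection(ctx, sock)
    # NOTE(review): pyOpenSSL expects a bytes hostname here; the None default
    # (or a str on some versions) may be rejected -- confirm at the call site.
    cnx.set_tlsext_host_name(server_hostname)
    cnx.set_connect_state()
    # On a socket that has a timeout or is non-blocking, pyOpenSSL reports
    # "need more data" as WantReadError, a subclass of SSL.Error. Catching
    # only SSL.Error turned that into a spurious 'bad handshake'; instead wait
    # for the socket to become readable (honouring its timeout) and retry.
    while True:
        try:
            cnx.do_handshake()
        except OpenSSL.SSL.WantReadError:
            readable, _, _ = select.select([sock], [], [], sock.gettimeout())
            if not readable:
                raise socket.timeout('select timed out')
            continue
        except OpenSSL.SSL.Error as e:
            raise ssl.SSLError('bad handshake', e)
        break

    return WrappedSocket(cnx, sock)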
def test_str(self): # The str() of a SSLError doesn't include the errno import _ssl e = _ssl.SSLError(1, "foo") assert str(e) == "foo" assert e.errno == 1 # Same for a subclass e = _ssl.SSLZeroReturnError(1, "foo") assert str(e) == "foo" assert e.errno == 1
def wrap_errors(self, name, call, args):
    """Run ``call(*args)`` and translate socket errors into _ssl-style results.

    ``name`` is the operation name ("read" or "write"); it appears in the
    timeout message and selects the would-block return value: ``None`` for
    a read, ``0`` for a write.

    ``socket.timeout`` on a non-blocking socket (``gettimeout() == 0.0``) is
    mapped to that would-block value; on a socket with a real timeout it is
    re-raised as ``_ssl.SSLError`` carrying the same message the _ssl module
    produces. ``socket.error`` with errno ``EWOULDBLOCK`` is mapped the same
    way; any other ``socket.error`` propagates unchanged.
    """
    would_block = None if name == "read" else 0
    try:
        return call(*args)
    except socket.timeout:
        if self.sock.gettimeout() != 0.0:
            # mirror the _ssl module's own timeout error
            raise _ssl.SSLError("The %s operation timed out" % (name,))
        return would_block
    except socket.error as exc:
        # NOTE(review): only EWOULDBLOCK is mapped; on platforms where EAGAIN
        # is a distinct value it propagates as an error -- confirm intended.
        if exc.errno != errno.EWOULDBLOCK:
            raise
        return would_block
def getpeercert(self, binary_form=False):
    """Return the certificate the peer presented during the handshake.

    With ``binary_form`` true the certificate is returned DER-encoded
    (``FILETYPE_ASN1``). Otherwise a dict in the minimal shape of
    ``ssl.SSLSocket.getpeercert``: ``'subject'`` holds only the commonName
    and ``'subjectAltName'`` holds the DNS entries from ``get_subj_alt_name``.
    This only reports the certificate; whether it was verified depends on
    the context the connection was created with, not on anything here.

    Raises ``ssl.SSLError`` when no peer certificate is available.
    """
    peer_cert = self.connection.get_peer_certificate()
    if not peer_cert:
        raise ssl.SSLError('')

    if binary_form:
        return OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_ASN1, peer_cert)

    common_name = peer_cert.get_subject().CN
    alt_names = [('DNS', dns_name) for dns_name in get_subj_alt_name(peer_cert)]
    return {
        'subject': ((('commonName', common_name),),),
        'subjectAltName': alt_names,
    }