def connect(self):
# pylint: disable=too-many-branches
"""Connect to a host on a given (SSL) port."""
# Connect for M2Crypto ssl package
if _HAVE_M2CRYPTO:
# Calling httplib.HTTPSConnection.connect(self) does not work
# because of its ssl.wrap_socket() call. So we copy the code of
# that connect() method modulo the ssl.wrap_socket() call.
# Another change is that we do not pass the timeout value
# on to the socket call, because that does not work with
# M2Crypto.
if sys.version_info[0:2] >= (2, 7):
# the source_address parameter was added in Python 2.7
self.sock = socket.create_connection(
(self.host, self.port), None, self.source_address)
else:
self.sock = socket.create_connection(
(self.host, self.port), None)
# Removed code for tunneling support.
# End of code from httplib.HTTPSConnection.connect(self).
ctx = SSL.Context('sslv23')
if self.cert_file:
ctx.load_cert(self.cert_file, keyfile=self.key_file)
if self.ca_certs:
ctx.set_verify(SSL.verify_peer
| SSL.verify_fail_if_no_peer_cert,
depth=9,
callback=verify_callback)
if os.path.isdir(self.ca_certs):
ctx.load_verify_locations(capath=self.ca_certs)
else:
ctx.load_verify_locations(cafile=self.ca_certs)
try:
self.sock = SSL.Connection(ctx, self.sock)
# Below is a body of SSL.Connection.connect() method
# except for the first line (socket connection).
# Removed code for tunneling support.
# Setting the timeout on the input socket does not work
# with M2Crypto, with such a timeout set it calls a
# different low level function (nbio instead of bio)
# that does not work. The symptom is that reading the
# response returns None.
# Therefore, we set the timeout at the level of the outer
# M2Crypto socket object.
# pylint: disable=using-constant-test
if self.timeout is not None:
self.sock.set_socket_read_timeout(
SSL.timeout(self.timeout))
self.sock.set_socket_write_timeout(
SSL.timeout(self.timeout))
self.sock.addr = (self.host, self.port)
self.sock.setup_ssl()
self.sock.set_connect_state()
ret = self.sock.connect_ssl()
if self.ca_certs:
check = getattr(self.sock, 'postConnectionCheck',
self.sock.clientPostConnectionCheck)
if check is not None:
if not check(self.sock.get_peer_cert(), self.host):
raise ConnectionError(
'SSL error: post connection check failed')
return ret
except (SSLError, SSL.SSLError,
SSL.Checker.SSLVerificationError) as arg:
raise ConnectionError("SSL error %s: %s" %
(arg.__class__, arg))
# Connect using Python SSL module
else:
# Setup the socket context
# Note: PROTOCOL_SSLv23 allows talking to servers with TLS but
# not with SSL. For details, see the table in
# https://docs.python.org/3/library/ssl.html#ssl.wrap_socket
# Within the defined set of protocol versions, SSLv23 selects
# the highest protocol version that both client and server
# support.
# TODO #893: Consider the use of default_context()
ctx = SSL.SSLContext(SSL.PROTOCOL_SSLv23)
if self.cert_file:
ctx.load_cert(self.cert_file, keyfile=self.key_file)
if self.ca_certs:
# We need to use CERT_REQUIRED to require that the server
# certificate is being validated by the client (against the
# certificates in ca_certs).
ctx.verify_mode = SSL.CERT_REQUIRED
if os.path.isdir(self.ca_certs):
ctx.load_verify_locations(capath=self.ca_certs)
else:
ctx.load_verify_locations(cafile=self.ca_certs)
ctx.check_hostname = True
else:
ctx.check_hostname = False
ctx.verify_mode = SSL.CERT_NONE
# setup the socket
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(self.timeout)
try:
self.sock = ctx.wrap_socket(sock,
server_hostname=self.host)
return self.sock.connect((self.host, self.port))
except SSLError as arg:
raise ConnectionError("SSL error %s: %s" %
(arg.__class__, arg))
except CertificateError as arg:
raise ConnectionError("SSL certificate error %s: %s" %
(arg.__class__, arg))
def connect(self):
self.sock = SSL.Connection(self.ssl_ctx)
self.sock.connect((self.host, self.port))
tlsa_rdata_set = get_tlsa(port, "tcp", hostname)
for (iptype, ipaddr) in get_addresses(hostname):
print "Connecting to %s at address %s ..." % (hostname, ipaddr)
ctx = SSL.Context()
if iptype == "IPv4":
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
elif iptype == "IPv6":
sock = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
else:
raise ValueError, "Unknown address type: %s" % iptype
sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
connection = SSL.Connection(ctx, sock=sock)
# set TLS SNI extension if available in M2Crypto on this platform
# Note: the official M2Crypto release does not yet (as of late 2014)
# have support for SNI, sigh, but patches exist.
try:
connection.set_tlsext_host_name(hostname)
except AttributeError:
pass
# Per https://tools.ietf.org/html/draft-ietf-dane-ops, for DANE-EE
# usage, certificate identity checks are based solely on the TLSA
# record, so we ignore name mismatch conditions in the certificate.
try:
connection.connect((ipaddr, port))
except SSL.Checker.WrongHost:
def test_set_ssl(self): # XXX leaks 64/1312 bytes
ctx = SSL.Context()
conn = SSL.Connection(ctx)
self.sslbio.set_ssl(conn)
def connect(self, addr):
self.sock = SSL.Connection(self.ctx)
checker = PostConnectionChecker()
self.sock.set_post_connection_check_callback(checker)
self.sock.setblocking(1)
self.sock.connect(addr)
def wrapSocket(self, sock):
context = self.context
return SSLSocket(SSL.Connection(context, sock=sock))
def _start_ssl(self):
""" Make this connection's socket SSL-aware. """
self.sock = SSL.Connection(self.ssl_ctx, self.sock)
self.sock.setup_ssl()
self.sock.set_connect_state()
self.sock.connect_ssl()
def test_no_connection(self):
ctx = SSL.Context()
s = SSL.Connection(ctx)
def _start_ssl(self):
self.sock = SSL.Connection(self.ssl_ctx, self.sock)
self.sock.settimeout(self.rhsm_timeout)
self.sock.setup_ssl()
self.sock.set_connect_state()
self.sock.connect_ssl()
