def get_brew_build(nvr, product_version='', session=None): """5.2.2.1. GET /api/v1/build/{id_or_nvr} Get Brew build details. https://errata.devel.redhat.com/developer-guide/api-http-api.html#api-get-apiv1buildid_or_nvr :param str nvr: A name-version-release string of a brew rpm/image build :param str product_version: The product version tag as given to ET when attaching a build :param requests.Session session: A python-requests Session object, used for for connection pooling. Providing `session` object can yield a significant reduction in total query time when looking up many builds. http://docs.python-requests.org/en/master/user/advanced/#session-objects :return: An initialized Build object with the build details :raises exceptions.BrewBuildException: When build not found """ if session is not None: res = session.get(constants.errata_get_build_url.format(id=nvr), verify=ssl.get_default_verify_paths().openssl_cafile, auth=HTTPKerberosAuth()) else: res = requests.get( constants.errata_get_build_url.format(id=nvr), verify=ssl.get_default_verify_paths().openssl_cafile, auth=HTTPKerberosAuth()) if res.status_code == 200: return Build(nvr=nvr, body=res.json(), product_version=product_version) else: raise exceptions.BrewBuildException("{build}: {msg}".format( build=nvr, msg=res.text))
def testManualHeaders(self): websock3 = ws.WebSocket(sslopt={"ca_certs": ssl.get_default_verify_paths().cafile, "ca_cert_path": ssl.get_default_verify_paths().capath}) self.assertRaises(ws._exceptions.WebSocketBadStatusException, websock3.connect, "wss://api.bitfinex.com/ws/2", cookie="chocolate", origin="testing_websockets.com", host="echo.websocket.org/websocket-client-test", subprotocols=["testproto"], connection="Upgrade", header={"CustomHeader1":"123", "Cookie":"TestValue", "Sec-WebSocket-Key":"k9kFAUWNAMmf5OEMfTlOEA==", "Sec-WebSocket-Protocol":"newprotocol"})
def _connect(self): """Creates a websocket connection. :return: """ self.log.debug("_connect(): Initializing Connection..") self.socket = websocket.WebSocketApp(self.url, on_open=self._on_open, on_message=self._on_message, on_error=self._on_error, on_close=self._on_close) if 'ca_certs' not in self.sslopt.keys(): ssl_defaults = ssl.get_default_verify_paths() self.sslopt['ca_certs'] = ssl_defaults.cafile self.log.debug("_connect(): Starting Connection..") self.socket.run_forever(sslopt=self.sslopt) while self.reconnect_required.is_set(): if not self.disconnect_called.is_set(): self.log.info("Attempting to connect again in %s seconds." % self.reconnect_interval) self.state = "unavailable" time.sleep(self.reconnect_interval) # We need to set this flag since closing the socket will # set it to False self.socket.keep_running = True self.socket.run_forever(sslopt=self.sslopt)
def connect(self): screepsConnection = API(u=self.user,p=self.password,ptr=self.ptr,host=self.host,secure=self.secure, token=self.atoken) me = screepsConnection.me() self.user_id = me['_id'] self.token = screepsConnection.token if self.logging: logging.getLogger('websocket').addHandler(logging.StreamHandler()) websocket.enableTrace(True) else: logging.getLogger('websocket').addHandler(logging.NullHandler()) websocket.enableTrace(False) if self.host: url = 'wss://' if self.secure else 'ws://' url += self.host + '/socket/websocket' elif not self.ptr: url = 'wss://screeps.com/socket/websocket' else: url = 'wss://screeps.com/ptr/socket/websocket' self.ws = websocket.WebSocketApp(url=url, on_message=self.on_message, on_error=self.on_error, on_close=self.on_close, on_open=self.on_open) ssl_defaults = ssl.get_default_verify_paths() sslopt_ca_certs = {'ca_certs': ssl_defaults.cafile} if 'http_proxy' in self.settings and self.settings['http_proxy'] is not None: http_proxy_port = self.settings['http_proxy_port'] if 'http_proxy_port' in self.settings else 8080 self.ws.run_forever(http_proxy_host=self.settings['http_proxy'], http_proxy_port=http_proxy_port, ping_interval=1, sslopt=sslopt_ca_certs) else: self.ws.run_forever(ping_interval=1, sslopt=sslopt_ca_certs)
def __connect(self, wsURL): '''Connect to the websocket in a thread.''' self.logger.debug("Starting thread") ssl_defaults = ssl.get_default_verify_paths() sslopt_ca_certs = {'ca_certs': ssl_defaults.cafile} self.ws = websocket.WebSocketApp(wsURL, on_message=self.__on_message, on_close=self.__on_close, on_open=self.__on_open, on_error=self.__on_error, header=self.__get_auth() ) setup_custom_logger('websocket', log_level=settings.LOG_LEVEL) self.wst = threading.Thread(target=lambda: self.ws.run_forever(sslopt=sslopt_ca_certs)) self.wst.daemon = True self.wst.start() self.logger.info("Started thread") # Wait for connect before continuing conn_timeout = 5 while (not self.ws.sock or not self.ws.sock.connected) and conn_timeout and not self._error: sleep(1) conn_timeout -= 1 if not conn_timeout or self._error: self.logger.error("Couldn't connect to WS! Exiting.") self.exit() sys.exit(1)
def __connect(self): '''Connect to the websocket in a thread.''' print("启动websocket线程.") ssl_defaults = ssl.get_default_verify_paths() sslopt_ca_certs = {'ca_certs': ssl_defaults.cafile} self.ws = websocket.WebSocketApp(self.wsUrl, on_message=self.__on_message, on_close=self.__on_close, on_open=self.__on_open, on_error=self.__on_error, header=self.__get_auth()) setup_custom_logger('websocket', log_level=LOG_LEVEL) self.wst = threading.Thread( target=lambda: self.ws.run_forever(sslopt=sslopt_ca_certs)) self.wst.daemon = True self.wst.start() print("websocket线程已启动.") conn_timeout = 5 while (not self.ws.sock or not self.ws.sock.connected ) and conn_timeout and not self._error: sleep(1) conn_timeout -= 1 if not conn_timeout or self._error: print("无法连接websocket服务器,准备退出..") self.exit() self.isconnected = False else: self.isconnected = True self.__start_ping_thread()
def initialize_ssl_cert_dir(): """Initialize OpenSSL's CA certificates file. Makes it so certificates can be verified. """ global _ssl_init_done if _ssl_init_done: return _ssl_init_done = True if not sys.platform.startswith('linux'): return import os import ssl dvp = ssl.get_default_verify_paths() # from https://golang.org/src/crypto/x509/root_linux.go cert_files = [ "/etc/ssl/certs/ca-certificates.crt", # Debian/Ubuntu/Gentoo etc. "/etc/pki/tls/certs/ca-bundle.crt", # Fedora/RHEL 6 "/etc/ssl/ca-bundle.pem", # OpenSUSE "/etc/pki/tls/cacert.pem", # OpenELEC "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", # CentOS/RHEL 7 ] for fn in cert_files: if os.path.exists(fn): os.environ[dvp.openssl_cafile_env] = fn # os.environ[dvp.openssl_capath_env] = os.path.dirname(fn) return
def __connect(self, wsURL): '''Connect to the websocket in a thread.''' self.logger.info("Starting thread") # Return paths to default cafile and capath. ssl_defaults = ssl.get_default_verify_paths() # dictionary holding defaults cafile = '/Users/jeroenderyck/anaconda/ssl/cert.pem' sslopt_ca_certs = {'ca_certs': ssl_defaults.cafile} self.ws = websocket.WebSocketApp(wsURL, on_message=self.__on_message, on_close=self.__on_close, on_open=self.__on_open, on_error=self.__on_error, header=self.__get_auth() ) self.__setup_logger() self.wst = threading.Thread(target=lambda: self.ws.run_forever(sslopt=sslopt_ca_certs)) self.wst.daemon = True self.wst.start() self.logger.info("Started thread") # Wait for connect before continuing conn_timeout = 5 while (not self.ws.sock or not self.ws.sock.connected) and conn_timeout and not self._error: sleep(1) conn_timeout -= 1 if not conn_timeout or self._error: self.logger.error("Couldn't connect to WS! Exiting.") self.exit() sys.exit(1)
def __connect(self, wsURL): '''Connect to the websocket in a thread.''' ssl_defaults = ssl.get_default_verify_paths() sslopt_ca_certs = {'ca_certs': ssl_defaults.cafile} self.ws = websocket.WebSocketApp(wsURL, on_message=self.__on_message, on_close=self.__on_close, on_open=self.__on_open, on_error=self.__on_error, header=[], cookie='__jsluid=a3718fd232c1901c0400e3a9a63ea216; USER_UNI=e7ef627cd9bb4c1f41611cce71b3675c; PHPSESSID=34f3eea0ac392475f8f5faf651a504dc; COINTYPE=btc2ckusd; lang=us_EN; UNIQUEID=f4c56f83ff9427fa3f173bebbd5afa4e' ) self.lastConnect = datetime.utcnow() self.wst = threading.Thread(target=lambda: self.ws.run_forever(sslopt=sslopt_ca_certs)) self.wst.daemon = True self.wst.start() # Wait for connect before continuing conn_timeout = 5 while (not self.ws.sock or not self.ws.sock.connected) and conn_timeout and not self._error: sleep(2) conn_timeout -= 1 if not conn_timeout or self._error: print("Couldn't connect to WS! Exiting.") self.exit() sys.exit(1)
def test_openssl(self): import ssl ssl.PROTOCOL_TLSv1_2 if isosx: cafile = ssl.get_default_verify_paths().cafile if not cafile or not cafile.endswith('/mozilla-ca-certs.pem') or not os.access(cafile, os.R_OK): self.assert_('Mozilla CA certs not loaded')
def __connect(self, wsURL): '''Connect to the websocket in a thread.''' self.logger.debug("Starting thread") ssl_defaults = ssl.get_default_verify_paths() sslopt_ca_certs = {'ca_certs': ssl_defaults.cafile} self.ws = websocket.WebSocketApp(wsURL, on_message=self.__on_message, on_close=self.__on_close, on_open=self.__on_open, on_error=self.__on_error, header=self.__get_auth() ) setup_custom_logger('websocket', log_level=settings.LOG_LEVEL) self.wst = threading.Thread(target=lambda: self.ws.run_forever(sslopt=sslopt_ca_certs)) self.wst.daemon = True self.wst.start() self.logger.info("Started thread") # Wait for connect before continuing conn_timeout = 5 while (not self.ws.sock or not self.ws.sock.connected) and conn_timeout and not self._error: sleep(1) conn_timeout -= 1 if not conn_timeout or self._error: self.logger.error("Couldn't connect to WS! Exiting.") self.exit()
def main(): openssl_dir, openssl_cafile = os.path.split( ssl.get_default_verify_paths().openssl_cafile) print(" -- pip install --upgrade certifi") subprocess.check_call([ sys.executable, "-E", "-s", "-m", "pip", "install", "--upgrade", "certifi" ]) import certifi # change working directory to the default SSL directory os.chdir(openssl_dir) relpath_to_certifi_cafile = os.path.relpath(certifi.where()) print(" -- removing any existing file or link") try: os.remove(openssl_cafile) except FileNotFoundError: pass print(" -- creating symlink to certifi certificate bundle") os.symlink(relpath_to_certifi_cafile, openssl_cafile) print(" -- setting permissions") os.chmod(openssl_cafile, STAT_0o775) print(" -- update complete")
def get_https_context_factory(): if not hasattr(ssl, 'Purpose'): return lambda *_, **__: None if not hasattr(ssl, '_create_default_https_context') or \ hasattr(ssl, 'get_default_verify_paths') and \ ssl.get_default_verify_paths()[0] is None: m = re.match(r'(Open|Libre)SSL (\d+)\.(\d+)\.(\d+)', ssl.OPENSSL_VERSION) openssl_version = int(m.group(2)), int(m.group(3)), int(m.group(4)) if openssl_version < (1, 0, 2) and hasattr(certifi, 'old_where'): # https://github.com/certifi/python-certifi/issues/26 where = certifi.old_where else: where = certifi.where def get_https_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=None, capath=None, cadata=None): return ssl.create_default_context( purpose=purpose, cafile=cafile or where(), capath=capath, cadata=cadata ) return get_https_context if hasattr(ssl, '_create_default_https_context'): return ssl._create_default_https_context if hasattr(ssl, 'create_default_context'): return ssl.create_default_context return lambda *_, **__: None
def test_http_SSL(self): websock1 = ws.WebSocket(sslopt={"cert_chain": ssl.get_default_verify_paths().capath}, enable_multithread=False) self.assertRaises(ValueError, websock1.connect, "wss://api.bitfinex.com/ws/2") websock2 = ws.WebSocket(sslopt={"certfile": "myNonexistentCertFile"}) self.assertRaises(FileNotFoundError, websock2.connect, "wss://api.bitfinex.com/ws/2")
def _connect(self, wsURL): '''Connect to the websocket in a thread.''' self.logger.debug("Starting thread") ssl_defaults = ssl.get_default_verify_paths() sslopt_ca_certs = {'ca_certs': ssl_defaults.cafile} self.ws = websocket.WebSocketApp( wsURL, on_message=lambda ws, msg: self._on_message(ws, msg), on_close=lambda ws: self._on_close(ws), on_open=lambda ws: self._on_open(ws), on_error=lambda ws, msg: self._on_error(ws, msg), header=self.__get_auth()) #self.wst = threading.Thread(target=lambda: self.ws.run_forever(sslopt=sslopt_ca_certs)) self.wst = threading.Thread(target=lambda: self.ws.run_forever()) self.wst.daemon = True self.wst.start() # Wait for connect before continuing conn_timeout = 5 while (not self.ws.sock or not self.ws.sock.connected ) and conn_timeout and not self._error: sleep(1) conn_timeout -= 1 if not conn_timeout or self._error: self.logger.error("Couldn't connect to Account WS! Exiting.") self.exit() sys.exit(1)
def get_https_context_factory(): if not hasattr(ssl, 'Purpose'): return lambda *_, **__: None if not hasattr(ssl, '_create_default_https_context') or \ hasattr(ssl, 'get_default_verify_paths') and \ ssl.get_default_verify_paths()[0] is None: m = re.match(r'OpenSSL (\d+)\.(\d+)\.(\d+)', ssl.OPENSSL_VERSION) openssl_version = int(m.group(1)), int(m.group(2)), int(m.group(3)) if openssl_version < (1, 0, 2) and hasattr(certifi, 'old_where'): # https://github.com/certifi/python-certifi/issues/26 where = certifi.old_where else: where = certifi.where def get_https_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=None, capath=None, cadata=None): return ssl.create_default_context( purpose=purpose, cafile=cafile or where(), capath=capath, cadata=cadata ) return get_https_context if hasattr(ssl, '_create_default_https_context'): return ssl._create_default_https_context if hasattr(ssl, 'create_default_context'): return ssl.create_default_context return lambda *_, **__: None
def __init__(self, url=None, username=None, password=None, verify=None, cache=False): # Basic URL and authentication settings self.url = url or self.url self.username = username or self.username self.password = password or self.password self._session = Session() self._session.verify = verify or get_default_verify_paths().capath self.auth = HTTPBasicAuth(self.username, self.password) self.parser = makeparser(huge_tree=True) # API endpoints self.build = Build(osc_obj=self) self.comments = Comment(osc_obj=self) self.groups = Group(osc_obj=self) self.packages = Package(osc_obj=self) self.projects = Project(osc_obj=self) self.requests = BsRequest(osc_obj=self) self.search = Search(osc_obj=self) self.users = Person(osc_obj=self) # Cache if cache: # pylint: disable=broad-except try: self.session = CacheControl(self._session) except Exception as error: self.session = self._session warnings.warn("Cannot use the cache: {}".format(error), RuntimeWarning) else: self.session = self._session
def _connect(self): # websocket开启日志跟踪 # websocket.enableTrace(True) self._ws = websocket.WebSocketApp(self.host, on_message=self.__on_message, on_close=self.__on_close, on_open=self.__on_open, on_error=self.__on_error, keep_running=True, header=self.on_header()) _kwargs = { 'ping_interval': self.ping_interval, 'ping_timeout': self.ping_timeout } if self.proxy_host and self.proxy_port: ssl_defaults = ssl.get_default_verify_paths() sslopt_ca_certs = {'ca_certs': ssl_defaults.cafile} _kwargs = { 'ping_interval': self.ping_interval, 'ping_timeout': self.ping_timeout, 'sslopt': sslopt_ca_certs } _kwargs['http_proxy_host'] = self.proxy_host _kwargs['http_proxy_port'] = self.proxy_port # daemon进程模式 程序执行完退出 # self._ws.daemon = True self._ws.run_forever(**_kwargs) if not self._ws.sock or not self._ws.sock.connected: logging.error('Could not connect to WS! Exiting')
def __connect(self, url): """ WebSocket Thread connect """ self.logger.debug("Starting thread") ssl_defaults = ssl.get_default_verify_paths() sslopt_ca_certs = {'ca_certs': ssl_defaults.cafile} self.ws = websocket.WebSocketApp(url, on_message=self.__on_message, on_open=self.__on_open, on_close=self.__on_close, on_error=self.__on_error, header=self.__get_auth()) self.wst = threading.Thread( target=lambda: self.ws.run_forever(sslopt=sslopt_ca_certs)) self.wst.daemon = True self.wst.start() self.logger.info("Started thread") conn_timeout = 5 while (not self.ws.sock or not self.ws.sock.connected ) and conn_timeout and not self._error: time.sleep(1) conn_timeout -= 1 if not conn_timeout or self._error: self.logger.error("Couldn't connect to WS! Exiting.") self.exit() sys.exit(1)
def test_openssl(self): import ssl ssl.PROTOCOL_TLSv1_2 if ismacos: cafile = ssl.get_default_verify_paths().cafile if not cafile or not cafile.endswith('/mozilla-ca-certs.pem') or not os.access(cafile, os.R_OK): raise AssertionError('Mozilla CA certs not loaded')
def __init__(self, host, port, has_ssl=False): self.host = host self.port = port self.sock = None self.socket_handler = None self.ssl_context = None self.socket_connected = False self.cert_file = ssl.get_default_verify_paths().cafile try: self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) except Exception as e: print("socket failed - Exception:" + str(e)) sys.exit(1) if has_ssl: self.ssl_context = ssl.create_default_context( purpose=ssl.Purpose.CLIENT_AUTH) self.ssl_context.options &= ~ssl.OP_NO_SSLv3 self.ssl_context.load_verify_locations(cafile=self.cert_path) self.socket_handler = self.ssl_context.wrap_socket(self.sock) else: self.socket_handler = self.sock self.sock.setblocking(False) self.sock.settimeout(2)
def verify_certs_chain(certs_chain: List[crypto.X509], amazon_cert: crypto.X509) -> bool: """Verifies if Amazon and additional certificates creates chain of trust to a root CA. Args: certs_chain: List of pycrypto X509 intermediate certificates from signature chain URL. amazon_cert: Pycrypto X509 Amazon certificate. Returns: result: True if verification was successful, False if not. """ store = crypto.X509Store() # add certificates from Amazon provided certs chain for cert in certs_chain: store.add_cert(cert) # add CA certificates default_verify_paths = ssl.get_default_verify_paths() default_verify_file = default_verify_paths.cafile default_verify_file = Path( default_verify_file).resolve() if default_verify_file else None default_verify_path = default_verify_paths.capath default_verify_path = Path( default_verify_path).resolve() if default_verify_path else None ca_files = [ca_file for ca_file in default_verify_path.iterdir() ] if default_verify_path else [] if default_verify_file: ca_files.append(default_verify_file) for ca_file in ca_files: ca_file: Path if ca_file.is_file(): with ca_file.open('r', encoding='ascii') as crt_f: ca_certs_txt = crt_f.read() ca_certs = extract_certs(ca_certs_txt) for cert in ca_certs: store.add_cert(cert) # add CA certificates (Windows) ssl_context = ssl.create_default_context() der_certs = ssl_context.get_ca_certs(binary_form=True) pem_certs = '\n'.join( [ssl.DER_cert_to_PEM_cert(der_cert) for der_cert in der_certs]) ca_certs = extract_certs(pem_certs) for ca_cert in ca_certs: store.add_cert(ca_cert) store_context = crypto.X509StoreContext(store, amazon_cert) try: store_context.verify_certificate() result = True except crypto.X509StoreContextError: result = False return result
def __connect(self, wsURL): """Connect to the websocket in a thread.""" ssl_defaults = ssl.get_default_verify_paths() sslopt_ca_certs = {"ca_certs": ssl_defaults.cafile} self.ws = websocket.WebSocketApp( wsURL, on_message=self.__on_message, on_close=self.__on_close, on_error=self.__on_error, header=self.__get_auth(), ) self.wst = threading.Thread( target=lambda: self.ws.run_forever(sslopt=sslopt_ca_certs) ) self.wst.daemon = True self.wst.start() # Wait for connect before continuing conn_timeout = 5 while ( (not self.ws.sock or not self.ws.sock.connected) and conn_timeout and not self._error ): sleep(1) conn_timeout -= 1 if not conn_timeout or self._error: self.logger.warning( f"Ending the connexion because not conn_timeout={not conn_timeout} or self._error={self._error}" ) self.exit() sys.exit(1)
def _connect(self): """Create a websocket connection. Automatically reconnects connection if it was severed unintentionally. """ self.conn = websocket.WebSocketApp( self.url, on_open=self._on_open, on_message=self._on_message, on_error=self._on_error, on_close=self._on_close ) ssl_defaults = ssl.get_default_verify_paths() sslopt_ca_certs = {'ca_certs': ssl_defaults.cafile} self.conn.run_forever(sslopt=sslopt_ca_certs) while self.reconnect_required: if not self.disconnect_called: self.log.info("Attempting to connect again in %s seconds.", self.reconnect_interval) time.sleep(self.reconnect_interval) # We need to set this flag since closing the socket will # set it to False self.conn.keep_running = True self.conn.run_forever(sslopt=sslopt_ca_certs)
def get_comments(advisory_id): """5.2.10.2. GET /api/v1/comments?filter[key]=value Retrieve all advisory comments Example request body: {"filter": {"errata_id": 11112, "type": "AutomatedComment"}} Returns an array of comments ordered in descending order (newest first). The array may be empty depending on the filters used. The meaning of each attribute is documented under GET /api/v1/comments/{id} (see Erratum.get_comment()) Included for reference: 5.2.10.2.1. Filtering The list of comments can be filtered by applying filter[key]=value as a query parameter. All attributes of a comment - except advisory_state - can be used as a filter. This is a paginated API. Reference documentation: https://errata.devel.redhat.com/developer-guide/api-http-api.html#api-pagination """ body = {"filter": {"errata_id": advisory_id, "type": "Comment"}} res = requests.get(constants.errata_get_comments_url, verify=ssl.get_default_verify_paths().openssl_cafile, auth=HTTPKerberosAuth(), json=body) if res.status_code == 200: return res.json().get('data', []) elif res.status_code == 401: raise exceptions.ErrataToolUnauthorizedException(res.text) else: return False
def get_appdir(): # setup appdir if hasattr(sys, 'frozen') and sys.frozen: if hasattr(sys, '_MEIPASS'): # PyInstaller appdir = sys._MEIPASS # WORKAROUND: Bug that always raise the SSLCertVerificationError from urlopen() # when CPython is not installed. # Use certificate from certifi only if cafile could not find by ssl. # See https://github.com/pyinstaller/pyinstaller/pull/3952 import ssl if ssl.get_default_verify_paths().cafile is None: import certifi os.environ['SSL_CERT_FILE'] = certifi.core.where() else: # py2exe appdir, _ = os.path.split(sys.executable) else: dirname, _ = os.path.split(os.path.realpath(__file__)) if dirname and dirname != os.curdir: appdir = dirname else: appdir = os.getcwd() # make sure it's the full path appdir_full_path = os.path.abspath(appdir) return appdir_full_path
def check(cmd, mf): m = mf.findNode("ssl") if m is None or m.filename is None: return None import ssl datafiles = [] paths = ssl.get_default_verify_paths() if paths.cafile is not None: datafiles.append(paths.cafile) cafile_path = os.path.basename(paths.cafile) else: cafile_path = "no-such-file" if paths.capath is not None: datafiles.append(paths.capath) capath_path = os.path.basename(paths.capath) else: capath_path = "no-such-file" prescript = PRESCRIPT % { "openssl_cafile_env": paths.openssl_cafile_env, "openssl_capath_env": paths.openssl_capath_env, "cafile_path": cafile_path, "capath_path": capath_path, } return { "resources": [("openssl.ca", datafiles)], "prescripts": [io.StringIO(prescript)], }
def get_brew_builds(errata_id, session=None): """5.2.2.1. GET /api/v1/erratum/{id}/builds Get Errata list of builds. https://errata.devel.redhat.com/developer-guide/api-http-api.html#api-get-apiv1erratumidbuilds :param str errata_id: the errata id :param requests.Session session: A python-requests Session object, used for for connection pooling. Providing `session` object can yield a significant reduction in total query time when looking up many builds. http://docs.python-requests.org/en/master/user/advanced/#session-objects :return: A List of initialized Build object with the build details :raises exceptions.BrewBuildException: When erratum return errors """ if session is None: session = requests.session() res = session.get(constants.errata_get_builds_url.format(id=errata_id), verify=ssl.get_default_verify_paths().openssl_cafile, auth=HTTPKerberosAuth()) brew_list = [] if res.status_code == 200: jlist = res.json() for key in jlist.keys(): for obj in jlist[key]['builds']: brew_list.append( brew.Build(nvr=list(obj.keys())[0], product_version=key)) return brew_list else: raise exceptions.BrewBuildException( "fetch builds from {id}: {msg}".format(id=errata_id, msg=res.text))
def main(cert_path=script_loc, set_env={}, prepend_env={}, do_pip=False, do_aws=False, do_requests=False): ''' This is the main script. ''' if not do_requests and not do_pip and not prepend_env and not set_env and not do_aws: print("Please specify at least one of the following: --requests, --pip, --prepend-env, --set_env, --aws (windows only).") # Automated inputs: if do_requests or do_pip or do_aws: loc_certs = [glob.glob(os.path.join(cert_path, x)) for x in ['*.pem', '*.crt']] loc_certs = [_path_update(cert) for sublist in loc_certs for cert in sublist] # Update requests certificates - for Conda install: if do_requests: if ('requests' in sys.modules) and ('certifi' in sys.modules) and len(loc_certs)>0: print("Requests SSL configuration started...") req_status = update_certs(requests.certs.where(), loc_certs) # Location of Python's requests cert file print(" ".join(["Requests Config:", req_status])) print("Requests SSL configuration complete.") elif 'requests' not in sys.modules: print("Python requests library not installed, skipping requests update. Is conda installed?") elif 'certifi' not in sys.modules: print("Python certifi library not installed, skipping certifi update. Is conda installed?") elif len(loc_certs) < 1: print("No certificate *.pem or *.crt' files found at {}, skipping certificate update.".format(os.path.abspath(loc_certs))) # Update environment variables: if (prepend_env) or (set_env): print("Environment variables configuration started...") set_prepend_envs(set_env, prepend_env) print("Environment variables configuration complete.") # Update pip config: if do_pip: print("Pip SSL configuration started...") if do_requests and ('requests' in sys.modules) and ('certifi' in sys.modules): pip_cert_loc = requests.certs.where() else: pip_cert_loc = ssl.get_default_verify_paths().cafile pip_status = update_certs(pip_cert_loc, loc_certs) print(" ".join(["Pip Config:", pip_status])) pip_status = ssl_pip(pth_cert=pip_cert_loc, pth_prepend="cert=") print(" ".join(["Pip Config:", pip_status])) print("Pip SSL configuration complete.") # Update AWS config (if present). Requires admin priviledges. if do_aws: if platform.system() == 'Windows': aws_cert_win = "C:\\Program Files\\Amazon\\AWSCLI\\botocore\\vendored\\requests\\cacert.pem" aws_cert_win = _path_update(aws_cert_win) print(aws_cert_win) if os.path.isfile(aws_cert_win): print("AWS CLI SSL configuration started...") aws_cert_status = update_certs(aws_cert_win, loc_certs) print(" ".join(["AWS CLI SSL config:", aws_cert_status])) print("AWS CLI SSL configuration complete.") else: print("The --aws flag only applies to windows. Skipping...")
def __init__(self, web_interface_url, user_pwd, svn_branch='trunk', svn_revision='HEAD', thread_count=1, result_poll_interval=2, user_agent=None, version=None): """ Creates a new WebInterface object. The given svn revision is resolved (e.g. 'HEAD' -> 17495). @param web_interface_url: the base URL of the VerifierCloud's web interface @param user_pwd: user name and password in the format '<user_name>:<password>' or none if no authentification is required @param svn_branch: the svn branch name or 'trunk', defaults to 'trunk' @param svn_revision: the svn revision number or 'HEAD', defaults to 'HEAD' @param thread_count: the number of threads for fetching results in parallel @param result_poll_interval: the number of seconds to wait between polling results """ if not (1 <= thread_count <= MAX_SUBMISSION_THREADS): sys.exit("Invalid number {} of client threads, needs to be between 1 and {}.".format(thread_count, MAX_SUBMISSION_THREADS)) if not 1 <= result_poll_interval: sys.exit("Poll interval {} is too small, needs to be at least 1s.".format(result_poll_interval)) if not web_interface_url[-1] == '/': web_interface_url += '/' default_headers = {'Connection': 'Keep-Alive'} if user_agent: default_headers['User-Agent'] = \ '{}/{} (Python/{} {}/{})'.format(user_agent, version, platform.python_version(), platform.system(), platform.release()) urllib.parse.urlparse(web_interface_url) # sanity check self._web_interface_url = web_interface_url logging.info('Using VerifierCloud at %s', web_interface_url) self._connection = requests.Session() self._connection.headers.update(default_headers) try: cert_paths = ssl.get_default_verify_paths() cert_path = cert_paths.cafile or cert_paths.capath # both might be None except AttributeError: # not available on old Python cert_path = None self._connection.verify = cert_path or True # make sure that verification is enabled if user_pwd: self._connection.auth = (user_pwd.split(":")[0], user_pwd.split(":")[1]) self._base64_user_pwd = base64.b64encode(user_pwd.encode("utf-8")).decode("utf-8") else: self._base64_user_pwd = None self._unfinished_runs = {} self._unfinished_runs_lock = threading.Lock() self._downloading_result_futures = {} self._download_attempts = {} self.thread_count = thread_count self._executor = ThreadPoolExecutor(thread_count) self._thread_local = threading.local() self._hash_code_cache = {} self._group_id = str(random.randint(0, 1000000)) self._read_hash_code_cache() self._resolved_tool_revision(svn_branch, svn_revision) self._tool_name = self._request_tool_name() try: self._result_downloader = SseResultDownloader(self, result_poll_interval) except: self._result_downloader = PollingResultDownloader(self, result_poll_interval)
def test_openssl(): import ssl ssl.PROTOCOL_TLSv1_2 if isosx: cafile = ssl.get_default_verify_paths().cafile if not cafile or not cafile.endswith('/mozilla-ca-certs.pem') or not os.access(cafile, os.R_OK): raise ValueError('Mozilla CA certs not loaded') fprint('SSL OK!')
def main(): openssl_dir, openssl_cafile = os.path.split( ssl.get_default_verify_paths().openssl_cafile) # no content in this folder os.listdir(openssl_dir) # non existent file print(os.path.exists(openssl_cafile)) print(platform.system().lower())
def test_openssl(): import ssl ssl.PROTOCOL_TLSv1_2 if isosx: cafile = ssl.get_default_verify_paths().cafile if not cafile or not cafile.endswith( '/mozilla-ca-certs.pem') or not os.access(cafile, os.R_OK): raise ValueError('Mozilla CA certs not loaded') fprint('SSL OK!')
def init_app(self, app): ssl_defaults = ssl.get_default_verify_paths() # Default config app.config.setdefault("LDAP_SERVER", "localhost") app.config.setdefault("LDAP_PORT", 389) app.config.setdefault("LDAP_BINDDN", None) app.config.setdefault("LDAP_SECRET", None) app.config.setdefault("LDAP_CONNECT_TIMEOUT", 10) app.config.setdefault("LDAP_READ_ONLY", False) app.config.setdefault("LDAP_VALID_NAMES", None) app.config.setdefault("LDAP_PRIVATE_KEY_PASSWORD", None) app.config.setdefault("LDAP_RAISE_EXCEPTIONS", False) app.config.setdefault("LDAP_CONNECTION_STRATEGY", SYNC) app.config.setdefault("LDAP_USE_SSL", False) app.config.setdefault("LDAP_USE_TLS", True) app.config.setdefault("LDAP_TLS_VERSION", ssl.PROTOCOL_TLSv1_2) app.config.setdefault("LDAP_REQUIRE_CERT", ssl.CERT_REQUIRED) app.config.setdefault("LDAP_CLIENT_PRIVATE_KEY", None) app.config.setdefault("LDAP_CLIENT_CERT", None) app.config.setdefault("LDAP_CA_CERTS_FILE", ssl_defaults.cafile) app.config.setdefault("LDAP_CA_CERTS_PATH", ssl_defaults.capath) app.config.setdefault("LDAP_CA_CERTS_DATA", None) app.config.setdefault("FORCE_ATTRIBUTE_VALUE_AS_LIST", False) self.tls = Tls( local_private_key_file=app.config["LDAP_CLIENT_PRIVATE_KEY"], local_certificate_file=app.config["LDAP_CLIENT_CERT"], validate=app.config["LDAP_REQUIRE_CERT"] if app.config.get("LDAP_CLIENT_CERT") else ssl.CERT_NONE, version=app.config["LDAP_TLS_VERSION"], ca_certs_file=app.config["LDAP_CA_CERTS_FILE"], valid_names=app.config["LDAP_VALID_NAMES"], ca_certs_path=app.config["LDAP_CA_CERTS_PATH"], ca_certs_data=app.config["LDAP_CA_CERTS_DATA"], local_private_key_password=app.config["LDAP_PRIVATE_KEY_PASSWORD"], ) self.ldap_server = Server( host=app.config.get("LDAP_HOST") or app.config.get("LDAP_SERVER"), port=app.config["LDAP_PORT"], use_ssl=app.config["LDAP_USE_SSL"], connect_timeout=app.config["LDAP_CONNECT_TIMEOUT"], tls=self.tls, get_info=ALL, ) # Store ldap_conn object to extensions app.extensions["ldap_conn"] = self # Teardown appcontext app.teardown_appcontext(self.teardown)
def verify_certs_chain(certs_chain: List[crypto.X509], amazon_cert: crypto.X509) -> bool: """Verifies if Amazon and additional certificates creates chain of trust to a root CA. Args: certs_chain: List of pycrypto X509 intermediate certificates from signature chain URL. amazon_cert: Pycrypto X509 Amazon certificate. Returns: result: True if verification was successful, False if not. """ store = crypto.X509Store() # add certificates from Amazon provided certs chain for cert in certs_chain: store.add_cert(cert) # add CA certificates default_verify_paths = ssl.get_default_verify_paths() default_verify_file = default_verify_paths.cafile default_verify_file = Path(default_verify_file).resolve() if default_verify_file else None default_verify_path = default_verify_paths.capath default_verify_path = Path(default_verify_path).resolve() if default_verify_path else None ca_files = [ca_file for ca_file in default_verify_path.iterdir()] if default_verify_path else [] if default_verify_file: ca_files.append(default_verify_file) for ca_file in ca_files: ca_file: Path if ca_file.is_file(): with ca_file.open('r', encoding='ascii') as crt_f: ca_certs_txt = crt_f.read() ca_certs = extract_certs(ca_certs_txt) for cert in ca_certs: store.add_cert(cert) # add CA certificates (Windows) ssl_context = ssl.create_default_context() der_certs = ssl_context.get_ca_certs(binary_form=True) pem_certs = '\n'.join([ssl.DER_cert_to_PEM_cert(der_cert) for der_cert in der_certs]) ca_certs = extract_certs(pem_certs) for ca_cert in ca_certs: store.add_cert(ca_cert) store_context = crypto.X509StoreContext(store, amazon_cert) try: store_context.verify_certificate() result = True except crypto.X509StoreContextError: result = False return result
def _configure_ssl(self, properties): if (not properties or not self._SSL_PROPS.intersection(set(iter(properties)))): return None mode = proton.SSLDomain.MODE_CLIENT if properties.get('x-ssl-server', properties.get('x-server')): mode = proton.SSLDomain.MODE_SERVER identity = properties.get('x-ssl-identity') ca_file = properties.get('x-ssl-ca-file') if (not ca_file and properties.get('x-ssl') and hasattr(ssl, 'get_default_verify_paths')): ca_file = ssl.get_default_verify_paths().cafile hostname = properties.get('x-ssl-peer-name', properties.get('hostname')) # default to most secure level of certificate validation if not ca_file: vdefault = 'no-verify' elif not hostname: vdefault = 'verify-cert' else: vdefault = 'verify-peer' vmode = properties.get('x-ssl-verify-mode', vdefault) try: vmode = self._VERIFY_MODES[vmode] except KeyError: raise proton.SSLException("bad value for x-ssl-verify-mode: '%s'" % vmode) if vmode == proton.SSLDomain.VERIFY_PEER_NAME: if not hostname or not ca_file: raise proton.SSLException("verify-peer needs x-ssl-peer-name" " and x-ssl-ca-file") elif vmode == proton.SSLDomain.VERIFY_PEER: if not ca_file: raise proton.SSLException("verify-cert needs x-ssl-ca-file") # This will throw proton.SSLUnavailable if SSL support is not installed domain = proton.SSLDomain(mode) if identity: # our identity: domain.set_credentials(identity[0], identity[1], identity[2]) if ca_file: # how we verify peers: domain.set_trusted_ca_db(ca_file) domain.set_peer_authentication(vmode, ca_file) if mode == proton.SSLDomain.MODE_SERVER: if properties.get('x-ssl-allow-cleartext'): domain.allow_unsecured_client() pn_ssl = proton.SSL(self._pn_transport, domain) if hostname: pn_ssl.peer_hostname = hostname LOG.debug("SSL configured for connection %s", self._name) return pn_ssl
def init_app(self, app): ssl_defaults = ssl.get_default_verify_paths() # Default config app.config.setdefault('LDAP_SERVER', 'localhost') app.config.setdefault('LDAP_PORT', 389) app.config.setdefault('LDAP_BINDDN', None) app.config.setdefault('LDAP_SECRET', None) app.config.setdefault('LDAP_TIMEOUT', 10) app.config.setdefault('LDAP_READ_ONLY', False) app.config.setdefault('LDAP_VALID_NAMES', None) app.config.setdefault('LDAP_PRIVATE_KEY_PASSWORD', None) app.config.setdefault('LDAP_CONNECTION_STRATEGY', SYNC) app.config.setdefault('LDAP_USE_SSL', False) app.config.setdefault('LDAP_USE_TLS', True) app.config.setdefault('LDAP_TLS_VERSION', ssl.PROTOCOL_TLSv1) app.config.setdefault('LDAP_REQUIRE_CERT', ssl.CERT_REQUIRED) app.config.setdefault('LDAP_CLIENT_PRIVATE_KEY', None) app.config.setdefault('LDAP_CLIENT_CERT', None) app.config.setdefault('LDAP_CA_CERTS_FILE', ssl_defaults.cafile) app.config.setdefault('LDAP_CA_CERTS_PATH', ssl_defaults.capath) app.config.setdefault('LDAP_CA_CERTS_DATA', None) self.tls = Tls( local_private_key_file=app.config['LDAP_CLIENT_PRIVATE_KEY'], local_certificate_file=app.config['LDAP_CLIENT_CERT'], validate=app.config['LDAP_REQUIRE_CERT'], version=app.config['LDAP_TLS_VERSION'], ca_certs_file=app.config['LDAP_CA_CERTS_FILE'], valid_names=app.config['LDAP_VALID_NAMES'], ca_certs_path=app.config['LDAP_CA_CERTS_PATH'], ca_certs_data=app.config['LDAP_CA_CERTS_DATA'], local_private_key_password=app.config['LDAP_PRIVATE_KEY_PASSWORD'] ) self.ldap_server = Server( host=app.config['LDAP_SERVER'], port=app.config['LDAP_PORT'], use_ssl=app.config['LDAP_USE_SSL'], tls=self.tls, get_info=GET_ALL_INFO ) # Store ldap_conn object to extensions app.extensions['ldap_conn'] = self # Teardown appcontext app.teardown_appcontext(self.teardown)
def _wrap_sni_socket(sock, sslopt, hostname): context = ssl.SSLContext(sslopt.get('ssl_version', ssl.PROTOCOL_SSLv23)) if sslopt.get('cert_reqs', ssl.CERT_NONE) != ssl.CERT_NONE: capath = ssl.get_default_verify_paths().capath context.load_verify_locations(cafile=sslopt.get('ca_certs', None), capath=sslopt.get('ca_cert_path', capath)) return context.wrap_socket( sock, do_handshake_on_connect=sslopt.get('do_handshake_on_connect', True), suppress_ragged_eofs=sslopt.get('suppress_ragged_eofs', True), server_hostname=hostname, )
def patch_certs(cert_path=None): """ Patch http certificates or ignore_ssl() if no certificates ca be found :param cert_path: Path to the certificate file """ if not defaults.CACERTS_DEFAULT_PATH: if cert_path: https.patch_with_certs(cert_path) else: try: from ssl import get_default_verify_paths cert_path = get_default_verify_paths().cafile or \ get_default_verify_paths().openssl_cafile except: pass if cert_path: https.patch_with_certs(cert_path) else: logger.warn("COULD NOT FIND ANY CERTIFICATES, PLEASE SET THEM IN YOUR " ".kamakirc global section, option ca_certs") https.patch_ignore_ssl()
def _initialize_tls_certificate_locations(self): """Set up initial TLS file and directory lookup locations.""" self._default_tls_verify_paths = get_default_verify_paths() try: self.set_ssl_cert_locations( self._default_tls_verify_paths.cafile, self._default_tls_verify_paths.capath, ) except GitError as git_err: valid_msg = "TLS backend doesn't support certificate locations" if str(git_err) != valid_msg: raise self._default_tls_verify_paths = None self._ssl_cert_file = None self._ssl_cert_dir = None
def __init__(self, state, *args, **kwargs): cafile = ssl.get_default_verify_paths().openssl_cafile # For some system / distribution, python can not detect system cafile path. # In such case we fallback to the default path. if not os.path.exists(cafile): cafile = '/etc/ssl/certs/ca-certificates.crt' if state.ssl_self_signed: cafile = GetTLSCertPath(state.host) ssl_options = { 'cert_reqs': ssl.CERT_REQUIRED, 'ca_certs': cafile } # ws4py does not allow you to specify SSLContext, but rather passing in the # argument of ssl.wrap_socket super(SSLEnabledWebSocketBaseClient, self).__init__( ssl_options=ssl_options, *args, **kwargs)
def test_peer_certificate_verify(self): import _ssl, ssl, gc paths = ssl.get_default_verify_paths() if not paths.capath and not paths.cafile: skip("ssl.get_default_verify_paths() failed to return any path") ctx = _ssl._SSLContext(_ssl.PROTOCOL_TLS) ctx.verify_mode = _ssl.CERT_REQUIRED ctx.load_verify_locations(capath=paths.capath, cafile=paths.cafile) ss = ctx._wrap_socket(self.s._sock, False) try: ss.do_handshake() except _ssl.SSLError as e: if e.reason == 'CERTIFICATE_VERIFY_FAILED': skip("Certificate verification failed. " "Most likely we just don't have any CA certificates.") assert ss.peer_certificate() self.s.close() del ss; gc.collect()
import gevent.queue import gevent.socket import os import six _CA_CERTS = None try: from ssl import get_default_verify_paths except ImportError: _CA_CERTS = None else: _certs = get_default_verify_paths() _CA_CERTS = _certs.cafile or _certs.capath if not _CA_CERTS or os.path.isdir(_CA_CERTS): import certifi _CA_CERTS = certifi.where() try: from ssl import _DEFAULT_CIPHERS except ImportError: # ssl._DEFAULT_CIPHERS in python2.7 branch. _DEFAULT_CIPHERS = ( 'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+HIGH:' 'DH+HIGH:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+HIGH:RSA+3DES:ECDH+RC4:' 'DH+RC4:RSA+RC4:!aNULL:!eNULL:!MD5') try: from gevent import lock except ImportError:
def default_paths(self): """ https://docs.python.org/2/library/ssl.html#ssl.get_default_verify_paths """ return ssl.get_default_verify_paths()
import ssl import sys print(ssl.get_default_verify_paths()) context = ssl.create_default_context() import socket conn = context.wrap_socket(socket.socket(socket.AF_INET), server_hostname="www.python.org") conn.connect(("www.python.org", 443)) print('OK https://www.python.org [Verified]') conn.close() conn = context.wrap_socket(socket.socket(socket.AF_INET), server_hostname="untrusted-root.badssl.com") try: conn.connect(("untrusted-root.badssl.com", 443)) except ssl.SSLError: print('OK https://untrusted-root.badssl.com [Unverified]') else: print('FAIL https://untrusted-root.badssl.com [Verified]') sys.exit(1) finally: conn.close()
import sys from distutils import sysconfig from distutils.command.install import install, SCHEME_KEYS # noqa from pip.compat import WINDOWS, expanduser from pip.utils import appdirs # if the Python we're running on is new enough to have the needed API then # we'll ask OpenSSL to give us the path to the default CA Bundle. If this API # doesn't exist or we cannot resolve the path to an existing file, then we will # simply set this to None. Setting this to None will have requests fall back # and use it's default CA Bundle logic. if getattr(ssl, "get_default_verify_paths", None): CA_BUNDLE_PATH = ssl.get_default_verify_paths().cafile else: CA_BUNDLE_PATH = None # Application Directories USER_CACHE_DIR = appdirs.user_cache_dir("pip") DELETE_MARKER_MESSAGE = '''\ This file is placed here by pip to indicate the source was put here by pip. Once this package is successfully installed this source code will be deleted (unless you remove this file). '''
def default_paths(self): return ssl.get_default_verify_paths()
from distutils.command.install import install, SCHEME_KEYS # noqa from pip.compat import WINDOWS, expanduser from pip.utils import appdirs # if the Python we're running on is new enough to have the needed API then # we'll ask OpenSSL to give us the path to the default CA Bundle. If this API # doesn't exist or we cannot resolve the path to an existing file, then we will # simply set this to None. Setting this to None will have requests fall back # and use it's default CA Bundle logic. # Ever since requests 2.9.0, requests has supported a CAPath in addition to a # CAFile, because some systems (such as Debian) have a broken CAFile currently # we'll go ahead and support both, prefering CAPath over CAfile. if getattr(ssl, "get_default_verify_paths", None): _ssl_paths = ssl.get_default_verify_paths() # Ok, this is a little hairy because system trust stores are randomly # broken in different and exciting ways and this should help fix that. # Ideally we'd just not trust the system store, however that leads end # users to be confused on systems like Debian that patch python-pip, even # inside of a virtual environment, to support the system store. This would # lead to pip trusting the system store when creating the virtual # environment, but then switching to not doing that when upgraded to a # version from PyPI. However, we can't *only* rely on the system store # because not all systems actually have one, so at the end of the day we # still need to fall back to trusting the bundled copy. # # Resolution Method: # # 1. We prefer a CAPath, however we will *only* prefer a CAPath if the
def tls_configure(sock, context, args, kwargs): # FIXME: We should convert positional arguments to named ones, to # make sure everything Just Works. # # Pop off any positional arguments that just want defaults args = list(args) while args and args[-1] is None: args.pop(-1) kwargs = copy.copy(kwargs) if (not hasattr(ssl, 'OP_NO_SSLv3')) and not context: # This build/version of Python is insecure! # Force the protocol version to TLSv1. kwargs['ssl_version'] = kwargs.get('ssl_version', ssl.PROTOCOL_TLSv1) # Per-site configuration, SNI and TOFU! hostname = None accept_certs = [] if 'server_hostname' in kwargs: hostname = '%s:%s' % (kwargs['server_hostname'], sock.getpeername()[1]) tls_settings = KNOWN_TLS_HOSTS.get(md5_hex(hostname)) # These defaults allow us to do certificate TOFU if tls_settings is not None: accept_certs = [c for c in tls_settings.accept_certs] kwargs['cert_reqs'] = ssl.CERT_NONE if context: context.check_hostname = False context.verify_mode = ssl.CERT_NONE # Attempt to configure for Certificate Authorities use_web_ca = kwargs.get('use_web_ca', tls_settings is None or tls_settings.use_web_ca) if use_web_ca: try: if context: context.load_default_certs() context.verify_mode = ssl.CERT_REQUIRED context.check_hostname = True accept_certs = None elif 'ca_certs' in kwargs: kwargs['cert_reqs'] = ssl.CERT_REQUIRED accept_certs = None elif hasattr(ssl, 'get_default_verify_paths'): kwargs['cert_reqs'] = ssl.CERT_REQUIRED kwargs['ca_certs'] = ssl.get_default_verify_paths().cafile accept_certs = None else: # Fall back to TOFU. pass except (NameError, AttributeError): # Old Python: Fall back to TOFU pass if context: del kwargs['cert_reqs'] else: # The context-less ssl.wrap_socket() doesn't understand this # argument, so get rid of it. del kwargs['server_hostname'] if 'use_web_ca' in kwargs: del kwargs['use_web_ca'] return tuple(args), kwargs, hostname, accept_certs