def connect(self): # Yup, copied in VerifiedHTTPSConnection.connect just to change the # default cipher list. # Add certificate verification conn = self._new_conn() resolved_cert_reqs = ssl_.resolve_cert_reqs(self.cert_reqs) resolved_ssl_version = ssl_.resolve_ssl_version(self.ssl_version) hostname = self.host if getattr(self, '_tunnel_host', None): # _tunnel_host was added in Python 2.6.3 # (See: http://hg.python.org/cpython/rev/0f57b30a152f) self.sock = conn # Calls self._set_hostport(), so self.host is # self._tunnel_host below. self._tunnel() # Mark this connection as not reusable self.auto_open = 0 # Override the host with the one we're requesting data from. hostname = self._tunnel_host is_time_off = datetime.date.today() < urllib3.connection.RECENT_DATE if is_time_off: warnings.warn(( 'System time is way off (before {0}). This will probably ' 'lead to SSL verification errors').format( urllib3.connection.RECENT_DATE), SystemTimeWarning ) # Wrap socket using verification with the root certs in # trusted_root_certs self.sock = ssl_.ssl_wrap_socket(conn, self.key_file, self.cert_file, cert_reqs=resolved_cert_reqs, ca_certs=self.ca_certs, server_hostname=hostname, ssl_version=resolved_ssl_version, ciphers=self.ciphers) if self.assert_fingerprint: ssl_.assert_fingerprint(self.sock.getpeercert(binary_form=True), self.assert_fingerprint) elif resolved_cert_reqs != ssl.CERT_NONE \ and self.assert_hostname is not False: cert = self.sock.getpeercert() if not cert.get('subjectAltName', ()): warnings.warn(( 'Certificate has no `subjectAltName`, falling back to check for a `commonName` for now. ' 'This feature is being removed by major browsers and deprecated by RFC 2818. ' '(See https://github.com/shazow/urllib3/issues/497 for details.)'), SecurityWarning ) match_hostname(cert, self.assert_hostname or hostname) self.is_verified = (resolved_cert_reqs == ssl.CERT_REQUIRED or self.assert_fingerprint is not None)
def connect(self): # Yup, copied in VerifiedHTTPSConnection.connect just to change the # default cipher list. # Add certificate verification conn = self._new_conn() resolved_cert_reqs = ssl_.resolve_cert_reqs(self.cert_reqs) resolved_ssl_version = ssl_.resolve_ssl_version(self.ssl_version) hostname = self.host if getattr(self, '_tunnel_host', None): # _tunnel_host was added in Python 2.6.3 # (See: http://hg.python.org/cpython/rev/0f57b30a152f) self.sock = conn # Calls self._set_hostport(), so self.host is # self._tunnel_host below. self._tunnel() # Mark this connection as not reusable self.auto_open = 0 # Override the host with the one we're requesting data from. hostname = self._tunnel_host is_time_off = datetime.date.today() < urllib3.connection.RECENT_DATE if is_time_off: warnings.warn(( 'System time is way off (before {0}). This will probably ' 'lead to SSL verification errors').format( urllib3.connection.RECENT_DATE), SystemTimeWarning ) # Wrap socket using verification with the root certs in # trusted_root_certs self.sock = ssl_.ssl_wrap_socket(conn, self.key_file, self.cert_file, cert_reqs=resolved_cert_reqs, ca_certs=self.ca_certs, server_hostname=hostname, ssl_version=resolved_ssl_version, ciphers=self.ciphers) if self.assert_fingerprint: ssl_.assert_fingerprint(self.sock.getpeercert(binary_form=True), self.assert_fingerprint) elif resolved_cert_reqs != ssl.CERT_NONE \ and self.assert_hostname is not False: cert = self.sock.getpeercert() if not cert.get('subjectAltName', ()): warnings.warn(( 'Certificate has no `subjectAltName`, falling back to check for a `commonName` for now. ' 'This feature is being removed by major browsers and deprecated by RFC 2818. ' '(See https://github.com/shazow/urllib3/issues/497 for details.)'), SecurityWarning ) match_hostname(cert, self.assert_hostname or hostname) self.is_verified = (resolved_cert_reqs == ssl.CERT_REQUIRED or self.assert_fingerprint is not None)
def ssl_wrap_socket_with_ocsp(*args, **kwargs): # Extract host_name hostname_index = get_args( ssl_.ssl_wrap_socket).args.index('server_hostname') server_hostname = args[hostname_index] if len( args) > hostname_index else kwargs.get('server_hostname', None) # Remove context if present ssl_context_index = get_args( ssl_.ssl_wrap_socket).args.index('ssl_context') context_in_args = len(args) > ssl_context_index ssl_context = args[hostname_index] if context_in_args else kwargs.get( 'ssl_context', None) if not isinstance(ssl_context, PyOpenSSLContext): # Create new default context if context_in_args: new_args = list(args) new_args[ssl_context_index] = None args = tuple(new_args) else: del kwargs['ssl_context'] # Fix ca certs location ca_certs_index = get_args(ssl_.ssl_wrap_socket).args.index('ca_certs') ca_certs_in_args = len(args) > ca_certs_index if not ca_certs_in_args and not kwargs.get('ca_certs'): kwargs['ca_certs'] = certifi.where() ret = ssl_.ssl_wrap_socket(*args, **kwargs) global FEATURE_OCSP_MODE global FEATURE_OCSP_RESPONSE_CACHE_FILE_NAME if PY2: # Python 2 uses pyasn1 for workaround. For some reason, asn1crypto # fails to parse OCSP response in Python 2. from .ocsp_pyasn1 import SnowflakeOCSPPyasn1 as SFOCSP else: from .ocsp_asn1crypto import SnowflakeOCSPAsn1Crypto as SFOCSP log.debug(u'OCSP Mode: %s, ' u'OCSP response cache file name: %s', FEATURE_OCSP_MODE.name, FEATURE_OCSP_RESPONSE_CACHE_FILE_NAME) if FEATURE_OCSP_MODE != OCSPMode.INSECURE: v = SFOCSP( ocsp_response_cache_uri=FEATURE_OCSP_RESPONSE_CACHE_FILE_NAME, use_fail_open=FEATURE_OCSP_MODE == OCSPMode.FAIL_OPEN).validate( server_hostname, ret.connection) if not v: raise OperationalError( msg=(u'The certificate is revoked or ' u'could not be validated: hostname={0}'.format( server_hostname)), errno=ER_SERVER_CERTIFICATE_REVOKED) else: log.info(u'THIS CONNECTION IS IN INSECURE ' u'MODE. IT MEANS THE CERTIFICATE WILL BE ' u'VALIDATED BUT THE CERTIFICATE REVOCATION ' u'STATUS WILL NOT BE CHECKED.') return ret
def _ssl_wrap_socket(sock, keyfile=None, certfile=None, cert_reqs=None, ca_certs=None, server_hostname=None, ssl_version=None, ciphers=None, ssl_context=None, ca_cert_dir=None): return ssl_.ssl_wrap_socket(sock, keyfile=keyfile, certfile=certfile, cert_reqs=cert_reqs, ca_certs=ca_certs, server_hostname=_target_host, ssl_version=ssl_version, ciphers=ciphers, ssl_context=ssl_context, ca_cert_dir=ca_cert_dir)
def new_connect(self, **httplib_request_kw): # Add certificate verification conn = self._new_conn() import datetime hostname = self.host if getattr(self, '_tunnel_host', None): # _tunnel_host was added in Python 2.6.3 # (See: http://hg.python.org/cpython/rev/0f57b30a152f) self.sock = conn # Calls self._set_hostport(), so self.host is # self._tunnel_host below. self._tunnel() # Mark this connection as not reusable self.auto_open = 0 # Override the host with the one we're requesting data from. hostname = self._tunnel_host if 'Host' in httplib_request_kw['headers']: hostname = httplib_request_kw['headers']['Host'] # Wrap socket using verification with the root certs in # trusted_root_certs if self.ssl_context is None: self.ssl_context = create_urllib3_context( ssl_version=resolve_ssl_version(self.ssl_version), cert_reqs=resolve_cert_reqs(self.cert_reqs), ) context = self.ssl_context context.verify_mode = resolve_cert_reqs(self.cert_reqs) self.sock = ssl_wrap_socket(sock=conn, keyfile=self.key_file, certfile=self.cert_file, ca_certs=self.ca_certs, ca_cert_dir=self.ca_cert_dir, server_hostname=hostname, ssl_context=context) if self.assert_fingerprint: assert_fingerprint(self.sock.getpeercert(binary_form=True), self.assert_fingerprint) elif context.verify_mode != ssl.CERT_NONE \ and self.assert_hostname is not False: cert = self.sock.getpeercert() if not cert.get('subjectAltName', ()): warnings.warn(( 'Certificate for {0} has no `subjectAltName`, falling back to check for a ' '`commonName` for now. This feature is being removed by major browsers and ' 'deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 ' 'for details.)'.format(hostname)), SubjectAltNameWarning) _match_hostname(cert, self.assert_hostname or hostname) self.is_verified = (context.verify_mode == ssl.CERT_REQUIRED or self.assert_fingerprint is not None)
def connect(self): # Add certificate verification conn = self._new_conn() resolved_cert_reqs = ssl_.resolve_cert_reqs(self.cert_reqs) resolved_ssl_version = ssl_.resolve_ssl_version(self.ssl_version) hostname = self.host if getattr(self, "_tunnel_host", None): # _tunnel_host was added in Python 2.6.3 # (See: # http://hg.python.org/cpython/rev/0f57b30a152f) # # However this check is still necessary in 2.7.x self.sock = conn # Calls self._set_hostport(), so self.host is # self._tunnel_host below. self._tunnel() # Mark this connection as not reusable self.auto_open = 0 # Override the host with the one we're requesting data from. hostname = self._tunnel_host # Wrap socket using verification with the root certs in trusted_root_certs self.sock = ssl_.ssl_wrap_socket( conn, self.key_file, self.cert_file, cert_reqs=resolved_cert_reqs, ca_certs=self.ca_certs, server_hostname=hostname, ssl_version=resolved_ssl_version, ciphers=self.ciphers, ) if self.assert_fingerprint: ssl_.assert_fingerprint(self.sock.getpeercert(binary_form=True), self.assert_fingerprint) elif resolved_cert_reqs != ssl.CERT_NONE and self.assert_hostname is not False: cert = self.sock.getpeercert() if not cert.get("subjectAltName", ()): warnings.warn( ( "Certificate has no `subjectAltName`, falling back to check for a `commonName` for now. " "This feature is being removed by major browsers and deprecated by RFC 2818. " "(See https://github.com/shazow/urllib3/issues/497 for details.)" ), SecurityWarning, ) match_hostname(cert, self.assert_hostname or hostname) self.is_verified = resolved_cert_reqs == ssl.CERT_REQUIRED or self.assert_fingerprint is not None
def connect(self): # Add certificate verification conn = self._new_conn() resolved_cert_reqs = ssl_.resolve_cert_reqs(self.cert_reqs) resolved_ssl_version = ssl_.resolve_ssl_version(self.ssl_version) hostname = self.host if getattr(self, '_tunnel_host', None): # _tunnel_host was added in Python 2.6.3 # (See: # http://hg.python.org/cpython/rev/0f57b30a152f) # # However this check is still necessary in 2.7.x self.sock = conn # Calls self._set_hostport(), so self.host is # self._tunnel_host below. self._tunnel() # Mark this connection as not reusable self.auto_open = 0 # Override the host with the one we're requesting data from. hostname = self._tunnel_host # Wrap socket using verification with the root certs in trusted_root_certs self.sock = ssl_.ssl_wrap_socket(conn, self.key_file, self.cert_file, cert_reqs=resolved_cert_reqs, ca_certs=self.ca_certs, server_hostname=hostname, ssl_version=resolved_ssl_version, ciphers=self.ciphers) if self.assert_fingerprint: ssl_.assert_fingerprint(self.sock.getpeercert(binary_form=True), self.assert_fingerprint) elif resolved_cert_reqs != ssl.CERT_NONE \ and self.assert_hostname is not False: cert = self.sock.getpeercert() if not cert.get('subjectAltName', ()): warnings.warn(( 'Certificate has no `subjectAltName`, falling back to check for a `commonName` for now. ' 'This feature is being removed by major browsers and deprecated by RFC 2818. ' '(See https://github.com/shazow/urllib3/issues/497 for details.)' ), SecurityWarning) match_hostname(cert, self.assert_hostname or hostname) self.is_verified = (resolved_cert_reqs == ssl.CERT_REQUIRED or self.assert_fingerprint is not None)
def ssl_wrap_socket_with_ocsp(sock, keyfile=None, certfile=None, ca_certs=None, ca_cert_dir=None, server_hostname=None, ssl_context=None): ret = ssl_.ssl_wrap_socket(sock, keyfile=keyfile, certfile=certfile, ca_certs=ca_certs, ca_cert_dir=ca_cert_dir, server_hostname=server_hostname) global FEATURE_OCSP_MODE global FEATURE_OCSP_RESPONSE_CACHE_FILE_NAME if PY2: # Python 2 uses pyasn1 for workaround. For some reason, asn1crypto # fails to parse OCSP response in Python 2. from .ocsp_pyasn1 import SnowflakeOCSPPyasn1 as SFOCSP else: from .ocsp_asn1crypto import SnowflakeOCSPAsn1Crypto as SFOCSP log.debug(u'OCSP Mode: %s, ' u'OCSP response cache file name: %s', FEATURE_OCSP_MODE.name, FEATURE_OCSP_RESPONSE_CACHE_FILE_NAME) if FEATURE_OCSP_MODE != OCSPMode.INSECURE: v = SFOCSP( ocsp_response_cache_uri=FEATURE_OCSP_RESPONSE_CACHE_FILE_NAME, use_fail_open=FEATURE_OCSP_MODE == OCSPMode.FAIL_OPEN).validate( server_hostname, ret.connection) if not v: raise OperationalError( msg=(u'The certificate is revoked or ' u'could not be validated: hostname={0}'.format( server_hostname)), errno=ER_SERVER_CERTIFICATE_REVOKED) else: log.info(u'THIS CONNECTION IS IN INSECURE ' u'MODE. IT MEANS THE CERTIFICATE WILL BE ' u'VALIDATED BUT THE CERTIFICATE REVOCATION ' u'STATUS WILL NOT BE CHECKED.') return ret
def connect(self): # Add certificate verification conn = self._new_conn() resolved_cert_reqs = ssl_.resolve_cert_reqs(self.cert_reqs) resolved_ssl_version = ssl_.resolve_ssl_version(self.ssl_version) hostname = self.host self.sock = conn # Calls self._set_hostport(), so self.host is # self._tunnel_host below. self._tunnel() # Mark this connection as not reusable self.auto_open = 0 # Override the host with the one we're requesting data from. hostname = self._tunnel_host # Wrap socket using verification with the root certs in trusted_root_certs self.sock = ssl_.ssl_wrap_socket(conn, self.key_file, self.cert_file, cert_reqs=resolved_cert_reqs, ca_certs=self.ca_certs, server_hostname=hostname, ssl_version=resolved_ssl_version, ciphers=self.ciphers) if self.assert_fingerprint: ssl_.assert_fingerprint(self.sock.getpeercert(binary_form=True), self.assert_fingerprint) elif resolved_cert_reqs != ssl.CERT_NONE \ and self.assert_hostname is not False: cert = self.sock.getpeercert() if not cert.get('subjectAltName', ()): warnings.warn(( 'Certificate has no `subjectAltName`, falling back to check for a `commonName` for now. ' 'This feature is being removed by major browsers and deprecated by RFC 2818. ' '(See https://github.com/shazow/urllib3/issues/497 for details.)'), SecurityWarning ) match_hostname(cert, self.assert_hostname or hostname) self.is_verified = (resolved_cert_reqs == ssl.CERT_REQUIRED or self.assert_fingerprint is not None)
def connect(self): conn = self._new_conn() resolved_cert_reqs = ssl_.resolve_cert_reqs(self.cert_reqs) resolved_ssl_version = ssl_.resolve_ssl_version(self.ssl_version) hostname = self.host if getattr(self, '_tunnel_host', None): self.sock = conn self._tunnel() self.auto_open = 0 hostname = self._tunnel_host self.sock = ssl_.ssl_wrap_socket(conn, self.key_file, self.cert_file, cert_reqs=resolved_cert_reqs, ca_certs=self.ca_certs, server_hostname=hostname, ssl_version=resolved_ssl_version, ciphers=self.ciphers) if self.assert_fingerprint: ssl_.assert_fingerprint(self.sock.getpeercert(binary_form=True), self.assert_fingerprint) elif resolved_cert_reqs != ssl.CERT_NONE \ and self.assert_hostname is not False: cert = self.sock.getpeercert() if not cert.get('subjectAltName', ()): warnings.warn(( 'Certificate has no `subjectAltName`, falling back to check for a `commonName` for now. ' 'This feature is being removed by major browsers and deprecated by RFC 2818. ' '(See https://github.com/shazow/urllib3/issues/497 for details.)' ), SecurityWarning) match_hostname(cert, self.assert_hostname or hostname) self.is_verified = (resolved_cert_reqs == ssl.CERT_REQUIRED or self.assert_fingerprint is not None)