def _request(self, request_type, method, info=None): handler = self.apihandler + method context = SSL.Context("tlsv1") if self.insecure: # allow clients to work insecure mode if required.. context.post_connection_check = NoOpChecker() else: context.set_verify(SSL.verify_fail_if_no_peer_cert, self.ssl_verify_depth) if self.ca_dir is not None: log.debug('Loading CA PEM certificates from: %s', self.ca_dir) self._load_ca_certificates(context) if self.cert_file and os.path.exists(self.cert_file): context.load_cert(self.cert_file, keyfile=self.key_file) if self.proxy_hostname and self.proxy_port: log.debug("Using proxy: %s:%s" % (self.proxy_hostname, self.proxy_port)) conn = RhsmProxyHTTPSConnection(self.proxy_hostname, self.proxy_port, username=self.proxy_user, password=self.proxy_password, ssl_context=context) # this connection class wants the full url handler = "https://%s:%s%s" % (self.host, self.ssl_port, handler) else: conn = httpslib.HTTPSConnection(self.host, self.ssl_port, ssl_context=context) if info is not None: body = json.dumps(info) else: body = None log.debug("Making request: %s %s" % (request_type, handler)) headers = self.headers if body is None: headers = dict(self.headers.items() + {"Content-Length": "0"}.items()) try: conn.request(request_type, handler, body=body, headers=headers) except SSLError, e: if self.cert_file: id_cert = certificate.create_from_file(self.cert_file) if not id_cert.is_valid(): raise ExpiredIdentityCertException() raise e
def _request(self, request_type, method, info=None): handler = self.apihandler + method context = SSL.Context("tlsv1") if self.insecure: # allow clients to work insecure mode if required.. context.post_connection_check = NoOpChecker() else: context.set_verify(SSL.verify_fail_if_no_peer_cert, self.ssl_verify_depth) if self.ca_dir is not None: self._load_ca_certificates(context) if self.cert_file and os.path.exists(self.cert_file): context.load_cert(self.cert_file, keyfile=self.key_file) if self.proxy_hostname and self.proxy_port: log.debug("Using proxy: %s:%s" % (self.proxy_hostname, self.proxy_port)) conn = RhsmProxyHTTPSConnection(self.proxy_hostname, self.proxy_port, username=self.proxy_user, password=self.proxy_password, ssl_context=context) # this connection class wants the full url handler = "https://%s:%s%s" % (self.host, self.ssl_port, handler) else: conn = httpslib.HTTPSConnection(self.host, self.ssl_port, ssl_context=context) if info is not None: body = json.dumps(info) else: body = None log.debug("Making request: %s %s" % (request_type, handler)) headers = self.headers if body is None: headers = dict(self.headers.items() + {"Content-Length": "0"}.items()) try: conn.request(request_type, handler, body=body, headers=headers) except SSLError: if self.cert_file: id_cert = certificate.create_from_file(self.cert_file) if not id_cert.is_valid(): raise ExpiredIdentityCertException() raise response = conn.getresponse() result = { "content": response.read(), "status": response.status, } response_log = 'Response: status=' + str(result['status']) if response.getheader('x-candlepin-request-uuid'): response_log = "%s, requestUuid=%s" % (response_log, response.getheader('x-candlepin-request-uuid')) log.debug(response_log) # Look for server drift, and log a warning if drift_check(response.getheader('date')): log.warn("Clock skew detected, please check your system time") # FIXME: we should probably do this in a wrapper method # so we can use the request method for normal http self.validateResponse(result, request_type, handler) # handle empty, but succesful responses, ala 204 if not len(result['content']): return None return json.loads(result['content'], object_hook=self._decode_dict)
def _request(self, request_type, method, info=None): handler = self.apihandler + method # See M2Crypto/SSL/Context.py in m2crypto source and # https://www.openssl.org/docs/ssl/SSL_CTX_new.html # This ends up invoking SSLv23_method, which is the catch all # "be compatible" protocol, even though it explicitly is not # using sslv2. This will by default potentially include sslv3 # if not used with post-poodle openssl. If however, the server # intends to not offer sslv3, it's workable. # # So this supports tls1.2, 1.1, 1.0, and/or sslv3 if supported. context = SSL.Context("sslv23") # Disable SSLv2 and SSLv3 support to avoid poodles. context.set_options(m2.SSL_OP_NO_SSLv2 | m2.SSL_OP_NO_SSLv3) if self.insecure: # allow clients to work insecure mode if required.. context.post_connection_check = NoOpChecker() else: # Proper peer verification is essential to prevent MITM attacks. context.set_verify( SSL.verify_peer | SSL.verify_fail_if_no_peer_cert, self.ssl_verify_depth) if self.ca_dir is not None: self._load_ca_certificates(context) if self.cert_file and os.path.exists(self.cert_file): context.load_cert(self.cert_file, keyfile=self.key_file) if self.proxy_hostname and self.proxy_port: log.debug("Using proxy: %s:%s" % (self.proxy_hostname, self.proxy_port)) conn = RhsmProxyHTTPSConnection(self.proxy_hostname, self.proxy_port, username=self.proxy_user, password=self.proxy_password, ssl_context=context) # this connection class wants the full url handler = "https://%s:%s%s" % (self.host, self.ssl_port, handler) else: conn = httpslib.HTTPSConnection(self.host, self.ssl_port, ssl_context=context) if info is not None: body = json.dumps(info, default=json.encode) else: body = None log.debug("Making request: %s %s" % (request_type, handler)) if self.user_agent: self.headers['User-Agent'] = self.user_agent headers = self.headers if body is None: headers = dict(self.headers.items() + {"Content-Length": "0"}.items()) # NOTE: alters global timeout_altered (and socket timeout) set_default_socket_timeout_if_python_2_3() try: conn.request(request_type, handler, body=body, headers=headers) except SSLError: if self.cert_file: id_cert = certificate.create_from_file(self.cert_file) if not id_cert.is_valid(): raise ExpiredIdentityCertException() raise response = conn.getresponse() result = { "content": response.read(), "status": response.status, "headers": dict(response.getheaders()) } response_log = 'Response: status=' + str(result['status']) if response.getheader('x-candlepin-request-uuid'): response_log = "%s, requestUuid=%s" % (response_log, response.getheader('x-candlepin-request-uuid')) log.debug(response_log) # Look for server drift, and log a warning if drift_check(response.getheader('date')): log.warn("Clock skew detected, please check your system time") # FIXME: we should probably do this in a wrapper method # so we can use the request method for normal http self.validateResponse(result, request_type, handler) # handle empty, but succesful responses, ala 204 if not len(result['content']): return None return json.loads(result['content'], object_hook=self._decode_dict)
def _request(self, request_type, method, info=None): handler = self.apihandler + method # See M2Crypto/SSL/Context.py in m2crypto source and # https://www.openssl.org/docs/ssl/SSL_CTX_new.html # This ends up invoking SSLv23_method, which is the catch all # "be compatible" protocol, even though it explicitly is not # using sslv2. This will by default potentially include sslv3 # if not used with post-poodle openssl. If however, the server # intends to not offer sslv3, it's workable. # # So this supports tls1.2, 1.1, 1.0, and/or sslv3 if supported. context = SSL.Context("sslv23") # Disable SSLv2 and SSLv3 support to avoid poodles. context.set_options(m2.SSL_OP_NO_SSLv2 | m2.SSL_OP_NO_SSLv3) if self.insecure: # allow clients to work insecure mode if required.. context.post_connection_check = NoOpChecker() else: # Proper peer verification is essential to prevent MITM attacks. context.set_verify( SSL.verify_peer | SSL.verify_fail_if_no_peer_cert, self.ssl_verify_depth) if self.ca_dir is not None: self._load_ca_certificates(context) if self.cert_file and os.path.exists(self.cert_file): context.load_cert(self.cert_file, keyfile=self.key_file) if self.proxy_hostname and self.proxy_port: log.debug("Using proxy: %s:%s" % (self.proxy_hostname, self.proxy_port)) conn = RhsmProxyHTTPSConnection(self.proxy_hostname, self.proxy_port, username=self.proxy_user, password=self.proxy_password, ssl_context=context) # this connection class wants the full url handler = "https://%s:%s%s" % (self.host, self.ssl_port, handler) else: conn = httpslib.HTTPSConnection(self.host, self.ssl_port, ssl_context=context) if info is not None: body = json.dumps(info, default=json.encode) else: body = None log.debug("Making request: %s %s" % (request_type, handler)) headers = self.headers if body is None: headers = dict(self.headers.items() + {"Content-Length": "0"}.items()) # NOTE: alters global timeout_altered (and socket timeout) set_default_socket_timeout_if_python_2_3() try: conn.request(request_type, handler, body=body, headers=headers) except SSLError: if self.cert_file: id_cert = certificate.create_from_file(self.cert_file) if not id_cert.is_valid(): raise ExpiredIdentityCertException() raise response = conn.getresponse() result = { "content": response.read(), "status": response.status, } response_log = 'Response: status=' + str(result['status']) if response.getheader('x-candlepin-request-uuid'): response_log = "%s, requestUuid=%s" % (response_log, response.getheader('x-candlepin-request-uuid')) log.debug(response_log) # Look for server drift, and log a warning if drift_check(response.getheader('date')): log.warn("Clock skew detected, please check your system time") # FIXME: we should probably do this in a wrapper method # so we can use the request method for normal http self.validateResponse(result, request_type, handler) # handle empty, but succesful responses, ala 204 if not len(result['content']): return None return json.loads(result['content'], object_hook=self._decode_dict)