def _wrap3k(self, sock, server_hostname):
context = _SSLContext(self.protocol)
if self.cert_reqs:
context.verify_mode = self.cert_reqs
if self.ca_certs:
try:
context.load_verify_locations(self.ca_certs)
# Py32 raises IOError
# Py33 raises FileNotFoundError
except Exception as e: # Re-raise as SSLError
raise SSLError(e)
if self.certfile:
# FIXME: This block needs a test.
context.load_cert_chain(self.certfile, self.keyfile)
if HAS_SNI: # Platform-specific: OpenSSL with enabled SNI
return partial(context.wrap_socket, sock,
server_hostname=server_hostname)
else: # pragma nocover
return partial(context.wrap_socket, sock)
def _wrap3k(self, sock, server_hostname):
context = _SSLContext(self.protocol)
if self.cert_reqs:
context.verify_mode = self.cert_reqs
if self.ca_certs:
try:
context.load_verify_locations(self.ca_certs)
# Py32 raises IOError
# Py33 raises FileNotFoundError
except Exception as e: # Re-raise as SSLError
raise SSLError(e)
if self.certfile:
# FIXME: This block needs a test.
context.load_cert_chain(self.certfile, self.keyfile)
if HAS_SNI: # Platform-specific: OpenSSL with enabled SNI
return partial(context.wrap_socket, sock,
server_hostname=server_hostname)
else: # pragma nocover
return partial(context.wrap_socket, sock)
def __init__(self,
pair,
max_size,
net_timeout,
conn_timeout,
use_ssl,
use_greenlets,
ssl_keyfile=None,
ssl_certfile=None,
ssl_cert_reqs=None,
ssl_ca_certs=None,
wait_queue_timeout=None,
wait_queue_multiple=None,
socket_keepalive=False,
ssl_match_hostname=True):
"""
:Parameters:
- `pair`: a (hostname, port) tuple
- `max_size`: The maximum number of open sockets. Calls to
`get_socket` will block if this is set, this pool has opened
`max_size` sockets, and there are none idle. Set to `None` to
disable.
- `net_timeout`: timeout in seconds for operations on open connection
- `conn_timeout`: timeout in seconds for establishing connection
- `use_ssl`: bool, if True use an encrypted connection
- `use_greenlets`: bool, if True then start_request() assigns a
socket to the current greenlet - otherwise it is assigned to the
current thread
- `ssl_keyfile`: The private keyfile used to identify the local
connection against mongod. If included with the ``certfile` then
only the ``ssl_certfile`` is needed. Implies ``ssl=True``.
- `ssl_certfile`: The certificate file used to identify the local
connection against mongod. Implies ``ssl=True``.
- `ssl_cert_reqs`: Specifies whether a certificate is required from
the other side of the connection, and whether it will be validated
if provided. It must be one of the three values ``ssl.CERT_NONE``
(certificates ignored), ``ssl.CERT_OPTIONAL``
(not required, but validated if provided), or ``ssl.CERT_REQUIRED``
(required and validated). If the value of this parameter is not
``ssl.CERT_NONE``, then the ``ssl_ca_certs`` parameter must point
to a file of CA certificates. Implies ``ssl=True``.
- `ssl_ca_certs`: The ca_certs file contains a set of concatenated
"certification authority" certificates, which are used to validate
certificates passed from the other end of the connection.
Implies ``ssl=True``.
- `wait_queue_timeout`: (integer) How long (in seconds) a
thread will wait for a socket from the pool if the pool has no
free sockets.
- `wait_queue_multiple`: (integer) Multiplied by max_pool_size to give
the number of threads allowed to wait for a socket at one time.
- `socket_keepalive`: (boolean) Whether to send periodic keep-alive
packets on connected sockets. Defaults to ``False`` (do not send
keep-alive packets).
- `ssl_match_hostname`: If ``True`` (the default), and
`ssl_cert_reqs` is not ``ssl.CERT_NONE``, enables hostname
verification using the :func:`~ssl.match_hostname` function from
python's :mod:`~ssl` module. Think very carefully before setting
this to ``False`` as that could make your application vulnerable to
man-in-the-middle attacks.
"""
# Only check a socket's health with _closed() every once in a while.
# Can override for testing: 0 to always check, None to never check.
self._check_interval_seconds = 1
self.sockets = set()
self.lock = threading.Lock()
# Keep track of resets, so we notice sockets created before the most
# recent reset and close them.
self.pool_id = 0
self.pid = os.getpid()
self.pair = pair
self.max_size = max_size
self.net_timeout = net_timeout
self.conn_timeout = conn_timeout
self.wait_queue_timeout = wait_queue_timeout
self.wait_queue_multiple = wait_queue_multiple
self.socket_keepalive = socket_keepalive
self.ssl_ctx = None
self.ssl_match_hostname = ssl_match_hostname
if HAS_SSL and use_ssl:
# PROTOCOL_TLS_CLIENT added and PROTOCOL_SSLv23
# deprecated in CPython 3.6
self.ssl_ctx = _SSLContext(
getattr(ssl, 'PROTOCOL_TLS_CLIENT', ssl.PROTOCOL_SSLv23))
# SSLContext.check_hostname was added in 2.7.9 and 3.4. Using it
# forces the use of SNI, which PyMongo 2.x doesn't support.
# PROTOCOL_TLS_CLIENT enables this by default. Since we call
# match_hostname directly disable this explicitly.
if hasattr(self.ssl_ctx, "check_hostname"):
self.ssl_ctx.check_hostname = False
# load_cert_chain and load_verify_locations can fail
# if the file contents are invalid.
if ssl_certfile is not None:
try:
self.ssl_ctx.load_cert_chain(ssl_certfile, ssl_keyfile)
except ssl.SSLError:
pass
if ssl_ca_certs is not None:
try:
self.ssl_ctx.load_verify_locations(ssl_ca_certs)
except ssl.SSLError:
pass
# PROTOCOL_TLS_CLIENT sets verify_mode to CERT_REQUIRED so
# we always have to set this explicitly.
if ssl_cert_reqs is not None:
self.ssl_ctx.verify_mode = ssl_cert_reqs
else:
self.ssl_ctx.verify_mode = ssl.CERT_NONE
# Map self._ident.get() -> request socket
self._tid_to_sock = {}
if use_greenlets and not thread_util.have_gevent:
raise ConfigurationError("The Gevent module is not available. "
"Install the gevent package from PyPI.")
self._ident = thread_util.create_ident(use_greenlets)
# Count the number of calls to start_request() per thread or greenlet
self._request_counter = thread_util.Counter(use_greenlets)
if self.wait_queue_multiple is None or self.max_size is None:
max_waiters = None
else:
max_waiters = self.max_size * self.wait_queue_multiple
self._socket_semaphore = thread_util.create_semaphore(
self.max_size, max_waiters, use_greenlets)
def __init__(self, sock, keyfile=None, certfile=None,
server_side=False, cert_reqs=CERT_NONE,
ssl_version=PROTOCOL_SSLv23, ca_certs=None,
do_handshake_on_connect=True,
suppress_ragged_eofs=True,
ciphers=None, server_hostname=None, _context=None):
socket.__init__(self, _sock=sock)
if certfile and not keyfile:
keyfile = certfile
# see if it's connected
try:
socket.getpeername(self)
except socket_error as e:
if e.args[0] != errno.ENOTCONN:
raise
# no, no connection yet
self._sslobj = None
else:
# yes, create the SSL object
if six.PY3:
self._sslobj = None
if _context:
self.context = _context
else:
if server_side and not certfile:
raise ValueError("certfile must be specified for server-side operations")
if keyfile and not certfile:
raise ValueError("certfile must be specified")
if certfile and not keyfile:
keyfile = certfile
self.context = __ssl__._SSLContext(ssl_version)
self.context.verify_mode = cert_reqs
if ca_certs:
self.context.load_verify_locations(ca_certs)
if certfile:
self.context.load_cert_chain(certfile, keyfile)
if ciphers:
self.context.set_ciphers(ciphers)
if server_side and server_hostname:
raise ValueError("server_hostname can only be specified in client mode")
self.server_hostname = server_hostname
try:
self._sslobj = self.context._wrap_socket(self._sock, server_side, server_hostname)
except socket_error:
self.close()
raise
else:
if ciphers is None:
self._sslobj = _ssl.sslwrap(self._sock, server_side,
keyfile, certfile,
cert_reqs, ssl_version, ca_certs)
else:
self._sslobj = _ssl.sslwrap(self._sock, server_side,
keyfile, certfile,
cert_reqs, ssl_version, ca_certs,
ciphers)
if do_handshake_on_connect:
self.do_handshake()
self.keyfile = keyfile
self.certfile = certfile
self.cert_reqs = cert_reqs
self.ssl_version = ssl_version
self.ca_certs = ca_certs
self.ciphers = ciphers
self.do_handshake_on_connect = do_handshake_on_connect
self.suppress_ragged_eofs = suppress_ragged_eofs
self._makefile_refs = 0
def __init__(self,
sock,
keyfile=None,
certfile=None,
server_side=False,
cert_reqs=CERT_NONE,
ssl_version=PROTOCOL_SSLv23,
ca_certs=None,
do_handshake_on_connect=True,
suppress_ragged_eofs=True,
ciphers=None,
server_hostname=None,
_context=None):
socket.__init__(self, _sock=sock)
if certfile and not keyfile:
keyfile = certfile
# see if it's connected
try:
socket.getpeername(self)
except socket_error as e:
if e.args[0] != errno.ENOTCONN:
raise
# no, no connection yet
self._sslobj = None
else:
# yes, create the SSL object
if six.PY3:
self._sslobj = None
if _context:
self.context = _context
else:
if server_side and not certfile:
raise ValueError(
"certfile must be specified for server-side operations"
)
if keyfile and not certfile:
raise ValueError("certfile must be specified")
if certfile and not keyfile:
keyfile = certfile
self.context = __ssl__._SSLContext(ssl_version)
self.context.verify_mode = cert_reqs
if ca_certs:
self.context.load_verify_locations(ca_certs)
if certfile:
self.context.load_cert_chain(certfile, keyfile)
if ciphers:
self.context.set_ciphers(ciphers)
if server_side and server_hostname:
raise ValueError(
"server_hostname can only be specified in client mode")
self.server_hostname = server_hostname
try:
self._sslobj = self.context._wrap_socket(
self._sock, server_side, server_hostname)
except socket_error:
self.close()
raise
else:
if ciphers is None:
self._sslobj = _ssl.sslwrap(self._sock, server_side,
keyfile, certfile, cert_reqs,
ssl_version, ca_certs)
else:
self._sslobj = _ssl.sslwrap(self._sock, server_side,
keyfile, certfile, cert_reqs,
ssl_version, ca_certs, ciphers)
if do_handshake_on_connect:
self.do_handshake()
self.keyfile = keyfile
self.certfile = certfile
self.cert_reqs = cert_reqs
self.ssl_version = ssl_version
self.ca_certs = ca_certs
self.ciphers = ciphers
self.do_handshake_on_connect = do_handshake_on_connect
self.suppress_ragged_eofs = suppress_ragged_eofs
self._makefile_refs = 0