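def _build_ssl_options(self):
    '''Create the SSL options.

    The options must be accepted by the `ssl` module.

    Certificate validation is requested (``CERT_REQUIRED`` plus the CA
    bundle returned by ``self._load_ca_certs()``) only when
    ``check_certificate`` is set. Otherwise ``CERT_NONE`` is used: the
    peer certificate is not validated, so the connection offers no
    protection against an active man-in-the-middle.

    Returns:
        dict
    '''
    args = self._args
    ssl_options = {}

    if args.check_certificate:
        # NOTE(review): cert_reqs only asks for chain validation. Whether
        # the host name is also matched depends on the code that consumes
        # this dict - confirm against the caller.
        ssl_options['cert_reqs'] = ssl.CERT_REQUIRED
        ssl_options['ca_certs'] = self._load_ca_certs()
    else:
        ssl_options['cert_reqs'] = ssl.CERT_NONE

    ssl_options['ssl_version'] = args.secure_protocol

    if args.certificate:
        # Client certificate; the private key path is passed through as
        # given, even when it is None.
        ssl_options['certfile'] = args.certificate
        ssl_options['keyfile'] = args.private_key

    if args.edg_file:
        # ssl.RAND_egd is not present in every build of the ssl module
        # (it is missing with LibreSSL and with recent OpenSSL/Python
        # versions). Looking it up first avoids an AttributeError.
        rand_egd = getattr(ssl, 'RAND_egd', None)
        if rand_egd is None:
            import warnings
            warnings.warn(
                'ssl.RAND_egd is not available in this Python build; '
                'ignoring the EGD socket and relying on OpenSSL\'s own '
                'seeding.',
                RuntimeWarning,
            )
        else:
            rand_egd(args.edg_file)

    if args.random_file:
        with open(args.random_file, 'rb') as in_file:
            # Use 16KB because Wget. The previous literal, 15360, was
            # only 15 KiB. The entropy estimate stays 0.0, so the file
            # content is mixed in without being credited as randomness.
            ssl.RAND_add(in_file.read(16 * 1024), 0.0)

    return ssl_options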
def testRAND(self):
    """Exercise the ssl module's RAND_status, RAND_egd and RAND_add calls."""
    status = ssl.RAND_status()
    if support.verbose:
        if status:
            verdict = "sufficient randomness"
        else:
            verdict = "insufficient randomness"
        sys.stdout.write("\n RAND_status is %d (%s)\n" % (status, verdict))

    # RAND_egd takes a socket path, so an int argument should be
    # rejected with TypeError. A missing TypeError is only printed here,
    # it does not fail the test.
    rejected = False
    try:
        ssl.RAND_egd(1)
    except TypeError:
        rejected = True
    if not rejected:
        print("didn't raise TypeError")

    # The 75.0 entropy estimate is attached to a fixed, publicly known
    # string. This only exercises the call; real seeding code must not
    # credit entropy to constant data.
    ssl.RAND_add("this is a random string", 75.0)
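def _build_ssl_context(cls, session: AppSession) -> ssl.SSLContext:
    '''Create the SSL context from the session's arguments.

    Certificate validation is enabled (``CERT_REQUIRED`` plus the CA file
    named by ``session.ca_certs_filename``) only when
    ``check_certificate`` is set. Otherwise ``CERT_NONE`` is used: the
    peer certificate is not validated, so the connection offers no
    protection against an active man-in-the-middle.

    Returns:
        ssl.SSLContext
    '''
    args = session.args

    # Logic is based on tornado.netutil.ssl_options_to_context
    ssl_context = ssl.SSLContext(args.secure_protocol)

    if args.check_certificate:
        # NOTE(review): verify_mode validates the certificate chain only.
        # check_hostname is left at the default for the chosen protocol
        # constant - confirm that the host name is matched, here or by
        # the caller.
        ssl_context.verify_mode = ssl.CERT_REQUIRED
        cls._load_ca_certs(session)
        ssl_context.load_verify_locations(session.ca_certs_filename)
    else:
        # Some protocol constants (e.g. PROTOCOL_TLS_CLIENT) create the
        # context with check_hostname enabled, and the ssl module refuses
        # CERT_NONE while it is on. Turn it off first so that disabling
        # verification does not raise ValueError.
        ssl_context.check_hostname = False
        ssl_context.verify_mode = ssl.CERT_NONE

    if args.strong_crypto:
        # NOTE(review): this only rules out SSLv2/SSLv3 and compression;
        # TLS 1.0/1.1 stay negotiable unless the protocol constant or a
        # minimum_version setting excludes them.
        ssl_context.options |= ssl.OP_NO_SSLv2
        ssl_context.options |= ssl.OP_NO_SSLv3  # POODLE

        if hasattr(ssl, 'OP_NO_COMPRESSION'):
            ssl_context.options |= ssl.OP_NO_COMPRESSION  # CRIME
        else:
            _logger.warning(_('Unable to disable TLS compression.'))

    if args.certificate:
        # Client certificate; the private key path is passed through as
        # given, even when it is None.
        ssl_context.load_cert_chain(args.certificate, args.private_key)

    if args.edg_file:
        # ssl.RAND_egd is not present in every build of the ssl module
        # (it is missing with LibreSSL and with recent OpenSSL/Python
        # versions). Warn instead of failing with AttributeError, as is
        # done for OP_NO_COMPRESSION above.
        rand_egd = getattr(ssl, 'RAND_egd', None)
        if rand_egd is None:
            _logger.warning(
                _('Unable to seed from the EGD socket: '
                  'ssl.RAND_egd is unavailable.')
            )
        else:
            rand_egd(args.edg_file)

    if args.random_file:
        with open(args.random_file, 'rb') as in_file:
            # Use 16KB because Wget. The previous literal, 15360, was
            # only 15 KiB. The entropy estimate stays 0.0, so the file
            # content is mixed in without being credited as randomness.
            ssl.RAND_add(in_file.read(16 * 1024), 0.0)

    return ssl_context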