author | Mark Bishop <mbishop@duosecurity.com> | 2020-10-02 11:19:18 -0400 |
---|---|---|
committer | Mark Bishop <mbishop@duosecurity.com> | 2020-10-02 11:19:18 -0400 |
commit | 1a21d2d023345f655c901b1c946aa1bc05dabd87 (patch) | |
tree | 869d5d9f4fb4065e6ce6539a0497dc568d906e88 | |
parent | db35d5b41342ddb340045d90b65469acdae588bc (diff) | |
download | openvpn-duo-plugin-1a21d2d023345f655c901b1c946aa1bc05dabd87.tar.gz openvpn-duo-plugin-1a21d2d023345f655c901b1c946aa1bc05dabd87.zip |
Move away from deprecated TLS socket wrapping
-rw-r--r-- | https_wrapper.py | 14 |
1 files changed, 10 insertions, 4 deletions
diff --git a/https_wrapper.py b/https_wrapper.py
index e6bdc36..97c8f3c 100644
--- a/https_wrapper.py
+++ b/https_wrapper.py
@@ -113,10 +113,16 @@ class CertValidatingHTTPSConnection(http_client.HTTPConnection):
 self.timeout)
 if self._tunnel_host:
 self._tunnel()
- self.sock = ssl.wrap_socket(self.sock, keyfile=self.key_file,
- certfile=self.cert_file,
- cert_reqs=self.cert_reqs,
- ca_certs=self.ca_certs)
+
+ context = ssl.create_default_context()
+ context.load_verify_locations(cafile=self.ca_certs)
+
+ if self.cert_file:
+ context.load_cert_chain(self.cert_file, keyfile=self.key_file)
+
+ context.options = self.cert_reqs
+ self.sock = context.wrap_socket(self.sock, server_hostname=self.host)
+
 if self.cert_reqs & ssl.CERT_REQUIRED:
 cert = self.sock.getpeercert()
 cert_validation_host = self._tunnel_host or self.host |
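Review bot: `context.options = self.cert_reqs` writes a `CERT_*` verification mode into the `OP_*` option bitmask, so it replaces the option flags that `create_default_context()` set and `cert_reqs` never reaches `verify_mode`. Separately, `create_default_context()` called with no arguments loads the system trust store and `load_verify_locations` then adds `ca_certs` on top of it, whereas the removed `ssl.wrap_socket(ca_certs=...)` call trusted only that file; passing `cafile=self.ca_certs` to `create_default_context` keeps the narrower trust. `server_hostname=self.host` also looks inconsistent with the `cert_validation_host` line just below: when `_tunnel_host` is set, `self.host` is presumably the proxy, so SNI and the built-in hostname check would target the wrong name. The enclosing method starts and ends outside the hunk, so the sketch below covers only the added lines.

```python
        context = ssl.create_default_context(cafile=self.ca_certs)
        # … unchanged: load_cert_chain for the optional client certificate …
        if self.cert_reqs == ssl.CERT_NONE:
            # verify_mode cannot be set to CERT_NONE while check_hostname is on
            context.check_hostname = False
        context.verify_mode = self.cert_reqs
        self.sock = context.wrap_socket(
            self.sock, server_hostname=self._tunnel_host or self.host)
```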