author | Aaron <amcconnell@duosecurity.com> | 2020-10-02 13:30:56 -0400 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-10-02 13:30:56 -0400 |
commit | 3f0b9383b4717e63946e4fbb2daec7c8033bfcf8 (patch) | |
tree | a7e73c2e86b1a6d3c9b66bc5e064dec9fc3d7038 | |
parent | db35d5b41342ddb340045d90b65469acdae588bc (diff) | |
parent | e422658ad5e4a011f6a4cf16a6828b367e9ae69c (diff) | |
Merge pull request #35 from mbish/master
Move away from deprecated TLS socket wrapping
-rw-r--r-- | https_wrapper.py | 14 |
1 files changed, 10 insertions, 4 deletions
diff --git a/https_wrapper.py b/https_wrapper.py
index e6bdc36..2679aba 100644
--- a/https_wrapper.py
+++ b/https_wrapper.py
@@ -113,10 +113,16 @@ class CertValidatingHTTPSConnection(http_client.HTTPConnection):
                                 self.timeout)
         if self._tunnel_host:
             self._tunnel()
-        self.sock = ssl.wrap_socket(self.sock, keyfile=self.key_file,
-                                    certfile=self.cert_file,
-                                    cert_reqs=self.cert_reqs,
-                                    ca_certs=self.ca_certs)
+
+        context = ssl.create_default_context()
+        context.load_verify_locations(cafile=self.ca_certs)
+
+        if self.cert_file:
+            context.load_cert_chain(self.cert_file, keyfile=self.key_file)
+
+        context.options = self.cert_reqs | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
+        self.sock = context.wrap_socket(self.sock, server_hostname=self.host)
+
         if self.cert_reqs & ssl.CERT_REQUIRED:
             cert = self.sock.getpeercert()
             cert_validation_host = self._tunnel_host or self.host
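Review bot: `server_hostname=self.host` is the wrong name when a CONNECT tunnel is in use — `ssl.create_default_context()` enables `check_hostname`, so the handshake matches the peer certificate against the proxy host rather than the origin, while the context lines just below validate against `self._tunnel_host or self.host`; pass the same value, `server_hostname=self._tunnel_host or self.host`. The `context.options = self.cert_reqs | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3` line is a category error: `cert_reqs` is a `verify_mode` value (`CERT_NONE`/`CERT_OPTIONAL`/`CERT_REQUIRED`), not an `OP_*` flag, and plain assignment discards the hardening options the default context already set (`OP_NO_COMPRESSION` among them); since the default context already disables SSLv2/SSLv3 and sets `CERT_REQUIRED`, either drop the line or write `context.verify_mode = self.cert_reqs` (clearing `check_hostname` first if `CERT_NONE` is meant to be honoured). `load_verify_locations(cafile=self.ca_certs)` raises when `ca_certs` is `None`, which the removed `wrap_socket` call accepted, so guard it if callers may omit a CA bundle. The enclosing method starts and ends outside the hunk.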