From 1a21d2d023345f655c901b1c946aa1bc05dabd87 Mon Sep 17 00:00:00 2001
From: Mark Bishop
Date: Fri, 2 Oct 2020 11:19:18 -0400
Subject: Move away from deprecated TLS socket wrapping
---
https_wrapper.py | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/https_wrapper.py b/https_wrapper.py
index e6bdc36..97c8f3c 100644
--- a/https_wrapper.py
+++ b/https_wrapper.py
@@ -113,10 +113,16 @@ class CertValidatingHTTPSConnection(http_client.HTTPConnection):
self.timeout)
if self._tunnel_host:
self._tunnel()
- self.sock = ssl.wrap_socket(self.sock, keyfile=self.key_file,
- certfile=self.cert_file,
- cert_reqs=self.cert_reqs,
- ca_certs=self.ca_certs)
+
+ context = ssl.create_default_context()
+ context.load_verify_locations(cafile=self.ca_certs)
+
+ if self.cert_file:
+ context.load_cert_chain(self.cert_file, keyfile=self.key_file)
+
+ context.options = self.cert_reqs
+ self.sock = context.wrap_socket(self.sock, server_hostname=self.host)
+
if self.cert_reqs & ssl.CERT_REQUIRED:
cert = self.sock.getpeercert()
cert_validation_host = self._tunnel_host or self.host
--
cgit v1.2.3
From e422658ad5e4a011f6a4cf16a6828b367e9ae69c Mon Sep 17 00:00:00 2001
From: Mark Bishop
Date: Fri, 2 Oct 2020 13:16:43 -0400
Subject: Disallow SSLv2 and SSLv3
---
https_wrapper.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/https_wrapper.py b/https_wrapper.py
index 97c8f3c..2679aba 100644
--- a/https_wrapper.py
+++ b/https_wrapper.py
@@ -120,7 +120,7 @@ class CertValidatingHTTPSConnection(http_client.HTTPConnection):
if self.cert_file:
context.load_cert_chain(self.cert_file, keyfile=self.key_file)
- context.options = self.cert_reqs
+ context.options = self.cert_reqs | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
self.sock = context.wrap_socket(self.sock, server_hostname=self.host)
if self.cert_reqs & ssl.CERT_REQUIRED:
--
cgit v1.2.3
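Review bot: `server_hostname=self.host` on the new `context.wrap_socket(...)` line names the proxy rather than the origin server whenever a CONNECT tunnel is in use — the hunk's own trailing context computes `cert_validation_host = self._tunnel_host or self.host` for the manual check, and because `ssl.create_default_context()` enables `check_hostname`, the handshake itself now compares the origin's certificate against the proxy's name and fails before that manual check is reached. Use `server_hostname=self._tunnel_host or self.host`, which is what `http.client.HTTPSConnection` does. Separately, `context.load_verify_locations(cafile=self.ca_certs)` raises `TypeError` when `ca_certs` is `None`, a value the removed `ssl.wrap_socket(..., ca_certs=self.ca_certs)` call accepted for callers not requiring verification; guarding it with `if self.ca_certs:` keeps those callers working, since the default context already loads the system trust store. The constructor that populates `ca_certs` is outside this hunk, so whether `None` actually reaches here is inferred from the old call, and the enclosing method starts and ends outside the hunk as well.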
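Review bot: The new `context.options = self.cert_reqs | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3` still ORs a `CERT_*` verification-mode constant (an integer 0, 1 or 2) into the `OP_*` option bitmask, so the caller's `cert_reqs` never reaches the context's verify mode and the context stays at `create_default_context()`'s `CERT_REQUIRED` with `check_hostname=True` regardless of what the caller asked for, while the stray bit means nothing related to certificate checking. Plain assignment also replaces the default option set instead of extending it — which is why SSLv2/SSLv3 had to be re-added here — and it still drops `OP_NO_COMPRESSION` and the other hardening bits the default context sets. Put the verify mode on the attribute meant for it and OR the protocol options in: `context.check_hostname = self.cert_reqs == ssl.CERT_REQUIRED`, `context.verify_mode = self.cert_reqs`, `context.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3` (lowering `check_hostname` first matters, because setting `verify_mode` to `CERT_NONE` while it is enabled raises `ValueError`). The enclosing method starts and ends outside this hunk.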