Side by Side Diff: Lib/ssl.py

Issue 22417: PEP 476: verify HTTPS certificates by default
Patch Set: Created 4 years, 9 months ago
1 # Wrapper module for _ssl, providing some additional facilities 1 # Wrapper module for _ssl, providing some additional facilities
2 # implemented in Python. Written by Bill Janssen. 2 # implemented in Python. Written by Bill Janssen.
3 3
4 """This module provides some more Pythonic support for SSL. 4 """This module provides some more Pythonic support for SSL.
5 5
6 Object types: 6 Object types:
7 7
8 SSLSocket -- subtype of socket.socket which does SSL over the socket 8 SSLSocket -- subtype of socket.socket which does SSL over the socket
9 9
10 Exceptions: 10 Exceptions:
(...skipping 424 matching lines...) Expand 10 before | Expand all | Expand 10 after
435 435
436 if cafile or capath or cadata: 436 if cafile or capath or cadata:
437 context.load_verify_locations(cafile, capath, cadata) 437 context.load_verify_locations(cafile, capath, cadata)
438 elif context.verify_mode != CERT_NONE: 438 elif context.verify_mode != CERT_NONE:
439 # no explicit cafile, capath or cadata but the verify mode is 439 # no explicit cafile, capath or cadata but the verify mode is
440 # CERT_OPTIONAL or CERT_REQUIRED. Let's try to load default system 440 # CERT_OPTIONAL or CERT_REQUIRED. Let's try to load default system
441 # root CA certificates for the given purpose. This may fail silently. 441 # root CA certificates for the given purpose. This may fail silently.
442 context.load_default_certs(purpose) 442 context.load_default_certs(purpose)
443 return context 443 return context
444 444
445 445 def _create_unverified_context(protocol=PROTOCOL_SSLv23, *, cert_reqs=None,
446 def _create_stdlib_context(protocol=PROTOCOL_SSLv23, *, cert_reqs=None,
447 check_hostname=False, purpose=Purpose.SERVER_AUTH, 446 check_hostname=False, purpose=Purpose.SERVER_AUTH,
448 certfile=None, keyfile=None, 447 certfile=None, keyfile=None,
449 cafile=None, capath=None, cadata=None): 448 cafile=None, capath=None, cadata=None):
450 """Create a SSLContext object for Python stdlib modules 449 """Create a SSLContext object for Python stdlib modules
451 450
452 All Python stdlib modules shall use this function to create SSLContext 451 All Python stdlib modules shall use this function to create SSLContext
453 objects in order to keep common settings in one place. The configuration 452 objects in order to keep common settings in one place. The configuration
454 is less restrict than create_default_context()'s to increase backward 453 is less restrict than create_default_context()'s to increase backward
455 compatibility. 454 compatibility.
456 """ 455 """
(...skipping 16 matching lines...) Expand all
473 # load CA root certs 472 # load CA root certs
474 if cafile or capath or cadata: 473 if cafile or capath or cadata:
475 context.load_verify_locations(cafile, capath, cadata) 474 context.load_verify_locations(cafile, capath, cadata)
476 elif context.verify_mode != CERT_NONE: 475 elif context.verify_mode != CERT_NONE:
477 # no explicit cafile, capath or cadata but the verify mode is 476 # no explicit cafile, capath or cadata but the verify mode is
478 # CERT_OPTIONAL or CERT_REQUIRED. Let's try to load default system 477 # CERT_OPTIONAL or CERT_REQUIRED. Let's try to load default system
479 # root CA certificates for the given purpose. This may fail silently. 478 # root CA certificates for the given purpose. This may fail silently.
480 context.load_default_certs(purpose) 479 context.load_default_certs(purpose)
481 480
482 return context 481 return context
482
483 # PEP 476 target for monkeypatching hack that reverts to old behaviour
484 _create_default_https_context = create_default_context
AntoinePitrou 2014/09/18 15:41:59 Compared to _create_stdlib_context, this changes o
485 # To revert back to the old behaviour, monkeypatch the ssl module:
486 # ssl._create_default_https_context = ssl._create_unverified_context
487
488
489 # Minimise impact of PEP 476 patch on other modules in 3.4 and 2.7
490 # by providing a backwards compatibility alias for the old private name
491 _create_stdlib_context = _create_unverified_context
492
483 493
484 class SSLSocket(socket): 494 class SSLSocket(socket):
485 """This class implements a subtype of socket.socket that wraps 495 """This class implements a subtype of socket.socket that wraps
486 the underlying OS socket in an SSL context when necessary, and 496 the underlying OS socket in an SSL context when necessary, and
487 provides read and write methods over that channel.""" 497 provides read and write methods over that channel."""
488 498
489 def __init__(self, sock=None, keyfile=None, certfile=None, 499 def __init__(self, sock=None, keyfile=None, certfile=None,
490 server_side=False, cert_reqs=CERT_NONE, 500 server_side=False, cert_reqs=CERT_NONE,
491 ssl_version=PROTOCOL_SSLv23, ca_certs=None, 501 ssl_version=PROTOCOL_SSLv23, ca_certs=None,
492 do_handshake_on_connect=True, 502 do_handshake_on_connect=True,
(...skipping 443 matching lines...) Expand 10 before | Expand all | Expand 10 after
936 context = _create_stdlib_context(ssl_version, 946 context = _create_stdlib_context(ssl_version,
937 cert_reqs=cert_reqs, 947 cert_reqs=cert_reqs,
938 cafile=ca_certs) 948 cafile=ca_certs)
939 with create_connection(addr) as sock: 949 with create_connection(addr) as sock:
940 with context.wrap_socket(sock) as sslsock: 950 with context.wrap_socket(sock) as sslsock:
941 dercert = sslsock.getpeercert(True) 951 dercert = sslsock.getpeercert(True)
942 return DER_cert_to_PEM_cert(dercert) 952 return DER_cert_to_PEM_cert(dercert)
943 953
944 def get_protocol_name(protocol_code): 954 def get_protocol_name(protocol_code):
945 return _PROTOCOL_NAMES.get(protocol_code, '<unknown>') 955 return _PROTOCOL_NAMES.get(protocol_code, '<unknown>')
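Review bot: The comment at new line 483, `# PEP 476 target for monkeypatching hack that reverts to old behaviour`, sits directly above `_create_default_https_context = create_default_context`, which is the verified default rather than the revert; the revert is only described by the two-line comment at 485-486, so a reader skimming the assignment gets the opposite impression. I would rephrase it as `# PEP 476: factory used by stdlib HTTPS clients; replacing it (see below) restores the pre-PEP 476 unverified behaviour for every caller in the process, not a single connection`, since the process-wide scope of the hook is the thing a maintainer most needs to know before touching it. The docstring of `_create_unverified_context` (new 449-455) is also stale after the rename: it still reads "All Python stdlib modules shall use this function to create SSLContext objects", which the PEP 476 change contradicts for HTTPS; it should instead say that the returned context presumably performs no certificate verification unless `cert_reqs` or a CA source is supplied, and that HTTPS callers now go through `_create_default_https_context`. `get_server_certificate` at new 946 still calls the compatibility alias `_create_stdlib_context`; the alias keeps it working, but the new name states the contract and I would switch the call. The bodies of both factories are partly outside the hunk (16 lines skipped), so the default value of `verify_mode` when `cert_reqs` is None is inferred, not visible here.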