1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
|
Description: fix ssl_wrap removed from python 3.12's ssl.py
Author: Rene Luria <rene.luria@infomaniak.ch>
Forwarded: no
Bug-Debian: https://bugs.debian.org/1058411
Last-Update: 2023-12-19
Index: python-pykmip/kmip/services/kmip_client.py
===================================================================
--- python-pykmip.orig/kmip/services/kmip_client.py
+++ python-pykmip/kmip/services/kmip_client.py
@@ -285,13 +285,20 @@ class KMIPProxy(object):
six.reraise(*last_error)
def _create_socket(self, sock):
- self.socket = ssl.wrap_socket(
+ context = ssl.SSLContext(self.ssl_version)
+
+ if self.certfile or self.keyfile:
+ context.load_cert_chain(
+ certfile=self.certfile,
+ keyfile=self.keyfile,
+ )
+ if self.ca_certs:
+ context.load_verify_locations(self.ca_certs)
+
+ context.options |= self.cert_reqs
+
+ self.socket = context.wrap_socket(
sock,
- keyfile=self.keyfile,
- certfile=self.certfile,
- cert_reqs=self.cert_reqs,
- ssl_version=self.ssl_version,
- ca_certs=self.ca_certs,
do_handshake_on_connect=self.do_handshake_on_connect,
suppress_ragged_eofs=self.suppress_ragged_eofs)
self.socket.settimeout(self.timeout)
Index: python-pykmip/kmip/services/server/server.py
===================================================================
--- python-pykmip.orig/kmip/services/server/server.py
+++ python-pykmip/kmip/services/server/server.py
@@ -287,17 +287,22 @@ class KmipServer(object):
for cipher in auth_suite_ciphers:
self._logger.debug(cipher)
- self._socket = ssl.wrap_socket(
+ context = ssl.SSLContext(self.auth_suite.protocol if self.auth_suite.protocol else ssl.PROTOCOL_TLS_SERVER)
+ if self.config.settings.get('key_path') or self.config.settings.get('certificate_path'):
+ context.load_cert_chain(
+ certfile=self.config.settings.get('key_path'),
+ keyfile=self.config.settings.get('certificate_path'),
+ )
+ if self.config.settings.get('ca_path'):
+ context.load_verify_locations(self.config.settings.get('ca_path'))
+ context.set_ciphers(self.auth_suite.ciphers)
+ context.verify_mode = ssl.CERT_REQUIRED
+
+ self._socket = context.wrap_socket(
self._socket,
- keyfile=self.config.settings.get('key_path'),
- certfile=self.config.settings.get('certificate_path'),
server_side=True,
- cert_reqs=ssl.CERT_REQUIRED,
- ssl_version=self.auth_suite.protocol,
- ca_certs=self.config.settings.get('ca_path'),
do_handshake_on_connect=False,
suppress_ragged_eofs=True,
- ciphers=self.auth_suite.ciphers
)
try:
Index: python-pykmip/kmip/tests/unit/services/server/test_server.py
===================================================================
--- python-pykmip.orig/kmip/tests/unit/services/server/test_server.py
+++ python-pykmip/kmip/tests/unit/services/server/test_server.py
@@ -168,7 +168,7 @@ class TestKmipServer(testtools.TestCase)
# Test that in ideal cases no errors are generated and the right
# log messages are.
with mock.patch('socket.socket') as socket_mock:
- with mock.patch('ssl.wrap_socket') as ssl_mock:
+ with mock.patch('ssl.SSLContext.wrap_socket') as ssl_mock:
socket_mock.return_value = a_mock
ssl_mock.return_value = b_mock
@@ -229,7 +229,7 @@ class TestKmipServer(testtools.TestCase)
# Test that a NetworkingError is generated if the socket bind fails.
with mock.patch('socket.socket') as socket_mock:
- with mock.patch('ssl.wrap_socket') as ssl_mock:
+ with mock.patch('ssl.SSLContext.wrap_socket') as ssl_mock:
socket_mock.return_value = a_mock
ssl_mock.return_value = b_mock
|
