Skip to content

Commit

Permalink
Add client support for python 3.5+
Browse files Browse the repository at this point in the history 
Starting with python 3.7 ssl.SSLSocket was removed. Simply calling wrap_socket is the proposed fix here.
Starting with python 3.5 ssl.PROTOCOL_TLSv1 was removed, so we switch to PROTOCOL_TLS, which should result in the highest possible TLS connection. Modern OSes do no longer support SSLv2/3 so it is okayish to ignore those.

This should fix Bcfg2#415
  • Loading branch information
@xschlef @michaellass
xschlef authored and michaellass committed Jan 2, 2024
1 parent 8f1f9b9 commit cfc324d
Showing 1 changed file with 4 additions and 1 deletion.
5 changes: 4 additions & 1 deletion src/lib/Bcfg2/Client/Proxy.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -198,6 +198,9 @@ def connect(self):
ssl_protocol_ver = ssl.PROTOCOL_SSLv23
elif self.protocol == 'xmlrpc/tlsv1':
ssl_protocol_ver = ssl.PROTOCOL_TLSv1
elif self.protocol == 'xmlrpc/tls':
# needed for python 3.5+ support
ssl_protocol_ver = ssl.PROTOCOL_TLS
else:
self.logger.error("Unknown protocol %s" % (self.protocol))
raise Exception("unknown protocol %s" % self.protocol)
Expand All @@ -219,7 +222,7 @@ def connect(self):
self.key = None

rawsock.settimeout(self.timeout)
self.sock = ssl.SSLSocket(rawsock, cert_reqs=other_side_required,
self.sock = ssl.wrap_socket(rawsock, cert_reqs=other_side_required,
ca_certs=self.ca, suppress_ragged_eofs=True,
keyfile=self.key, certfile=self.cert,
ssl_version=ssl_protocol_ver)
Expand Down

0 comments on commit cfc324d

Please sign in to comment.