Add support for server name indication
According to the python docs [1] it is recommended to use SSLContext.wrap_socket to create an ssl connection since Python 3.2 and 2.7.9. This enables us to also leverage server name indication (SNI). One use case where SNI is beneficial is an easy and standard way to route traffic into an Openshift cluster. The most common way to get traffic into an Openshift cluster is using a routes. The routes in an openshift cluster work with either HTTP, HTTPS with SNI or TLS with SNI [2]. TLS with SNI in this case also works with non-http connections like gearman is using. [1] https://docs.python.org/3/library/ssl.html#socket-creation [2] https://docs.okd.io/3.11/dev_guide/expose_service/expose_internal_ip_router.html#overview Change-Id: I19c1edc4a14a303d2a91894e0065c8d31f89ce24
This commit is contained in:
parent
88b2c09878
commit
58b2f277b7
|
@ -205,11 +205,12 @@ class Connection(object):
|
|||
|
||||
if self.use_ssl:
|
||||
self.log.debug("Using SSL")
|
||||
s = ssl.wrap_socket(s, ssl_version=ssl.PROTOCOL_TLSv1,
|
||||
cert_reqs=ssl.CERT_REQUIRED,
|
||||
keyfile=self.ssl_key,
|
||||
certfile=self.ssl_cert,
|
||||
ca_certs=self.ssl_ca)
|
||||
context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
|
||||
context.verify_mode = ssl.CERT_REQUIRED
|
||||
context.check_hostname = False
|
||||
context.load_cert_chain(self.ssl_cert, self.ssl_key)
|
||||
context.load_verify_locations(self.ssl_ca)
|
||||
s = context.wrap_socket(s, server_hostname=self.host)
|
||||
|
||||
try:
|
||||
s.connect(sa)
|
||||
|
@ -2851,12 +2852,11 @@ class Server(BaseClientServer):
|
|||
self.log.debug("Accepting new connection")
|
||||
c, addr = self.socket.accept()
|
||||
if self.use_ssl:
|
||||
c = ssl.wrap_socket(c, server_side=True,
|
||||
keyfile=self.ssl_key,
|
||||
certfile=self.ssl_cert,
|
||||
ca_certs=self.ssl_ca,
|
||||
cert_reqs=ssl.CERT_REQUIRED,
|
||||
ssl_version=ssl.PROTOCOL_TLSv1)
|
||||
context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
|
||||
context.verify_mode = ssl.CERT_REQUIRED
|
||||
context.load_cert_chain(self.ssl_cert, self.ssl_key)
|
||||
context.load_verify_locations(self.ssl_ca)
|
||||
c = context.wrap_socket(c, server_side=True)
|
||||
conn = ServerConnection(addr, c, self.use_ssl,
|
||||
self.client_id)
|
||||
self.log.info("Accepted connection %s" % (conn,))
|
||||
|
|
Loading…
Reference in New Issue