Add support for server name indication

According to the python docs [1] it is recommended to use SSLContext.wrap_socket to create an ssl connection since Python 3.2 and 2.7.9. This enables us to also leverage server name indication (SNI). One use case where SNI is beneficial is an easy and standard way to route traffic into an Openshift cluster. The most common way to get traffic into an Openshift cluster is using a routes. The routes in an openshift cluster work with either HTTP, HTTPS with SNI or TLS with SNI [2]. TLS with SNI in this case also works with non-http connections like gearman is using. [1] https://docs.python.org/3/library/ssl.html#socket-creation [2] https://docs.okd.io/3.11/dev_guide/expose_service/expose_internal_ip_router.html#overview Change-Id: I19c1edc4a14a303d2a91894e0065c8d31f89ce24
2019-05-04 12:11:41 +02:00 · 2019-05-04 12:11:41 +02:00 · 58b2f277b7
parent 88b2c09878
commit 58b2f277b7
1 changed files with 11 additions and 11 deletions
--- a/gear/init.py
+++ b/gear/init.py
@ -205,11 +205,12 @@ class Connection(object):

            if self.use_ssl:
                self.log.debug("Using SSL")
-                s = ssl.wrap_socket(s, ssl_version=ssl.PROTOCOL_TLSv1,
-                                    cert_reqs=ssl.CERT_REQUIRED,
-                                    keyfile=self.ssl_key,
-                                    certfile=self.ssl_cert,
-                                    ca_certs=self.ssl_ca)
+                context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
+                context.verify_mode = ssl.CERT_REQUIRED
+                context.check_hostname = False
+                context.load_cert_chain(self.ssl_cert, self.ssl_key)
+                context.load_verify_locations(self.ssl_ca)
+                s = context.wrap_socket(s, server_hostname=self.host)

            try:
                s.connect(sa)
@ -2851,12 +2852,11 @@ class Server(BaseClientServer):
                    self.log.debug("Accepting new connection")
                    c, addr = self.socket.accept()
                    if self.use_ssl:
-                        c = ssl.wrap_socket(c, server_side=True,
-                                            keyfile=self.ssl_key,
-                                            certfile=self.ssl_cert,
-                                            ca_certs=self.ssl_ca,
-                                            cert_reqs=ssl.CERT_REQUIRED,
-                                            ssl_version=ssl.PROTOCOL_TLSv1)
+                        context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
+                        context.verify_mode = ssl.CERT_REQUIRED
+                        context.load_cert_chain(self.ssl_cert, self.ssl_key)
+                        context.load_verify_locations(self.ssl_ca)
+                        c = context.wrap_socket(c, server_side=True)
                    conn = ServerConnection(addr, c, self.use_ssl,
                                            self.client_id)
                    self.log.info("Accepted connection %s" % (conn,))