Merge "Python3.12: do not use ssl.wrap_socket"

os_ken/controller/controller.py

@@ -166,9 +166,8 @@ class OpenFlowController(object):
 
     def server_loop(self, ofp_tcp_listen_port, ofp_ssl_listen_port):
         if CONF.ctl_privkey is not None and CONF.ctl_cert is not None:
-            p = 'PROTOCOL_TLS'
+            ssl_args = {'ssl_ctx': ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)}
 
-            ssl_args = {'ssl_ctx': ssl.SSLContext(getattr(ssl, p))}
             # Restrict non-safe versions
             ssl_args['ssl_ctx'].options |= ssl.OP_NO_SSLv3 | ssl.OP_NO_SSLv2
 

os_ken/lib/hub.py

@@ -137,24 +137,20 @@ if HUB_TYPE == 'eventlet':
 
             if ssl_args:
                 ssl_args.setdefault('server_side', True)
-                if 'ssl_ctx' in ssl_args:
-                    ctx = ssl_args.pop('ssl_ctx')
-                    ctx.load_cert_chain(ssl_args.pop('certfile'),
-                                        ssl_args.pop('keyfile'))
-                    if 'cert_reqs' in ssl_args:
-                        ctx.verify_mode = ssl_args.pop('cert_reqs')
-                    if 'ca_certs' in ssl_args:
-                        ctx.load_verify_locations(ssl_args.pop('ca_certs'))
+                if 'ssl_ctx' not in ssl_args:
+                    raise RuntimeError("no SSLContext ssl_ctx in ssl_args")
+                ctx = ssl_args.pop('ssl_ctx')
+                ctx.load_cert_chain(ssl_args.pop('certfile'),
+                                    ssl_args.pop('keyfile'))
+                if 'cert_reqs' in ssl_args:
+                    ctx.verify_mode = ssl_args.pop('cert_reqs')
+                if 'ca_certs' in ssl_args:
+                    ctx.load_verify_locations(ssl_args.pop('ca_certs'))
 
-                    def wrap_and_handle_ctx(sock, addr):
-                        handle(ctx.wrap_socket(sock, **ssl_args), addr)
+                def wrap_and_handle_ctx(sock, addr):
+                    handle(ctx.wrap_socket(sock, **ssl_args), addr)
 
-                    self.handle = wrap_and_handle_ctx
-                else:
-                    def wrap_and_handle_ssl(sock, addr):
-                        handle(ssl.wrap_socket(sock, **ssl_args), addr)
-
-                    self.handle = wrap_and_handle_ssl
+                self.handle = wrap_and_handle_ctx
             else:
                 self.handle = handle
 
@@ -182,7 +178,14 @@ if HUB_TYPE == 'eventlet':
                 return None
 
             if self.ssl_args:
-                client = ssl.wrap_socket(client, **self.ssl_args)
+                ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
+                ctx.load_cert_chain(self.ssl_args.pop('certfile'),
+                                    self.ssl_args.pop('keyfile'))
+                if 'cert_reqs' in self.ssl_args:
+                    ctx.verify_mode = self.ssl_args.pop('cert_reqs')
+                if 'ca_certs' in self.ssl_args:
+                    ctx.load_verify_location(self.ssl_args.pop('ca_certs'))
+                client = ctx.wrap_socket(client, **self.ssl_args)
 
             return client
 

os_ken/services/protocols/ovsdb/manager.py

@@ -173,13 +173,14 @@ class OVSDB(app_manager.OSKenApp):
         cert = self.CONF.ovsdb.mngr_cert or self.CONF.ctl_cert
 
         if key is not None and cert is not None:
-            ssl_kwargs = dict(keyfile=key, certfile=cert, server_side=True)
+            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
+            ctx.load_cert_chain(cert, key)
 
             if self.CONF.ca_certs is not None:
-                ssl_kwargs['cert_reqs'] = ssl.CERT_REQUIRED
-                ssl_kwargs['ca_certs'] = self.CONF.ca_certs
+                ctx.verify_mode = ssl.CERT_REQUIRED
+                ctx.load_verify_locations(self.CONF.ca_certs)
 
-            server = ssl.wrap_socket(server, **ssl_kwargs)
+            server = ctx.wrap_socket(server, server_side=True)
 
         self._server = server