From 79fe6b8feeec327c7d5ee19de7d6d6931ad5fce2 Mon Sep 17 00:00:00 2001
From: Cyril Roelandt
Date: Wed, 3 Jul 2024 17:11:12 +0200
Subject: [PATCH] Python 3.12: do not use ssl.wrap_socket
The ssl.wrap_socket method has been removed in 3.12. SSLContext.wrap_socket should now be used.
Change-Id: I6e4f6848c07f7f9c1937ebde433a85ccfde7ba6a
---
 watcherclient/common/httpclient.py | 19 +++++++++----------
 1 file changed, 9 insertions(+), 10 deletions(-)
diff --git a/watcherclient/common/httpclient.py b/watcherclient/common/httpclient.py
index ce838d6..90f1beb 100644
--- a/watcherclient/common/httpclient.py
+++ b/watcherclient/common/httpclient.py
@@ -434,11 +434,6 @@ class VerifiedHTTPSConnection(http.client.HTTPSConnection):
 """Connect to a host on a given (SSL) port.
 If ca_file is pointing somewhere, use it to check Server Certificate.
-
- Redefined/copied and extended from httplib.py:1105 (Python 2.6.x).
- This is needed to pass cert_reqs=ssl.CERT_REQUIRED as parameter to
- ssl.wrap_socket(), which forces SSL to check server certificate against
- our client certificate.
 """
 sock = socket.create_connection((self.host, self.port), self.timeout)
@@ -446,17 +441,21 @@ class VerifiedHTTPSConnection(http.client.HTTPSConnection):
 self.sock = sock
 self._tunnel()
+ context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
+
 if self.insecure is True:
- kwargs = {'cert_reqs': ssl.CERT_NONE}
+ context.check_hostname = False
+ context.verify_mode = ssl.CERT_NONE
 else:
- kwargs = {'cert_reqs': ssl.CERT_REQUIRED, 'ca_certs': self.ca_file}
+ context.load_verify_locations(self.ca_file)
 if self.cert_file:
- kwargs['certfile'] = self.cert_file
 if self.key_file:
- kwargs['keyfile'] = self.key_file
+ context.load_cert_chain(self.cert_file, self.key_file)
+ else:
+ context.load_cert_chain(self.cert_file)
- self.sock = ssl.wrap_socket(sock, **kwargs)
+ self.sock = context.wrap_socket(sock)
 @staticmethod
 def get_system_ca_file():
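Review bot: The last added line of the second hunk, `self.sock = context.wrap_socket(sock)`, passes no `server_hostname`, but a context built with `ssl.PROTOCOL_TLS_CLIENT` has `check_hostname` enabled, so in the verified (`else`) branch the call raises `ValueError` before any handshake, and no SNI is sent in either branch. Changing it to `self.sock = context.wrap_socket(sock, server_hostname=self.host)` keeps the hostname check that the new context adds over the old `cert_reqs=ssl.CERT_REQUIRED` call. When the socket went through `self._tunnel()`, the name to verify is presumably the tunnelled host rather than the proxy; that needs confirming against the part of `connect()` that lies outside this hunk. Separately, `context.load_verify_locations(self.ca_file)` raises `TypeError` when `ca_file` is `None`; how `ca_file` is populated is not visible here, so a fallback such as `context.load_default_certs()` may be needed.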