Python 3.12: do not use ssl.wrap_socket

The ssl.wrap_socket method has been removed in 3.12. SSLContext.wrap_socket should now be used. Change-Id: Ic60476bf58ebb00632d25f089229e68efdf2b274
2024-07-03 22:37:58 +02:00
parent 7be3fdf2a7
commit 670cff39cf
1 changed files with 8 additions and 9 deletions
--- a/tacker/wsgi.py
+++ b/tacker/wsgi.py
@ -207,18 +207,17 @@ class Server(object):
                                     ": %s") % CONF.ssl_ca_file)

        def wrap_ssl(sock):
-            ssl_kwargs = {
-                'server_side': True,
-                'certfile': CONF.ssl_cert_file,
-                'keyfile': CONF.ssl_key_file,
-                'cert_reqs': ssl.CERT_NONE,
-            }
+            ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
+            ssl_context.load_cert_chain(CONF.ssl_cert_file, CONF.ssl_key_file)

            if CONF.ssl_ca_file:
-                ssl_kwargs['ca_certs'] = CONF.ssl_ca_file
-                ssl_kwargs['cert_reqs'] = ssl.CERT_REQUIRED
+                ssl_context.verify_mode = ssl.CERT_REQUIRED
+                ssl_context.load_verify_locations(CONF.ssl_ca_file)
+            else:
+                ssl_context.check_hostname = False
+                ssl_context.verify_mode = ssl.CERT_NONE

-            return ssl.wrap_socket(sock, **ssl_kwargs)
+            return ssl_context.wrap_socket(sock, server_side=True)

        sock = None
        retry_until = time.time() + CONF.retry_until_window