From 2747ea6f56137bf675acb15614041c654375a7b5 Mon Sep 17 00:00:00 2001
From: Clark Boylan
Date: Tue, 7 Feb 2023 16:37:20 -0800
Subject: [PATCH] Fix DeprecationWarning: ssl.PROTOCOL_TLS is deprecated
Since python 3.10 ssl.PROTOCOL_TLS has been deprecated. We are expected to use ssl.PROTOCOL_TLS_CLIENT and ssl.PROTOCOL_TLS_SERVER depending on how the sockets are to be used. Switch over to these new constants to avoid the DeprecationWarning. One thing to note is that PROTOCOL_TLS_CLIENT has default behaviors around cert verification and hostname checking. Zuul is already explicitly setting those options the way it wants to and I've left that alone to avoid trouble if the defaults change later. Finally, this doesn't fix the occurence of this error that happens within kazoo. A separate PR has been made upstream to kazoo and this should be fixed in the next kazoo release.
Change-Id: Ib41640f1d33d60503066464c8c98f865a74f003a
---
 tests/unit/test_streaming.py | 2 +-
 zuul/lib/fingergw.py | 2 +-
 zuul/lib/streamer_utils.py | 2 +-
 zuul/web/__init__.py | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/tests/unit/test_streaming.py b/tests/unit/test_streaming.py
index 12b33e5c60..7e6a2e6356 100644
--- a/tests/unit/test_streaming.py
+++ b/tests/unit/test_streaming.py
@@ -165,7 +165,7 @@ class TestStreamingBase(tests.base.AnsibleZuulTestCase):
 self.streaming_data[name] = ''
 with socket.create_connection(gateway_address) as s:
 if self.fingergw_use_ssl:
- context = ssl.SSLContext(ssl.PROTOCOL_TLS)
+ context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
 context.verify_mode = ssl.CERT_REQUIRED
 context.check_hostname = False
 context.load_cert_chain(
diff --git a/zuul/lib/fingergw.py b/zuul/lib/fingergw.py
index bd947f1130..184c9762d3 100644
--- a/zuul/lib/fingergw.py
+++ b/zuul/lib/fingergw.py
@@ -71,7 +71,7 @@ class RequestHandler(streamer_utils.BaseFingerRequestHandler):
 '''
 with socket.create_connection((server, port), timeout=10) as s:
 if use_ssl:
- context = ssl.SSLContext(ssl.PROTOCOL_TLS)
+ context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
 context.verify_mode = ssl.CERT_REQUIRED
 context.check_hostname = self.fingergw.tls_verify_hostnames
 context.load_cert_chain(self.fingergw.tls_cert,
diff --git a/zuul/lib/streamer_utils.py b/zuul/lib/streamer_utils.py
index 04de4b8cb9..a50fb41424 100644
--- a/zuul/lib/streamer_utils.py
+++ b/zuul/lib/streamer_utils.py
@@ -168,7 +168,7 @@ class CustomThreadingTCPServer(socketserver.ThreadingTCPServer):
 if all([self.server_ssl_key, self.server_ssl_cert, self.server_ssl_ca]):
- context = ssl.SSLContext(ssl.PROTOCOL_TLS)
+ context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
 context.load_cert_chain(self.server_ssl_cert, self.server_ssl_key)
 context.load_verify_locations(self.server_ssl_ca)
 context.verify_mode = ssl.CERT_REQUIRED
diff --git a/zuul/web/__init__.py b/zuul/web/__init__.py
index 7f27cd9701..47226fd7da 100755
--- a/zuul/web/__init__.py
+++ b/zuul/web/__init__.py
@@ -395,7 +395,7 @@ class LogStreamer(object):
 self.finger_socket = socket.create_connection(
 (server, port), timeout=10)
 if use_ssl:
- context = ssl.SSLContext(ssl.PROTOCOL_TLS)
+ context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
 context.verify_mode = ssl.CERT_REQUIRED
 context.check_hostname = self.zuulweb.finger_tls_verify_hostnames
 context.load_cert_chain(
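Review bot: In the zuul/lib/fingergw.py hunk, `context.check_hostname = self.fingergw.tls_verify_hostnames` now overrides a check that `PROTOCOL_TLS_CLIENT` enables by default, and nothing beside it says so; the same holds for `finger_tls_verify_hostnames` in the zuul/web/__init__.py hunk. With the option false the client still requires a valid chain but presumably accepts any certificate issued by the configured CA as the peer. A comment above the assignment would record that this is deliberate, for example `# PROTOCOL_TLS_CLIENT defaults to check_hostname=True; config may turn it off, leaving CA-only trust`. The `wrap_socket` call is outside both hunks, so whether `server_hostname` is passed when the option is true cannot be confirmed from here.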
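Review bot: The server context built in the zuul/lib/streamer_utils.py hunk sets no protocol floor, so the oldest TLS version it will negotiate is left to interpreter and OpenSSL defaults. Python 3.10 and later default a new `SSLContext` to a TLS 1.2 minimum, but if older interpreters are still supported (not visible here), pinning it costs one line after the constructor: `context.minimum_version = ssl.TLSVersion.TLSv1_2`. The three client-side contexts in this patch could take the same line. The enclosing method starts and ends outside the hunk.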