File: ssl.py
# Wrapper module for _ssl, providing some additional facilities
# implemented in Python. Written by Bill Janssen.
"""This module provides some more Pythonic support for SSL.

Object types:

  SSLSocket -- subtype of socket.socket which does SSL over the socket

Exceptions:

  SSLError -- exception raised for I/O errors

Functions:

  cert_time_to_seconds -- convert time string used for certificate
                          notBefore and notAfter functions to integer
                          seconds past the Epoch (the time values
                          returned from time.time())

  fetch_server_certificate (HOST, PORT) -- fetch the certificate provided
                          by the server running on HOST at port PORT. No
                          validation of the certificate is performed.

Integer constants:

SSL_ERROR_ZERO_RETURN
SSL_ERROR_WANT_READ
SSL_ERROR_WANT_WRITE
SSL_ERROR_WANT_X509_LOOKUP
SSL_ERROR_SYSCALL
SSL_ERROR_SSL
SSL_ERROR_WANT_CONNECT

SSL_ERROR_EOF
SSL_ERROR_INVALID_ERROR_CODE

The following group defines certificate requirements that one side is
allowing/requiring from the other side:

CERT_NONE - no certificates from the other side are required (or will
            be looked at if provided)
CERT_OPTIONAL - certificates are not required, but if provided will be
                validated, and if validation fails, the connection will
                also fail
CERT_REQUIRED - certificates are required, and will be validated, and
                if validation fails, the connection will also fail

The following constants identify various SSL protocol variants:

PROTOCOL_SSLv2
PROTOCOL_SSLv3
PROTOCOL_SSLv23
PROTOCOL_TLS
PROTOCOL_TLS_CLIENT
PROTOCOL_TLS_SERVER
PROTOCOL_TLSv1
PROTOCOL_TLSv1_1
PROTOCOL_TLSv1_2

The following constants identify various SSL alert message descriptions as per
http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6

ALERT_DESCRIPTION_CLOSE_NOTIFY
ALERT_DESCRIPTION_UNEXPECTED_MESSAGE
ALERT_DESCRIPTION_BAD_RECORD_MAC
ALERT_DESCRIPTION_RECORD_OVERFLOW
ALERT_DESCRIPTION_DECOMPRESSION_FAILURE
ALERT_DESCRIPTION_HANDSHAKE_FAILURE
ALERT_DESCRIPTION_BAD_CERTIFICATE
ALERT_DESCRIPTION_UNSUPPORTED_CERTIFICATE
ALERT_DESCRIPTION_CERTIFICATE_REVOKED
ALERT_DESCRIPTION_CERTIFICATE_EXPIRED
ALERT_DESCRIPTION_CERTIFICATE_UNKNOWN
ALERT_DESCRIPTION_ILLEGAL_PARAMETER
ALERT_DESCRIPTION_UNKNOWN_CA
ALERT_DESCRIPTION_ACCESS_DENIED
ALERT_DESCRIPTION_DECODE_ERROR
ALERT_DESCRIPTION_DECRYPT_ERROR
ALERT_DESCRIPTION_PROTOCOL_VERSION
ALERT_DESCRIPTION_INSUFFICIENT_SECURITY
ALERT_DESCRIPTION_INTERNAL_ERROR
ALERT_DESCRIPTION_USER_CANCELLED
ALERT_DESCRIPTION_NO_RENEGOTIATION
ALERT_DESCRIPTION_UNSUPPORTED_EXTENSION
ALERT_DESCRIPTION_CERTIFICATE_UNOBTAINABLE
ALERT_DESCRIPTION_UNRECOGNIZED_NAME
ALERT_DESCRIPTION_BAD_CERTIFICATE_STATUS_RESPONSE
ALERT_DESCRIPTION_BAD_CERTIFICATE_HASH_VALUE
ALERT_DESCRIPTION_UNKNOWN_PSK_IDENTITY
"""

import ipaddress
import textwrap
import re
import sys
import os
from collections import namedtuple
from enum import Enum as _Enum, IntEnum as _IntEnum, IntFlag as _IntFlag
import _ssl # if we can't import it, let the error propagate
from _ssl import OPENSSL_VERSION_NUMBER, OPENSSL_VERSION_INFO, OPENSSL_VERSION
from _ssl import _SSLContext, MemoryBIO, SSLSession
from _ssl import (
SSLError, SSLZeroReturnError, SSLWantReadError, SSLWantWriteError,
SSLSyscallError, SSLEOFError,
)
from _ssl import txt2obj as _txt2obj, nid2obj as _nid2obj
from _ssl import RAND_status, RAND_add, RAND_bytes, RAND_pseudo_bytes
try:
from _ssl import RAND_egd
except ImportError:
# LibreSSL does not provide RAND_egd
pass
from _ssl import HAS_SNI, HAS_ECDH, HAS_NPN, HAS_ALPN, HAS_TLSv1_3
from _ssl import _DEFAULT_CIPHERS
from _ssl import _OPENSSL_API_VERSION
# Wrap the integer constants exported by the _ssl extension in enum classes.
# Each call hands the private enum helper a class name, this module's name,
# a filter over the constant names, and _ssl as the source of the constants.
# NOTE(review): later code uses _SSLMethod, Options, VerifyMode and members
# such as CERT_REQUIRED unqualified, so the helper presumably also publishes
# the new class and its members as module globals -- confirm against enum.

# Protocol selectors. PROTOCOL_SSLv23 is filtered out here and re-added
# below as an alias so that it does not become a separate member.
_IntEnum._convert(
    '_SSLMethod',
    __name__,
    lambda name: name != 'PROTOCOL_SSLv23' and name.startswith('PROTOCOL_'),
    source=_ssl,
)

# OP_* bit flags (combinable, hence IntFlag).
_IntFlag._convert(
    'Options',
    __name__,
    lambda name: name.startswith('OP_'),
    source=_ssl,
)

# TLS alert descriptions.
_IntEnum._convert(
    'AlertDescription',
    __name__,
    lambda name: name.startswith('ALERT_DESCRIPTION_'),
    source=_ssl,
)

# SSL_ERROR_* codes.
_IntEnum._convert(
    'SSLErrorNumber',
    __name__,
    lambda name: name.startswith('SSL_ERROR_'),
    source=_ssl,
)

# VERIFY_* bit flags (combinable, hence IntFlag).
_IntFlag._convert(
    'VerifyFlags',
    __name__,
    lambda name: name.startswith('VERIFY_'),
    source=_ssl,
)

# CERT_NONE / CERT_OPTIONAL / CERT_REQUIRED.
_IntEnum._convert(
    'VerifyMode',
    __name__,
    lambda name: name.startswith('CERT_'),
    source=_ssl,
)


# The historical name is kept as a plain alias of PROTOCOL_TLS, both as a
# module global and as an attribute of the enum class.
PROTOCOL_SSLv23 = _SSLMethod.PROTOCOL_TLS
_SSLMethod.PROTOCOL_SSLv23 = PROTOCOL_SSLv23

# Reverse lookup: protocol member -> its name.
_PROTOCOL_NAMES = {
    member: label for label, member in _SSLMethod.__members__.items()
}

# None when the enum has no PROTOCOL_SSLv2 member, i.e. when _ssl did not
# export that constant.
_SSLv2_IF_EXISTS = getattr(_SSLMethod, 'PROTOCOL_SSLv2', None)
if sys.platform == "win32":
from _ssl import enum_certificates, enum_crls
from socket import socket, AF_INET, SOCK_STREAM, create_connection
from socket import SOL_SOCKET, SO_TYPE
import base64 # for DER-to-PEM translation
import errno
import warnings
# Alias kept so that the public name stays available in this module.
socket_error = OSError

# Channel binding types this build can provide; empty when the _ssl
# extension reports no tls-unique support.
CHANNEL_BINDING_TYPES = ['tls-unique'] if _ssl.HAS_TLS_UNIQUE else []


# Cipher string for server-side use; here it is the same object as the
# default cipher string imported from _ssl.
_RESTRICTED_SERVER_CIPHERS = _DEFAULT_CIPHERS
class CertificateError(ValueError):
    """Raised when a certificate does not match the expected host name.

    It subclasses ValueError, so an ``except ValueError`` handler around
    match_hostname() also catches a failed host name check; handlers that
    need to tell the two apart should catch this class first.
    """
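def _dnsname_match(dn, hostname, max_wildcards=1):
    """Return True if the certificate DNS name *dn* matches *hostname*.

    Matching follows RFC 6125, section 6.4.3
    (http://tools.ietf.org/html/rfc6125#section-6.4.3):

    * the comparison is case-insensitive;
    * ``*`` is treated as a wildcard only in the left-most label and never
      matches a dot, so ``*.example.com`` matches ``www.example.com`` but
      neither ``a.b.example.com`` nor ``example.com``;
    * a ``*`` in any other label is compared literally;
    * a partial wildcard such as ``www*`` is honoured in the left-most
      label, unless that label or *hostname* starts with ``xn--``, in
      which case the label is compared literally.

    An empty *dn* never matches. CertificateError is raised when the
    left-most label contains more than *max_wildcards* ``*`` characters.

    Every return path yields a bool; the wildcard path used to return the
    regular-expression match object (or None) instead.
    """
    if not dn:
        return False

    leftmost, *remainder = dn.split('.')

    wildcards = leftmost.count('*')
    if wildcards > max_wildcards:
        # Issue #17980: avoid denials of service by refusing more
        # than one wildcard per fragment. A survey of established
        # policy among SSL implementations showed it to be a
        # reasonable choice.
        raise CertificateError(
            "too many wildcards in certificate DNS name: " + repr(dn))

    # Common case: no wildcard in the left-most label, so a plain
    # case-insensitive comparison of the whole name is enough.
    if not wildcards:
        return dn.lower() == hostname.lower()

    # RFC 6125, section 6.4.3, subitem 1.
    # The client SHOULD NOT attempt to match a presented identifier in which
    # the wildcard character comprises a label other than the left-most label.
    if leftmost == '*':
        # A lone '*' stands for exactly one non-empty, dot-free label.
        first = '[^.]+'
    elif leftmost.startswith('xn--') or hostname.startswith('xn--'):
        # RFC 6125, section 6.4.3, subitem 3.
        # The client SHOULD NOT attempt to match a presented identifier
        # where the wildcard character is embedded within an A-label or
        # U-label of an internationalized domain name.
        first = re.escape(leftmost)
    else:
        # Otherwise, '*' matches any dotless string, e.g. www*
        first = re.escape(leftmost).replace(r'\*', '[^.]*')

    # The remaining labels are always literal; wildcards in them are ignored.
    pats = [first]
    pats.extend(re.escape(frag) for frag in remainder)

    pat = re.compile(r'\A' + r'\.'.join(pats) + r'\Z', re.IGNORECASE)
    return pat.match(hostname) is not None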
def _ipaddress_match(ipname, host_ip):
    """Tell whether certificate IP entry *ipname* equals *host_ip*.

    *ipname* is the textual address taken from the certificate and
    *host_ip* is compared against it after parsing, so the check is an
    exact address comparison rather than a string comparison.

    RFC 6125 leaves IP matching undefined (section 1.7.2, "Out of Scope").
    """
    # A subjectAltName IP value from OpenSSL may end in a newline; strip
    # trailing whitespace before parsing.
    cert_ip = ipaddress.ip_address(ipname.rstrip())
    return cert_ip == host_ip
def match_hostname(cert, hostname):
    """Check that *cert* is valid for *hostname*.

    *cert* is a decoded certificate as returned by
    SSLSocket.getpeercert(). *hostname* may be a DNS name or an IP
    address literal:

    * an IP literal is compared only with 'IP Address' subjectAltName
      entries;
    * a DNS name is compared only with 'DNS' subjectAltName entries,
      following RFC 2818 and RFC 6125.

    The subject commonName is consulted only when the certificate has
    neither a 'DNS' nor an 'IP Address' subjectAltName entry. In that
    fallback the commonName is matched with the DNS rules whatever the
    form of *hostname*.

    Returns None on success and raises CertificateError on a mismatch.
    ValueError is raised when *cert* is empty, which is what an
    unverified connection yields.
    """
    if not cert:
        raise ValueError("empty or no certificate, match_hostname needs a "
                         "SSL socket or SSL context with either "
                         "CERT_OPTIONAL or CERT_REQUIRED")
    try:
        host_ip = ipaddress.ip_address(hostname)
    except ValueError:
        # Not an IP address (common case)
        host_ip = None
    wants_ip = host_ip is not None

    # Every name that was looked at; used for the error message and to
    # decide whether the commonName fallback applies.
    seen = []
    for kind, entry in cert.get('subjectAltName', ()):
        if kind == 'DNS':
            if not wants_ip and _dnsname_match(entry, hostname):
                return
        elif kind == 'IP Address':
            if wants_ip and _ipaddress_match(entry, host_ip):
                return
        else:
            # other subjectAltName types are not considered
            continue
        seen.append(entry)

    if not seen:
        # No usable subjectAltName entry: fall back to the subject.
        for rdn in cert.get('subject', ()):
            for kind, entry in rdn:
                # XXX according to RFC 2818, the most specific Common Name
                # must be used.
                if kind != 'commonName':
                    continue
                if _dnsname_match(entry, hostname):
                    return
                seen.append(entry)

    if not seen:
        raise CertificateError("no appropriate commonName or "
                               "subjectAltName fields were found")
    if len(seen) == 1:
        raise CertificateError("hostname %r "
                               "doesn't match %r"
                               % (hostname, seen[0]))
    raise CertificateError("hostname %r "
                           "doesn't match either of %s"
                           % (hostname, ', '.join(map(repr, seen))))
# Result record of get_default_verify_paths(): the two resolved locations
# followed by the four raw values reported by the _ssl extension.
DefaultVerifyPaths = namedtuple(
    "DefaultVerifyPaths",
    "cafile capath openssl_cafile_env openssl_cafile openssl_capath_env "
    "openssl_capath")


def get_default_verify_paths():
    """Return the default CA file and CA directory as a DefaultVerifyPaths.

    The first two fields are the locations that will actually be used, or
    None when the file / directory does not exist. The remaining fields
    are the values returned by _ssl.get_default_verify_paths(), unchanged.

    Security note: the environment variables named in the
    ``openssl_cafile_env`` and ``openssl_capath_env`` fields override the
    built-in locations, so whoever controls the process environment
    chooses the trust anchors that default verification relies on.
    """
    defaults = _ssl.get_default_verify_paths()

    # An environment variable, when set, shadows the built-in path.
    cafile = os.environ.get(defaults[0], defaults[1])
    capath = os.environ.get(defaults[2], defaults[3])

    # Report only locations that are really present on disk.
    if not os.path.isfile(cafile):
        cafile = None
    if not os.path.isdir(capath):
        capath = None
    return DefaultVerifyPaths(cafile, capath, *defaults)
class _ASN1Object(namedtuple("_ASN1Object", "nid shortname longname oid")):
    """ASN.1 object identifier record (nid, shortname, longname, oid).

    The plain constructor looks the object up by dotted OID only; use
    fromname() or fromnid() for the other lookup keys.
    """
    __slots__ = ()

    def __new__(cls, oid):
        # name=False: *oid* is passed to the lookup as an OID string only.
        fields = _txt2obj(oid, name=False)
        return super().__new__(cls, *fields)

    @classmethod
    def fromnid(cls, nid):
        """Build an _ASN1Object from an OpenSSL numeric ID."""
        fields = _nid2obj(nid)
        return super().__new__(cls, *fields)

    @classmethod
    def fromname(cls, name):
        """Build an _ASN1Object from a short name, long name or OID."""
        # name=True: the lookup also accepts short and long names.
        fields = _txt2obj(name, name=True)
        return super().__new__(cls, *fields)
class Purpose(_ASN1Object, _Enum):
    """What an SSLContext is going to be used for.

    Each member is the X509v3 Extended Key Usage object for that use,
    given by its OID and resolved through _ASN1Object.
    """
    # Authenticating a server, i.e. the context is used on the client
    # side of a connection.
    SERVER_AUTH = '1.3.6.1.5.5.7.3.1'
    # Authenticating a client, i.e. the context is used on the server
    # side of a connection.
    CLIENT_AUTH = '1.3.6.1.5.5.7.3.2'
class SSLContext(_SSLContext):
    """Holder for SSL-related configuration and data, such as options,
    certificates and possibly a private key.

    Security note: nothing in this class switches on peer verification.
    create_default_context() sets verify_mode and check_hostname itself,
    so code that builds a context by hand has to configure both before
    wrapping a client socket.
    """

    __slots__ = ('protocol', '__weakref__')
    # Windows system stores read by load_default_certs().
    _windows_cert_stores = ("CA", "ROOT")

    def __new__(cls, protocol=PROTOCOL_TLS, *args, **kwargs):
        # Only *protocol* reaches the C constructor; any further
        # positional or keyword arguments are accepted and ignored here.
        return _SSLContext.__new__(cls, protocol)

    def __init__(self, protocol=PROTOCOL_TLS):
        # Remember which protocol selector the context was created with.
        self.protocol = protocol

    def wrap_socket(self, sock, server_side=False,
                    do_handshake_on_connect=True,
                    suppress_ragged_eofs=True,
                    server_hostname=None, session=None):
        """Return an SSLSocket around *sock* that is bound to this context.

        All arguments are forwarded unchanged to the SSLSocket constructor.
        """
        return SSLSocket(
            sock=sock,
            server_side=server_side,
            do_handshake_on_connect=do_handshake_on_connect,
            suppress_ragged_eofs=suppress_ragged_eofs,
            server_hostname=server_hostname,
            _context=self,
            _session=session,
        )

    def wrap_bio(self, incoming, outgoing, server_side=False,
                 server_hostname=None, session=None):
        """Return an SSLObject that reads from and writes to the two BIOs."""
        raw = self._wrap_bio(incoming, outgoing, server_side=server_side,
                             server_hostname=server_hostname)
        return SSLObject(raw, session=session)

    def set_npn_protocols(self, npn_protocols):
        """Set the NPN protocol names offered by this context.

        Each name is encoded as ASCII and must be 1 to 255 bytes long;
        SSLError is raised otherwise.
        """
        # Wire format: each name preceded by its length in one byte.
        wire = bytearray()
        for name in npn_protocols:
            encoded = bytes(name, 'ascii')
            if not 1 <= len(encoded) <= 255:
                raise SSLError('NPN protocols must be 1 to 255 in length')
            wire.append(len(encoded))
            wire.extend(encoded)

        self._set_npn_protocols(wire)

    def set_alpn_protocols(self, alpn_protocols):
        """Set the ALPN protocol names offered by this context.

        Each name is encoded as ASCII and must be 1 to 255 bytes long;
        SSLError is raised otherwise.
        """
        # Wire format: each name preceded by its length in one byte.
        wire = bytearray()
        for name in alpn_protocols:
            encoded = bytes(name, 'ascii')
            if not 1 <= len(encoded) <= 255:
                raise SSLError('ALPN protocols must be 1 to 255 in length')
            wire.append(len(encoded))
            wire.extend(encoded)

        self._set_alpn_protocols(wire)

    def _load_windows_store_certs(self, storename, purpose):
        """Load the certificates of one Windows store that are trusted
        for *purpose* and return them as a bytearray.

        If the store cannot be enumerated (PermissionError) a warning is
        issued and whatever was collected so far is used, so the store
        may contribute nothing.
        """
        collected = bytearray()
        try:
            for der, encoding, trust in enum_certificates(storename):
                # CA certs are never PKCS#7 encoded
                if encoding != "x509_asn":
                    continue
                # trust is either True (any purpose) or a collection of
                # the purpose OIDs the certificate is trusted for.
                if trust is True or purpose.oid in trust:
                    collected.extend(der)
        except PermissionError:
            warnings.warn("unable to enumerate Windows certificate store")
        if collected:
            self.load_verify_locations(cadata=collected)
        return collected

    def load_default_certs(self, purpose=Purpose.SERVER_AUTH):
        """Load the platform's default CA certificates for *purpose*.

        Raises TypeError when *purpose* is not an _ASN1Object.
        """
        if not isinstance(purpose, _ASN1Object):
            raise TypeError(purpose)
        if sys.platform == "win32":
            for store in self._windows_cert_stores:
                self._load_windows_store_certs(store, purpose)
        self.set_default_verify_paths()

    @property
    def options(self):
        """The context's option bits as an Options flag value."""
        return Options(super().options)

    @options.setter
    def options(self, value):
        # Delegate to the descriptor defined on the C base class.
        super(SSLContext, SSLContext).options.__set__(self, value)

    @property
    def verify_flags(self):
        """The context's verification flags as a VerifyFlags value."""
        return VerifyFlags(super().verify_flags)

    @verify_flags.setter
    def verify_flags(self, value):
        # Delegate to the descriptor defined on the C base class.
        super(SSLContext, SSLContext).verify_flags.__set__(self, value)

    @property
    def verify_mode(self):
        """The certificate requirement as a VerifyMode member.

        The raw value is returned when it is not a known member.
        """
        raw = super().verify_mode
        try:
            return VerifyMode(raw)
        except ValueError:
            return raw

    @verify_mode.setter
    def verify_mode(self, value):
        # Delegate to the descriptor defined on the C base class.
        super(SSLContext, SSLContext).verify_mode.__set__(self, value)
def create_default_context(purpose=Purpose.SERVER_AUTH, *, cafile=None,
                           capath=None, cadata=None):
    """Build an SSLContext with the module's default settings.

    With the default purpose, Purpose.SERVER_AUTH (client-side use), the
    context requires and validates the peer certificate and checks the
    host name. For any other purpose verify_mode and check_hostname are
    left as SSLContext created them, so a server that wants client
    certificates has to set verify_mode itself.

    Trust anchors come from *cafile* / *capath* / *cadata* when any of
    them is given; otherwise, if certificates are going to be verified,
    the system defaults for *purpose* are loaded.

    NOTE: The protocol and settings may change anytime without prior
    deprecation. The values represent a fair balance between maximum
    compatibility and security.

    Raises TypeError when *purpose* is not an _ASN1Object.
    """
    if not isinstance(purpose, _ASN1Object):
        raise TypeError(purpose)

    # SSLContext already sets OP_NO_SSLv2, OP_NO_SSLv3, OP_NO_COMPRESSION,
    # OP_CIPHER_SERVER_PREFERENCE, OP_SINGLE_DH_USE and OP_SINGLE_ECDH_USE
    # by default.
    ctx = SSLContext(PROTOCOL_TLS)

    if purpose == Purpose.SERVER_AUTH:
        # Client mode: verify the certificate and the host name.
        ctx.verify_mode = CERT_REQUIRED
        ctx.check_hostname = True

    explicit_trust = cafile or capath or cadata
    if explicit_trust:
        ctx.load_verify_locations(cafile, capath, cadata)
    elif ctx.verify_mode != CERT_NONE:
        # No explicit cafile, capath or cadata, but the verify mode is
        # CERT_OPTIONAL or CERT_REQUIRED: try the system root CA
        # certificates for the given purpose. This may fail silently.
        ctx.load_default_certs(purpose)
    return ctx
def _create_unverified_context(protocol=PROTOCOL_TLS, *, cert_reqs=CERT_NONE,
check_hostname=False, purpose=Purpose.SERVER_AUTH,
certfile=None, keyfile=None,
cafile=None, capath=None, cadata=None):
"""Create a SSLContext object for Python stdlib modules
All Python stdlib modules shall use this function to create SSLContext
objects in order to keep common settings in one place. The configuration
is less restrict than create_default_context()'s to increase backward
compatibility.
"""
if not isinstance(purpose, _ASN1Object):
raise TypeError(purpose)
# SSLContext sets OP_NO_SSLv2, OP_NO_SSLv3, OP_NO_COMPRESSION,
# OP_CIPHER_SERVER_PREFERENCE, OP_SINGLE_DH_USE and OP_SINGLE_ECDH_USE
# by default.
context = SSLContext(protocol)
if not check_hostname:
context.check_hostname = False
if cert_reqs is not None:
context.verify_mode = cert_reqs
if check_hostname:
context.check_hostname = True