In python 2.7.9, a context option was added to httplib.HTTPSConnection and changed its behavior to perform certificate and hostname checks by default.
While this is definitely an improvement, we were relying on the old behavior. This change restores that (until we can switch to proper verification). --- koji/__init__.py | 6 ++++++ koji/ssl/__init__.py | 7 +++++++ 2 files changed, 13 insertions(+)
diff --git a/koji/__init__.py b/koji/__init__.py
index 2406a02..ebdd4b8 100644
--- a/koji/__init__.py
+++ b/koji/__init__.py
@@ -45,6 +45,7 @@ import shutil
 import signal
 import socket
 import ssl.SSLCommon
+from ssl import ssl as pyssl
 import struct
 import tempfile
 import time
@@ -1614,6 +1615,11 @@ class ClientSession(object):
 default_port = 443
 elif scheme == 'https':
 cnxOpts = {}
+ if sys.version_info[:3] >= (2, 7, 9):
+ #ctx = pyssl.SSLContext(pyssl.PROTOCOL_SSLv23)
+ ctx = pyssl._create_unverified_context()
+ # TODO - we should default to verifying where possible
+ cnxOpts['context'] = ctx
 cnxClass = httplib.HTTPSConnection
 default_port = 443
 elif scheme == 'http':
diff --git a/koji/ssl/__init__.py b/koji/ssl/__init__.py
index 180fed6..0be8717 100644
--- a/koji/ssl/__init__.py
+++ b/koji/ssl/__init__.py
@@ -1 +1,8 @@
 # identify this as the ssl module
+
+# our own ssl submodule masks python's in the main lib, so we import this here
+try:
+ import ssl # python's ssl module
+except ImportError:
+ # ssl module added in 2.6
+ pass
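Review bot: The new `if sys.version_info[:3] >= (2, 7, 9):` branch in the ClientSession hunk keys the workaround on the interpreter version, but what it actually depends on is the presence of `pyssl._create_unverified_context`, a private underscore helper whose availability does not track the version number exactly — some distribution Pythons appear to backport PEP 476 to older 2.7 builds and would skip this branch, while any build that drops the private name would raise AttributeError here instead of falling back. `if hasattr(pyssl, '_create_unverified_context'):` states the real precondition and degrades to the old behaviour when the helper is absent. The comment on this block should also say what the context does, e.g. `# NOTE: neither certificate chain nor hostname is verified on this path; see TODO below`, because the existing TODO only records that verification is wanted, not that this line turns it off for every anonymous HTTPS session. The enclosing method of ClientSession starts and ends outside the hunk.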
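Review bot: The `except ImportError: pass` fallback in the koji/ssl/__init__.py hunk leaves the package with no `ssl` attribute, so on an interpreter where the stdlib module is missing the new `from ssl import ssl as pyssl` line in the first hunk of koji/__init__.py raises ImportError at import time and the fallback never takes effect. Binding a sentinel in the except branch, `ssl = None`, keeps both modules importable; the ClientSession branch would then need a `pyssl is not None` guard before using it. The `import ssl` statement inside the koji.ssl package presumably reaches the stdlib only because Python 2 implicit relative import finds no koji/ssl/ssl.py first (not visible here); a comment saying so, or `from __future__ import absolute_import` at the top of the file, would make the masking the new comment describes explicit rather than accidental.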
On 12/11/2015 09:41 AM, Mike McLean wrote:
In python 2.7.9, a context option was added to httplib.HTTPSConnection and changed its behavior to perform certificate and hostname checks by default.
While this is definitely an improvement, we were relying on the old behavior. This change restores that (until we can switch to proper verification).
I'm a bit surprised this hasn't come up before. I started seeing it when I upgraded to F22.
It doesn't happen when talking with Fedora's koji (or any instance using ssl auth) because having ssl auth configured, even for anon calls, hits the old ssl codepath and sets up the context.
koji/__init__.py | 6 ++++++ koji/ssl/__init__.py | 7 +++++++ 2 files changed, 13 insertions(+)
diff --git a/koji/__init__.py b/koji/__init__.py
index 2406a02..ebdd4b8 100644
--- a/koji/__init__.py
+++ b/koji/__init__.py
@@ -45,6 +45,7 @@ import shutil
 import signal
 import socket
 import ssl.SSLCommon
+from ssl import ssl as pyssl
 import struct
 import tempfile
 import time
@@ -1614,6 +1615,11 @@ class ClientSession(object):
 default_port = 443
 elif scheme == 'https':
 cnxOpts = {}
if sys.version_info[:3] >= (2, 7, 9):#ctx = pyssl.SSLContext(pyssl.PROTOCOL_SSLv23)ctx = pyssl._create_unverified_context()# TODO - we should default to verifying where possiblecnxOpts['context'] = ctx cnxClass = httplib.HTTPSConnection default_port = 443 elif scheme == 'http':diff --git a/koji/ssl/__init__.py b/koji/ssl/__init__.py index 180fed6..0be8717 100644 --- a/koji/ssl/__init__.py +++ b/koji/ssl/__init__.py @@ -1 +1,8 @@ # identify this as the ssl module
+# our own ssl submodule masks python's in the main lib, so we import this here +try:
- import ssl # python's ssl module
+except ImportError:
- # ssl module added in 2.6
- pass