control: tags -1 patch

On 2018-09-25 03:04:49 [+0200], Witold Baryluk wrote:
> Now it takes few minutes on any command, and then errors out:
> Cleaning older backups
> Traceback (innermost last):
…
>  SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed 
> (_ssl.c:726)

It looks like missing SNI support.
Could you please try whether the attached patch works? It is completely
untested; it just looks like it might work…

Sebastian
>From 978e87c8f0dfb93c26814b5e5806d2f2332db164 Mon Sep 17 00:00:00 2001
From: Sebastian Andrzej Siewior <sebast...@breakpoint.cc>
Date: Sat, 29 Sep 2018 21:47:11 +0200
Subject: [PATCH] boto: try to add SNI support

Signed-off-by: Sebastian Andrzej Siewior <sebast...@breakpoint.cc>
---
 boto/connection.py            |  18 +++++++++---------
 boto/https_connection.py      |  21 ++++++++++-----------

diff --git a/boto/connection.py b/boto/connection.py
index 2fef44872ffa7..b86c0cdec58e1 100644
--- a/boto/connection.py
+++ b/boto/connection.py
@@ -821,23 +821,23 @@ DEFAULT_CA_CERTS_FILE = os.path.join(os.path.dirname(os.path.abspath(boto.cacert
         h = http_client.HTTPConnection(host)
 
         if self.https_validate_certificates and HAVE_HTTPS_CONNECTION:
+            context = ssl.create_default_context()
+            context.verify_mode = ssl.CERT_REQUIRED
+            context.check_hostname = True
+
             msg = "wrapping ssl socket for proxied connection; "
             if self.ca_certificates_file:
                 msg += "CA certificate file=%s" % self.ca_certificates_file
+                context.load_verify_locations(cafile=self.ca_certificates_file)
             else:
                 msg += "using system provided SSL certs"
+                context.load_default_certs()
             boto.log.debug(msg)
             key_file = self.http_connection_kwargs.get('key_file', None)
             cert_file = self.http_connection_kwargs.get('cert_file', None)
-            sslSock = ssl.wrap_socket(sock, keyfile=key_file,
-                                      certfile=cert_file,
-                                      cert_reqs=ssl.CERT_REQUIRED,
-                                      ca_certs=self.ca_certificates_file)
-            cert = sslSock.getpeercert()
-            hostname = self.host.split(':', 0)[0]
-            if not https_connection.ValidateCertificateHostname(cert, hostname):
-                raise https_connection.InvalidCertificateException(
-                    hostname, cert, 'hostname mismatch')
+            context.load_cert_chain(certfile=cert_file, keyfile=key_file)
+
+            sslSock = context.wrap_socket(sock, server_hostname=host)
         else:
             # Fallback for old Python without ssl.wrap_socket
             if hasattr(http_client, 'ssl'):
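Review bot: `context.load_cert_chain(certfile=cert_file, keyfile=key_file)` runs even when no client certificate is configured, and `SSLContext.load_cert_chain` rejects `certfile=None` with a TypeError, whereas the removed `ssl.wrap_socket` call accepted None for both arguments; guard it with `if cert_file: context.load_cert_chain(certfile=cert_file, keyfile=key_file)`, and the same unconditional call appears in the boto/https_connection.py hunk with `self.cert_file`/`self.key_file`. Because `ssl.create_default_context()` called without `cafile` already loads the system CA store, the later `load_verify_locations(cafile=self.ca_certificates_file)` adds the configured file on top of the system store instead of replacing it as `ca_certs=` did, so a CA file configured to restrict trust to a private CA no longer does that; building the context as `context = ssl.create_default_context(cafile=self.ca_certificates_file or None)` keeps the old semantics and makes the explicit `load_default_certs()` and the `verify_mode`/`check_hostname` assignments (both already the defaults) unnecessary, again in both hunks. `server_hostname=host` uses the local `host` that is also passed to `HTTPConnection` on the hunk's first context line; if that value is the `host:port` string built for the CONNECT request (its construction is outside the hunk), the port would be sent as SNI and `check_hostname` would fail, so it should be reduced to the bare hostname first, as the removed `split(':')` attempted to do. The fallback comment in the else branch (`# Fallback for old Python without ssl.wrap_socket`) is now stale since the new branch requires `ssl.create_default_context`. The enclosing method starts and ends outside the hunk.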
diff --git a/boto/https_connection.py b/boto/https_connection.py
index ddc31a152292e..949956178cea0 100644
--- a/boto/https_connection.py
+++ b/boto/https_connection.py
@@ -119,20 +119,19 @@ from boto.compat import six, http_client
             sock = socket.create_connection((self.host, self.port), self.timeout)
         else:
             sock = socket.create_connection((self.host, self.port))
+
+        context = ssl.create_default_context()
+        context.verify_mode = ssl.CERT_REQUIRED
+        context.check_hostname = True
+        context.load_cert_chain(certfile=self.cert_file, keyfile=self.key_file)
+
         msg = "wrapping ssl socket; "
         if self.ca_certs:
             msg += "CA certificate file=%s" % self.ca_certs
+            context.load_verify_locations(cafile=self.ca_certs)
         else:
             msg += "using system provided SSL certs"
+            context.load_default_certs()
         boto.log.debug(msg)
-        self.sock = ssl.wrap_socket(sock, keyfile=self.key_file,
-                                    certfile=self.cert_file,
-                                    cert_reqs=ssl.CERT_REQUIRED,
-                                    ca_certs=self.ca_certs)
-        cert = self.sock.getpeercert()
-        hostname = self.host.split(':', 0)[0]
-        if not ValidateCertificateHostname(cert, hostname):
-            raise InvalidCertificateException(hostname,
-                                              cert,
-                                              'remote hostname "%s" does not match '
-                                              'certificate' % hostname)
+
+        self.sock = context.wrap_socket(sock, server_hostname=self.host)
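Review bot: The hostname mismatch path at the end of the hunk changes exception type silently: the removed lines raised `InvalidCertificateException(hostname, cert, ...)` with a descriptive message, while with `check_hostname = True` a mismatch now surfaces from `context.wrap_socket` as `ssl.CertificateError`, so a caller that catches `InvalidCertificateException` to handle or report a name mismatch no longer sees it (whether such callers exist is not visible here). If the old exception is part of this module's contract, wrap the call, `try: self.sock = context.wrap_socket(sock, server_hostname=self.host)` / `except ssl.CertificateError as e: raise InvalidCertificateException(self.host, None, str(e))` (the peer certificate is not available at that point, hence `None` for the second argument); otherwise a comment above the call, `# hostname verification is done by the SSLContext (check_hostname) and raises ssl.CertificateError`, records the new behaviour for readers who look for the old check. The enclosing method's signature is outside the hunk.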
-- 
2.19.0
