On 12/11/2015 09:41 AM, Mike McLean wrote:
In python 2.7.9, a context option was added to
httplib.HTTPSConnection and
changed its behavior to perform certificate and hostname checks by default.
While this is definitely an improvement, we were relying on the old behavior.
This change restores that (until we can switch to proper verification).
I'm a bit surprised this hasn't come up before. I started seeing it when
I upgraded to F22.
It doesn't happen when talking with Fedora's koji (or any instance using
ssl auth) because having ssl auth configured, even for anon calls, hits
the old ssl codepath and sets up the context.
---
koji/__init__.py | 6 ++++++
koji/ssl/__init__.py | 7 +++++++
2 files changed, 13 insertions(+)
diff --git a/koji/__init__.py b/koji/__init__.py
index 2406a02..ebdd4b8 100644
--- a/koji/__init__.py
+++ b/koji/__init__.py
@@ -45,6 +45,7 @@ import shutil
import signal
import socket
import ssl.SSLCommon
+from ssl import ssl as pyssl
import struct
import tempfile
import time
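Review bot: The unconditional `from ssl import ssl as pyssl` added here defeats the `except ImportError: pass` guard the same commit adds in koji/ssl/__init__.py: on an interpreter without python's ssl module the subpackage never binds the name `ssl`, so this line raises ImportError at `import koji` time anyway and the guard only hides where the failure originates. Either drop the silent `pass` in koji/ssl/__init__.py so the failure is reported at the import that actually fails, or move the try/except to this line (`try: from ssl import ssl as pyssl` / `except ImportError: pyssl = None`) and have the 2.7.9 branch in ClientSession also check `pyssl is not None` before building the context. The import block this hunk sits in continues on both sides of the hunk.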
@@ -1614,6 +1615,11 @@ class ClientSession(object):
default_port = 443
elif scheme == 'https':
cnxOpts = {}
+ if sys.version_info[:3] >= (2, 7, 9):
+ #ctx = pyssl.SSLContext(pyssl.PROTOCOL_SSLv23)
+ ctx = pyssl._create_unverified_context()
+ # TODO - we should default to verifying where possible
+ cnxOpts['context'] = ctx
cnxClass = httplib.HTTPSConnection
default_port = 443
elif scheme == 'http':
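Review bot: `ctx = pyssl._create_unverified_context()` switches off both certificate and hostname verification for every https session that has no ssl auth configured, and it does so unconditionally, so a deployment that is happy with the 2.7.9 default has no way to keep verification on; since the `# TODO` on the next line already says verifying should be the default, the unverified context should at least be opt-in behind a session/config option (name to be chosen, e.g. a constructed `ssl_verify`-style flag) with the verifying path using `pyssl.create_default_context()`. `_create_unverified_context` is also a private, underscore-prefixed API that may change between releases; the public spelling of the same behaviour is a `pyssl.SSLContext(pyssl.PROTOCOL_SSLv23)` with `ctx.check_hostname = False` and `ctx.verify_mode = pyssl.CERT_NONE`, which would also let the commented-out `#ctx = pyssl.SSLContext(pyssl.PROTOCOL_SSLv23)` line be removed rather than left as dead code. The TODO should say what the risk is, e.g. `# TODO - verify certificates by default; an unverified context accepts any server certificate`. The version check relies on `sys` being imported in this module, which is not visible in the hunk, and the enclosing ClientSession method starts and ends outside the hunk.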
diff --git a/koji/ssl/__init__.py b/koji/ssl/__init__.py
index 180fed6..0be8717 100644
--- a/koji/ssl/__init__.py
+++ b/koji/ssl/__init__.py
@@ -1 +1,8 @@
# identify this as the ssl module
+
+# our own ssl submodule masks python's in the main lib, so we import this here
+try:
+ import ssl # python's ssl module
+except ImportError:
+ # ssl module added in 2.6
+ pass