mirror of
https://github.com/python/cpython
synced 2024-09-15 23:57:10 +00:00
gh-94199: Remove the ssl.wrap_socket() function (#94203)
Remove the ssl.wrap_socket() function, deprecated in Python 3.7: instead, create a ssl.SSLContext object and call its sl.SSLContext.wrap_socket() method. Any package that still uses ssl.wrap_socket() is broken and insecure. The function neither sends a SNI TLS extension nor validates server hostname. Code is subject to CWE-295 : Improper Certificate Validation.
This commit is contained in:
parent
23ee4a8067
commit
00464bbed6
|
@ -304,6 +304,15 @@ Removed
|
||||||
:pep:`451` for the rationale.
|
:pep:`451` for the rationale.
|
||||||
(Contributed by Victor Stinner in :gh:`94379`.)
|
(Contributed by Victor Stinner in :gh:`94379`.)
|
||||||
|
|
||||||
|
* Remove the :func:`ssl.wrap_socket` function, deprecated in Python 3.7:
|
||||||
|
instead, create a :class:`ssl.SSLContext` object and call its
|
||||||
|
:class:`ssl.SSLContext.wrap_socket` method. Any package that still uses
|
||||||
|
:func:`ssl.wrap_socket` is broken and insecure. The function neither sends a
|
||||||
|
SNI TLS extension nor validates server hostname. Code is subject to `CWE-295
|
||||||
|
<https://cwe.mitre.org/data/definitions/295.html>`_: Improper Certificate
|
||||||
|
Validation.
|
||||||
|
(Contributed by Victor Stinner in :gh:`94199`.)
|
||||||
|
|
||||||
|
|
||||||
Porting to Python 3.12
|
Porting to Python 3.12
|
||||||
======================
|
======================
|
||||||
|
|
30
Lib/ssl.py
30
Lib/ssl.py
|
@ -1357,36 +1357,6 @@ def version(self):
|
||||||
SSLContext.sslobject_class = SSLObject
|
SSLContext.sslobject_class = SSLObject
|
||||||
|
|
||||||
|
|
||||||
def wrap_socket(sock, keyfile=None, certfile=None,
|
|
||||||
server_side=False, cert_reqs=CERT_NONE,
|
|
||||||
ssl_version=PROTOCOL_TLS, ca_certs=None,
|
|
||||||
do_handshake_on_connect=True,
|
|
||||||
suppress_ragged_eofs=True,
|
|
||||||
ciphers=None):
|
|
||||||
warnings.warn(
|
|
||||||
"ssl.wrap_socket() is deprecated, use SSLContext.wrap_socket()",
|
|
||||||
category=DeprecationWarning,
|
|
||||||
stacklevel=2
|
|
||||||
)
|
|
||||||
if server_side and not certfile:
|
|
||||||
raise ValueError("certfile must be specified for server-side "
|
|
||||||
"operations")
|
|
||||||
if keyfile and not certfile:
|
|
||||||
raise ValueError("certfile must be specified")
|
|
||||||
context = SSLContext(ssl_version)
|
|
||||||
context.verify_mode = cert_reqs
|
|
||||||
if ca_certs:
|
|
||||||
context.load_verify_locations(ca_certs)
|
|
||||||
if certfile:
|
|
||||||
context.load_cert_chain(certfile, keyfile)
|
|
||||||
if ciphers:
|
|
||||||
context.set_ciphers(ciphers)
|
|
||||||
return context.wrap_socket(
|
|
||||||
sock=sock, server_side=server_side,
|
|
||||||
do_handshake_on_connect=do_handshake_on_connect,
|
|
||||||
suppress_ragged_eofs=suppress_ragged_eofs
|
|
||||||
)
|
|
||||||
|
|
||||||
# some utility functions
|
# some utility functions
|
||||||
|
|
||||||
def cert_time_to_seconds(cert_time):
|
def cert_time_to_seconds(cert_time):
|
||||||
|
|
|
@ -629,36 +629,6 @@ def test_openssl111_deprecations(self):
|
||||||
str(cm.warning)
|
str(cm.warning)
|
||||||
)
|
)
|
||||||
|
|
||||||
@ignore_deprecation
|
|
||||||
def test_errors_sslwrap(self):
|
|
||||||
sock = socket.socket()
|
|
||||||
self.assertRaisesRegex(ValueError,
|
|
||||||
"certfile must be specified",
|
|
||||||
ssl.wrap_socket, sock, keyfile=CERTFILE)
|
|
||||||
self.assertRaisesRegex(ValueError,
|
|
||||||
"certfile must be specified for server-side operations",
|
|
||||||
ssl.wrap_socket, sock, server_side=True)
|
|
||||||
self.assertRaisesRegex(ValueError,
|
|
||||||
"certfile must be specified for server-side operations",
|
|
||||||
ssl.wrap_socket, sock, server_side=True, certfile="")
|
|
||||||
with ssl.wrap_socket(sock, server_side=True, certfile=CERTFILE) as s:
|
|
||||||
self.assertRaisesRegex(ValueError, "can't connect in server-side mode",
|
|
||||||
s.connect, (HOST, 8080))
|
|
||||||
with self.assertRaises(OSError) as cm:
|
|
||||||
with socket.socket() as sock:
|
|
||||||
ssl.wrap_socket(sock, certfile=NONEXISTINGCERT)
|
|
||||||
self.assertEqual(cm.exception.errno, errno.ENOENT)
|
|
||||||
with self.assertRaises(OSError) as cm:
|
|
||||||
with socket.socket() as sock:
|
|
||||||
ssl.wrap_socket(sock,
|
|
||||||
certfile=CERTFILE, keyfile=NONEXISTINGCERT)
|
|
||||||
self.assertEqual(cm.exception.errno, errno.ENOENT)
|
|
||||||
with self.assertRaises(OSError) as cm:
|
|
||||||
with socket.socket() as sock:
|
|
||||||
ssl.wrap_socket(sock,
|
|
||||||
certfile=NONEXISTINGCERT, keyfile=NONEXISTINGCERT)
|
|
||||||
self.assertEqual(cm.exception.errno, errno.ENOENT)
|
|
||||||
|
|
||||||
def bad_cert_test(self, certfile):
|
def bad_cert_test(self, certfile):
|
||||||
"""Check that trying to use the given client certificate fails"""
|
"""Check that trying to use the given client certificate fails"""
|
||||||
certfile = os.path.join(os.path.dirname(__file__) or os.curdir,
|
certfile = os.path.join(os.path.dirname(__file__) or os.curdir,
|
||||||
|
|
|
@ -0,0 +1,7 @@
|
||||||
|
Remove the :func:`ssl.wrap_socket` function, deprecated in Python 3.7: instead,
|
||||||
|
create a :class:`ssl.SSLContext` object and call its
|
||||||
|
:class:`ssl.SSLContext.wrap_socket` method. Any package that still uses
|
||||||
|
:func:`ssl.wrap_socket` is broken and insecure. The function neither sends a
|
||||||
|
SNI TLS extension nor validates server hostname. Code is subject to `CWE-295
|
||||||
|
<https://cwe.mitre.org/data/definitions/295.html>`_: Improper Certificate
|
||||||
|
Validation. Patch by Victor Stinner.
|
Loading…
Reference in a new issue