:pep:`451` for the rationale.
(Contributed by Victor Stinner in :gh:`94379`.)
+* Remove the :func:`ssl.wrap_socket` function, deprecated in Python 3.7:
+ instead, create a :class:`ssl.SSLContext` object and call its
+ :class:`ssl.SSLContext.wrap_socket` method. Any package that still uses
+ :func:`ssl.wrap_socket` is broken and insecure. The function neither sends a
+ SNI TLS extension nor validates server hostname. Code is subject to `CWE-295
+ <https://cwe.mitre.org/data/definitions/295.html>`_: Improper Certificate
+ Validation.
+ (Contributed by Victor Stinner in :gh:`94199`.)
+
Porting to Python 3.12
======================
SSLContext.sslobject_class = SSLObject
-def wrap_socket(sock, keyfile=None, certfile=None,
- server_side=False, cert_reqs=CERT_NONE,
- ssl_version=PROTOCOL_TLS, ca_certs=None,
- do_handshake_on_connect=True,
- suppress_ragged_eofs=True,
- ciphers=None):
- warnings.warn(
- "ssl.wrap_socket() is deprecated, use SSLContext.wrap_socket()",
- category=DeprecationWarning,
- stacklevel=2
- )
- if server_side and not certfile:
- raise ValueError("certfile must be specified for server-side "
- "operations")
- if keyfile and not certfile:
- raise ValueError("certfile must be specified")
- context = SSLContext(ssl_version)
- context.verify_mode = cert_reqs
- if ca_certs:
- context.load_verify_locations(ca_certs)
- if certfile:
- context.load_cert_chain(certfile, keyfile)
- if ciphers:
- context.set_ciphers(ciphers)
- return context.wrap_socket(
- sock=sock, server_side=server_side,
- do_handshake_on_connect=do_handshake_on_connect,
- suppress_ragged_eofs=suppress_ragged_eofs
- )
-
# some utility functions
def cert_time_to_seconds(cert_time):
str(cm.warning)
)
- @ignore_deprecation
- def test_errors_sslwrap(self):
- sock = socket.socket()
- self.assertRaisesRegex(ValueError,
- "certfile must be specified",
- ssl.wrap_socket, sock, keyfile=CERTFILE)
- self.assertRaisesRegex(ValueError,
- "certfile must be specified for server-side operations",
- ssl.wrap_socket, sock, server_side=True)
- self.assertRaisesRegex(ValueError,
- "certfile must be specified for server-side operations",
- ssl.wrap_socket, sock, server_side=True, certfile="")
- with ssl.wrap_socket(sock, server_side=True, certfile=CERTFILE) as s:
- self.assertRaisesRegex(ValueError, "can't connect in server-side mode",
- s.connect, (HOST, 8080))
- with self.assertRaises(OSError) as cm:
- with socket.socket() as sock:
- ssl.wrap_socket(sock, certfile=NONEXISTINGCERT)
- self.assertEqual(cm.exception.errno, errno.ENOENT)
- with self.assertRaises(OSError) as cm:
- with socket.socket() as sock:
- ssl.wrap_socket(sock,
- certfile=CERTFILE, keyfile=NONEXISTINGCERT)
- self.assertEqual(cm.exception.errno, errno.ENOENT)
- with self.assertRaises(OSError) as cm:
- with socket.socket() as sock:
- ssl.wrap_socket(sock,
- certfile=NONEXISTINGCERT, keyfile=NONEXISTINGCERT)
- self.assertEqual(cm.exception.errno, errno.ENOENT)
-
def bad_cert_test(self, certfile):
"""Check that trying to use the given client certificate fails"""
certfile = os.path.join(os.path.dirname(__file__) or os.curdir,
--- /dev/null
+Remove the :func:`ssl.wrap_socket` function, deprecated in Python 3.7: instead,
+create a :class:`ssl.SSLContext` object and call its
+:class:`ssl.SSLContext.wrap_socket` method. Any package that still uses
+:func:`ssl.wrap_socket` is broken and insecure. The function neither sends a
+SNI TLS extension nor validates server hostname. Code is subject to `CWE-295
+<https://cwe.mitre.org/data/definitions/295.html>`_: Improper Certificate
+Validation. Patch by Victor Stinner.
projects / thirdparty / Python / cpython.git / commitdiff
