101 # server_hostname is unique to SSLContext.wrap_socket and is used |
101 # server_hostname is unique to SSLContext.wrap_socket and is used |
102 # for SNI in that context. So there's nothing for us to do with it |
102 # for SNI in that context. So there's nothing for us to do with it |
103 # in this legacy code since we don't support SNI. |
103 # in this legacy code since we don't support SNI. |
104 |
104 |
105 args = { |
105 args = { |
106 r'keyfile': self._keyfile, |
106 'keyfile': self._keyfile, |
107 r'certfile': self._certfile, |
107 'certfile': self._certfile, |
108 r'server_side': server_side, |
108 'server_side': server_side, |
109 r'cert_reqs': self.verify_mode, |
109 'cert_reqs': self.verify_mode, |
110 r'ssl_version': self.protocol, |
110 'ssl_version': self.protocol, |
111 r'ca_certs': self._cacerts, |
111 'ca_certs': self._cacerts, |
112 r'ciphers': self._ciphers, |
112 'ciphers': self._ciphers, |
113 } |
113 } |
114 |
114 |
115 return ssl.wrap_socket(socket, **args) |
115 return ssl.wrap_socket(socket, **args) |
116 |
116 |
117 |
117 |
497 # This error occurs when the client and server don't share a |
497 # This error occurs when the client and server don't share a |
498 # common/supported SSL/TLS protocol. We've disabled SSLv2 and SSLv3 |
498 # common/supported SSL/TLS protocol. We've disabled SSLv2 and SSLv3 |
499 # outright. Hopefully the reason for this error is that we require |
499 # outright. Hopefully the reason for this error is that we require |
500 # TLS 1.1+ and the server only supports TLS 1.0. Whatever the |
500 # TLS 1.1+ and the server only supports TLS 1.0. Whatever the |
501 # reason, try to emit an actionable warning. |
501 # reason, try to emit an actionable warning. |
502 if e.reason == r'UNSUPPORTED_PROTOCOL': |
502 if e.reason == 'UNSUPPORTED_PROTOCOL': |
503 # We attempted TLS 1.0+. |
503 # We attempted TLS 1.0+. |
504 if settings[b'protocolui'] == b'tls1.0': |
504 if settings[b'protocolui'] == b'tls1.0': |
505 # We support more than just TLS 1.0+. If this happens, |
505 # We support more than just TLS 1.0+. If this happens, |
506 # the likely scenario is either the client or the server |
506 # the likely scenario is either the client or the server |
507 # is really old. (e.g. server doesn't support TLS 1.0+ or |
507 # is really old. (e.g. server doesn't support TLS 1.0+ or |
735 ''' |
733 ''' |
736 if not cert: |
734 if not cert: |
737 return _(b'no certificate received') |
735 return _(b'no certificate received') |
738 |
736 |
739 dnsnames = [] |
737 dnsnames = [] |
740 san = cert.get(r'subjectAltName', []) |
738 san = cert.get('subjectAltName', []) |
741 for key, value in san: |
739 for key, value in san: |
742 if key == r'DNS': |
740 if key == 'DNS': |
743 try: |
741 try: |
744 if _dnsnamematch(value, hostname): |
742 if _dnsnamematch(value, hostname): |
745 return |
743 return |
746 except wildcarderror as e: |
744 except wildcarderror as e: |
747 return stringutil.forcebytestr(e.args[0]) |
745 return stringutil.forcebytestr(e.args[0]) |
748 |
746 |
749 dnsnames.append(value) |
747 dnsnames.append(value) |
750 |
748 |
751 if not dnsnames: |
749 if not dnsnames: |
752 # The subject is only checked when there is no DNS in subjectAltName. |
750 # The subject is only checked when there is no DNS in subjectAltName. |
753 for sub in cert.get(r'subject', []): |
751 for sub in cert.get('subject', []): |
754 for key, value in sub: |
752 for key, value in sub: |
755 # According to RFC 2818 the most specific Common Name must |
753 # According to RFC 2818 the most specific Common Name must |
756 # be used. |
754 # be used. |
757 if key == r'commonName': |
755 if key == 'commonName': |
758 # 'subject' entries are unicode. |
756 # 'subject' entries are unicode. |
759 try: |
757 try: |
760 value = value.encode('ascii') |
758 value = value.encode('ascii') |
761 except UnicodeEncodeError: |
759 except UnicodeEncodeError: |
762 return _(b'IDN in certificate not supported') |
760 return _(b'IDN in certificate not supported') |