hub / github.com/urllib3/urllib3 / _ssl_wrap_socket_and_match_hostname

Function _ssl_wrap_socket_and_match_hostname

src/urllib3/connection.py:901–1023

Logic for constructing an SSLContext from all TLS parameters, passing that down into ssl_wrap_socket, and then doing certificate verification either via hostname or fingerprint. This function exists to guarantee that both proxies and targets have the same behavior when connecting via TLS.

(
    sock: socket.socket,
    *,
    cert_reqs: None | str | int,
    ssl_version: None | str | int,
    ssl_minimum_version: int | None,
    ssl_maximum_version: int | None,
    cert_file: str | None,
    key_file: str | None,
    key_password: str | None,
    ca_certs: str | None,
    ca_cert_dir: str | None,
    ca_cert_data: None | str | bytes,
    assert_hostname: None | str | typing.Literal[False],
    assert_fingerprint: str | None,
    server_hostname: str | None,
    ssl_context: ssl.SSLContext | None,
    tls_in_tls: bool = False,
)

Source from the content-addressed store, hash-verified

def _ssl_wrap_socket_and_match_hostname(
    sock: socket.socket,
    *,
    cert_reqs: None | str | int,
    ssl_version: None | str | int,
    ssl_minimum_version: int | None,
    ssl_maximum_version: int | None,
    cert_file: str | None,
    key_file: str | None,
    key_password: str | None,
    ca_certs: str | None,
    ca_cert_dir: str | None,
    ca_cert_data: None | str | bytes,
    assert_hostname: None | str | typing.Literal[False],
    assert_fingerprint: str | None,
    server_hostname: str | None,
    ssl_context: ssl.SSLContext | None,
    tls_in_tls: bool = False,
) -> _WrappedAndVerifiedSocket:
    """Logic for constructing an SSLContext from all TLS parameters, passing
    that down into ssl_wrap_socket, and then doing certificate verification
    either via hostname or fingerprint. This function exists to guarantee
    that both proxies and targets have the same behavior when connecting via TLS.
    """
    default_ssl_context = False
    if ssl_context is None:
        default_ssl_context = True
        context = create_urllib3_context(
            ssl_version=resolve_ssl_version(ssl_version),
            ssl_minimum_version=ssl_minimum_version,
            ssl_maximum_version=ssl_maximum_version,
            cert_reqs=resolve_cert_reqs(cert_reqs),
        )
    else:
        context = ssl_context

    context.verify_mode = resolve_cert_reqs(cert_reqs)

    # In some cases, we want to verify hostnames ourselves
    if (
        # `ssl` can't verify fingerprints or alternate hostnames
        assert_fingerprint
        or assert_hostname
        # assert_hostname can be set to False to disable hostname checking
        or assert_hostname is False
        # We still support OpenSSL 1.0.2, which prevents us from verifying
        # hostnames easily: https://github.com/pyca/pyopenssl/pull/933
        or ssl_.IS_PYOPENSSL
        or not ssl_.HAS_NEVER_CHECK_COMMON_NAME
    ):
        context.check_hostname = False

    # Try to load OS default certs if none are given. We need to do the hasattr() check
    # for custom pyOpenSSL SSLContext objects because they don't support
    # load_default_certs().
    if (
        not ca_certs
        and not ca_cert_dir
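
The listing sets context.check_hostname = False whenever assert_fingerprint is given, so in that mode the pin comparison is what binds the connection to the expected certificate. The sketch below is an added example of such a check, not urllib3's own code: the names check_fingerprint, is_pinned and FingerprintMismatch are hypothetical, the sample "certificates" are constructed byte strings, and choosing the digest from the pin's length (SHA-256 and stronger only) is an assumption of this example.

```python
from __future__ import annotations

import hashlib
import hmac

# Digest is inferred from the hex length of the pin (assumption of this example;
# MD5- and SHA-1-sized pins are deliberately rejected).
_DIGESTS = {64: hashlib.sha256, 96: hashlib.sha384, 128: hashlib.sha512}


class FingerprintMismatch(Exception):
    """Raised when the peer certificate does not match the pinned digest."""


def normalize_fingerprint(pin: str) -> bytes:
    """Accept 'AA:BB:..' or 'aabb..' and return the raw digest bytes."""
    cleaned = pin.replace(":", "").replace(" ", "").lower()
    if len(cleaned) not in _DIGESTS:
        raise ValueError(f"unsupported fingerprint length: {len(cleaned)} hex chars")
    return bytes.fromhex(cleaned)


def check_fingerprint(der_cert: bytes | None, pin: str) -> None:
    """Compare the digest of the DER-encoded peer certificate with the pin."""
    if not der_cert:
        # SSLSocket.getpeercert(binary_form=True) is None when no cert was sent.
        raise FingerprintMismatch("peer presented no certificate")
    expected = normalize_fingerprint(pin)
    actual = _DIGESTS[len(expected) * 2](der_cert).digest()
    # Constant-time comparison so timing does not reveal how many bytes matched.
    if not hmac.compare_digest(actual, expected):
        raise FingerprintMismatch(f"expected {expected.hex()}, got {actual.hex()}")


def is_pinned(der_cert: bytes | None, pin: str) -> bool:
    """Boolean wrapper: True only if the certificate matches the pin."""
    try:
        check_fingerprint(der_cert, pin)
        return True
    except FingerprintMismatch:
        return False


# Constructed stand-ins for DER certificates (not real certificates).
GOOD_CERT = b"constructed-der-bytes-for-example-server"
OTHER_CERT = b"constructed-der-bytes-for-some-other-server"
PIN = ":".join(f"{b:02X}" for b in hashlib.sha256(GOOD_CERT).digest())

if __name__ == "__main__":
    print(is_pinned(GOOD_CERT, PIN), is_pinned(OTHER_CERT, PIN), is_pinned(None, PIN))
```

A pin covers one exact certificate, so it has to be rotated together with the server certificate.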

Callers 2

connect · Method · 0.85
_connect_tls_proxy · Method · 0.85

Calls 9

create_urllib3_context · Function · 0.85
resolve_ssl_version · Function · 0.85
resolve_cert_reqs · Function · 0.85
is_ipaddress · Function · 0.85
ssl_wrap_socket · Function · 0.85
_match_hostname · Function · 0.85
getpeercert · Method · 0.45
close · Method · 0.45

Tested by

no test coverage detected