Logic for constructing an SSLContext from all TLS parameters, passing it down into ssl_wrap_socket, and then performing certificate verification either by hostname or by fingerprint. This function exists to guarantee that proxies and targets behave identically when connecting via TLS.
(
sock: socket.socket,
*,
cert_reqs: None | str | int,
ssl_version: None | str | int,
ssl_minimum_version: int | None,
ssl_maximum_version: int | None,
cert_file: str | None,
key_file: str | None,
key_password: str | None,
ca_certs: str | None,
ca_cert_dir: str | None,
ca_cert_data: None | str | bytes,
assert_hostname: None | str | typing.Literal[False],
assert_fingerprint: str | None,
server_hostname: str | None,
ssl_context: ssl.SSLContext | None,
tls_in_tls: bool = False,
)
| 899 | |
| 900 | |
| 901 | def _ssl_wrap_socket_and_match_hostname( |
| 902 | sock: socket.socket, |
| 903 | *, |
| 904 | cert_reqs: None | str | int, |
| 905 | ssl_version: None | str | int, |
| 906 | ssl_minimum_version: int | None, |
| 907 | ssl_maximum_version: int | None, |
| 908 | cert_file: str | None, |
| 909 | key_file: str | None, |
| 910 | key_password: str | None, |
| 911 | ca_certs: str | None, |
| 912 | ca_cert_dir: str | None, |
| 913 | ca_cert_data: None | str | bytes, |
| 914 | assert_hostname: None | str | typing.Literal[False], |
| 915 | assert_fingerprint: str | None, |
| 916 | server_hostname: str | None, |
| 917 | ssl_context: ssl.SSLContext | None, |
| 918 | tls_in_tls: bool = False, |
| 919 | ) -> _WrappedAndVerifiedSocket: |
| 920 | """Logic for constructing an SSLContext from all TLS parameters, passing |
| 921 | that down into ssl_wrap_socket, and then doing certificate verification |
| 922 | either via hostname or fingerprint. This function exists to guarantee |
| 923 | that both proxies and targets have the same behavior when connecting via TLS. |
| 924 | """ |
| 925 | default_ssl_context = False |
| 926 | if ssl_context is None: |
| 927 | default_ssl_context = True |
| 928 | context = create_urllib3_context( |
| 929 | ssl_version=resolve_ssl_version(ssl_version), |
| 930 | ssl_minimum_version=ssl_minimum_version, |
| 931 | ssl_maximum_version=ssl_maximum_version, |
| 932 | cert_reqs=resolve_cert_reqs(cert_reqs), |
| 933 | ) |
| 934 | else: |
| 935 | context = ssl_context |
| 936 | |
| 937 | context.verify_mode = resolve_cert_reqs(cert_reqs) |
| 938 | |
| 939 | # In some cases, we want to verify hostnames ourselves |
| 940 | if ( |
| 941 | # `ssl` can't verify fingerprints or alternate hostnames |
| 942 | assert_fingerprint |
| 943 | or assert_hostname |
| 944 | # assert_hostname can be set to False to disable hostname checking |
| 945 | or assert_hostname is False |
| 946 | # We still support OpenSSL 1.0.2, which prevents us from verifying |
| 947 | # hostnames easily: https://github.com/pyca/pyopenssl/pull/933 |
| 948 | or ssl_.IS_PYOPENSSL |
| 949 | or not ssl_.HAS_NEVER_CHECK_COMMON_NAME |
| 950 | ): |
| 951 | context.check_hostname = False |
| 952 | |
| 953 | # Try to load OS default certs if none are given. We need to do the hasattr() check |
| 954 | # for custom pyOpenSSL SSLContext objects because they don't support |
| 955 | # load_default_certs(). |
| 956 | if ( |
| 957 | not ca_certs |
| 958 | and not ca_cert_dir |