@ -106,6 +106,33 @@ try:
except ImportError :
HAS_SSLCONTEXT = False
# Select a protocol that includes all secure tls protocols
# Exclude insecure ssl protocols if possible
# If we can't find extra tls methods, ssl.PROTOCOL_TLSv1 is sufficient
PROTOCOL = ssl . PROTOCOL_TLSv1
if not HAS_SSLCONTEXT and HAS_SSL :
try :
import ctypes , ctypes . util
except ImportError :
# python 2.4 (likely rhel5 which doesn't have tls1.1 support in its openssl)
pass
else :
libssl_name = ctypes . util . find_library ( ' ssl ' )
libssl = ctypes . CDLL ( libssl_name )
for method in ( ' TLSv1_1_method ' , ' TLSv1_2_method ' ) :
try :
libssl [ method ]
# Found something - we'll let openssl autonegotiate and hope
# the server has disabled sslv2 and 3. best we can do.
PROTOCOL = ssl . PROTOCOL_SSLv23
break
except AttributeError :
pass
del libssl
HAS_MATCH_HOSTNAME = True
try :
from ssl import match_hostname , CertificateError
@ -304,7 +331,7 @@ class CustomHTTPSConnection(httplib.HTTPSConnection):
if HAS_SSLCONTEXT :
self . sock = self . context . wrap_socket ( sock , server_hostname = self . host )
else :
self . sock = ssl . wrap_socket ( sock , keyfile = self . key_file , certfile = self . cert_file , ssl_version = ssl. PROTOCOL_TLSv1 )
self . sock = ssl . wrap_socket ( sock , keyfile = self . key_file , certfile = self . cert_file , ssl_version = PROTOCOL)
class CustomHTTPSHandler ( urllib2 . HTTPSHandler ) :
@ -514,7 +541,7 @@ class SSLValidationHandler(urllib2.BaseHandler):
if context :
ssl_s = context . wrap_socket ( s , server_hostname = proxy_parts . get ( ' hostname ' ) )
else :
ssl_s = ssl . wrap_socket ( s , ca_certs = tmp_ca_cert_path , cert_reqs = ssl . CERT_REQUIRED , ssl_version = ssl. PROTOCOL_TLSv1 )
ssl_s = ssl . wrap_socket ( s , ca_certs = tmp_ca_cert_path , cert_reqs = ssl . CERT_REQUIRED , ssl_version = PROTOCOL)
match_hostname ( ssl_s . getpeercert ( ) , self . hostname )
else :
raise ProxyError ( ' Unsupported proxy scheme: %s . Currently ansible only supports HTTP proxies. ' % proxy_parts . get ( ' scheme ' ) )
@ -523,7 +550,7 @@ class SSLValidationHandler(urllib2.BaseHandler):
if context :
ssl_s = context . wrap_socket ( s , server_hostname = self . hostname )
else :
ssl_s = ssl . wrap_socket ( s , ca_certs = tmp_ca_cert_path , cert_reqs = ssl . CERT_REQUIRED , ssl_version = ssl. PROTOCOL_TLSv1 )
ssl_s = ssl . wrap_socket ( s , ca_certs = tmp_ca_cert_path , cert_reqs = ssl . CERT_REQUIRED , ssl_version = PROTOCOL)
match_hostname ( ssl_s . getpeercert ( ) , self . hostname )
# close the ssl connection
#ssl_s.unwrap()