Python ssl.VERIFY_CRL_CHECK_LEAF Examples

The following are 2 code examples that use the ssl.VERIFY_CRL_CHECK_LEAF flag. ssl.VERIFY_CRL_CHECK_LEAF is a constant, not a function: when it is set in SSLContext.verify_flags, only the peer (leaf) certificate is checked against the loaded CRLs, and intermediate CA certificates are not. You can go to the original project or source file by following the links above each example. You may also want to check out all available functions/classes of the module ssl.
Example #1
Source File: config.py    From karapace with Apache License 2.0
def create_ssl_context(config):
    """Build an ``ssl.SSLContext`` from the ``ssl_*`` entries of *config*.

    ``ssl_cafile`` and ``ssl_certfile`` are indexed directly, so a missing
    key raises ``KeyError``; ``ssl_keyfile`` is indexed only when
    ``ssl_certfile`` is truthy. ``ssl_check_hostname``, ``ssl_password``,
    ``ssl_crlfile`` and ``ssl_ciphers`` are optional.

    Security-relevant behaviour visible in this function:

    * ``verify_mode`` becomes ``CERT_REQUIRED`` only when ``ssl_cafile`` is
      set. Otherwise it stays ``CERT_OPTIONAL`` and neither a CA bundle nor
      the system defaults are loaded here.
    * Only SSLv2 and SSLv3 are switched off explicitly; which TLS versions
      remain enabled is left to the interpreter/OpenSSL defaults.
    * ``VERIFY_CRL_CHECK_LEAF`` checks revocation of the peer certificate
      only; intermediate CA certificates are not checked against the CRL.

    Raises:
        RuntimeError: ``ssl_crlfile`` is set but this Python's ``ssl``
            module has no ``VERIFY_CRL_CHECK_LEAF``.
    """
    # Borrowed from conn.py, which configures the context far more
    # thoroughly than the initial version of this helper did.
    ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)  # pylint: disable=no-member
    ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3  # pylint: disable=no-member
    ctx.verify_mode = ssl.CERT_OPTIONAL

    if config.get('ssl_check_hostname'):
        ctx.check_hostname = True

    ca_path = config['ssl_cafile']
    if ca_path:
        ctx.load_verify_locations(ca_path)
        # An explicit CA bundle upgrades verification to mandatory.
        ctx.verify_mode = ssl.CERT_REQUIRED

    # A client certificate is loaded only when both halves are configured.
    cert_path = config['ssl_certfile']
    if cert_path:
        key_path = config['ssl_keyfile']
        if key_path:
            ctx.load_cert_chain(
                certfile=cert_path,
                keyfile=key_path,
                password=config.get('ssl_password'),
            )

    crl_path = config.get('ssl_crlfile')
    if crl_path:
        if not hasattr(ssl, 'VERIFY_CRL_CHECK_LEAF'):
            raise RuntimeError('This version of Python does not support ssl_crlfile!')
        # The CRL is loaded through the same call used for CA files.
        ctx.load_verify_locations(crl_path)
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF  # pylint: disable=no-member

    cipher_spec = config.get('ssl_ciphers')
    if cipher_spec:
        ctx.set_ciphers(cipher_spec)

    return ctx
Example #2
Source File: ssl_utils.py    From ansible-kafka-admin with Apache License 2.0
def generate_ssl_context(ssl_check_hostname,
                         ssl_cafile,
                         ssl_certfile,
                         ssl_keyfile,
                         ssl_password,
                         ssl_crlfile,
                         ssl_supported_protocols,
                         ssl_ciphers):
    """
    Build the SSLContext used by the kafka client.

    Security-relevant behaviour visible in this function:

    * ``verify_mode`` becomes ``CERT_REQUIRED`` only when ``ssl_cafile`` is
      given. Without it the system default CAs are loaded and the mode
      stays ``CERT_OPTIONAL``.
    * ``ssl_supported_protocols`` can only switch off TLSv1, TLSv1.1 and
      TLSv1.2; an empty value disables nothing beyond SSLv2/SSLv3, and no
      other protocol version is filtered here.
    * ``VERIFY_CRL_CHECK_LEAF`` checks revocation of the peer certificate
      only; intermediate CA certificates are not checked against the CRL.
    * File paths are logged; ``ssl_password`` is not.

    Raises RuntimeError when ``ssl_crlfile`` is given but this Python's
    ``ssl`` module has no ``VERIFY_CRL_CHECK_LEAF``.
    """
    log.debug('Configuring default SSL Context')
    ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
    ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
    ctx.verify_mode = ssl.CERT_OPTIONAL

    if ssl_supported_protocols:
        # Every TLS version missing from the allow-list is disabled.
        disable_flags = (
            ('TLSv1', ssl.OP_NO_TLSv1),
            ('TLSv1.1', ssl.OP_NO_TLSv1_1),
            ('TLSv1.2', ssl.OP_NO_TLSv1_2),
        )
        for proto_name, flag in disable_flags:
            if proto_name not in ssl_supported_protocols:
                ctx.options |= flag

    if ssl_check_hostname:
        ctx.check_hostname = True

    if not ssl_cafile:
        log.info('Loading system default SSL CAs from %s',
                 ssl.get_default_verify_paths())
        ctx.load_default_certs()
    else:
        log.info('Loading SSL CA from %s', ssl_cafile)
        ctx.load_verify_locations(ssl_cafile)
        # An explicit CA bundle upgrades verification to mandatory.
        ctx.verify_mode = ssl.CERT_REQUIRED

    # A client certificate is loaded only when both halves are supplied.
    if ssl_certfile and ssl_keyfile:
        log.info('Loading SSL Cert from %s', ssl_certfile)
        log.info('Loading SSL Key from %s', ssl_keyfile)
        ctx.load_cert_chain(certfile=ssl_certfile,
                            keyfile=ssl_keyfile,
                            password=ssl_password)

    if ssl_crlfile:
        crl_supported = hasattr(ssl, 'VERIFY_CRL_CHECK_LEAF')
        if not crl_supported:
            raise RuntimeError(
                'This version of Python does not support ssl_crlfile!')
        log.info('Loading SSL CRL from %s', ssl_crlfile)
        # The CRL is loaded through the same call used for CA files.
        ctx.load_verify_locations(ssl_crlfile)
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF

    if ssl_ciphers:
        log.info('Setting SSL Ciphers: %s', ssl_ciphers)
        ctx.set_ciphers(ssl_ciphers)

    return ctx