bolkedebruin commented on a change in pull request #4006: [AIRFLOW-3164] Verify server certificate when connecting to LDAP URL: https://github.com/apache/incubator-airflow/pull/4006#discussion_r230873322
########## File path: airflow/contrib/auth/backends/ldap_auth.py ########## @@ -55,16 +55,20 @@ class LdapException(Exception): def get_ldap_connection(dn=None, password=None): - tls_configuration = None - use_ssl = False + cacert = None try: cacert = configuration.conf.get("ldap", "cacert") - tls_configuration = Tls(validate=ssl.CERT_REQUIRED, ca_certs_file=cacert) - use_ssl = True - except Exception: + except AirflowConfigException: pass - server = Server(configuration.conf.get("ldap", "uri"), use_ssl, tls_configuration) + tls_configuration = Tls(validate=ssl.CERT_REQUIRED, + version=ssl.PROTOCOL_SSLv23,

Review comment:

I probably misread the docs, but I'm not sure if you are looking at the right place either. From https://docs.python.org/2/library/ssl.html

The parameter ssl_version specifies which version of the SSL protocol to use. Typically, the server chooses a particular protocol version, and the client must adapt to the server’s choice. Most of the versions are not interoperable with the other versions. If not specified, the default is PROTOCOL_SSLv23; it provides the most compatibility with other versions.

@ashn
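Review bot: the `version=ssl.PROTOCOL_SSLv23` argument on the new `Tls(...)` call needs a one-line comment, because the constant's name reads as if it pins SSLv2/SSLv3 while the Python documentation quoted in this thread describes it as the most compatible setting and the default; state that intent next to the argument, or drop the argument if the default is what is wanted. Separately, the hunk now initialises `cacert = None`, swallows `AirflowConfigException`, and builds the `Tls` object with `validate=ssl.CERT_REQUIRED` outside the `try`, whereas the removed lines left `tls_configuration = None` and `use_ssl = False` when no `cacert` was configured. The visible lines end before showing how a `None` cacert is passed on, so the behaviour for deployments without an `[ldap] cacert` setting (which trust store is used, or whether the connection fails) should be documented alongside this change and covered by a test.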