control: tags -1 patch On 2018-09-25 03:04:49 [+0200], Witold Baryluk wrote: > Now it takes few minutes on any command, and then errors out: > Cleaning older backups > Traceback (innermost last): … > SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed > (_ssl.c:726)
It looks like missing SNI support. Could you please try whether the attached patch works? It is completely untested; it just looks like it might work… Sebastian
>From 978e87c8f0dfb93c26814b5e5806d2f2332db164 Mon Sep 17 00:00:00 2001
From: Sebastian Andrzej Siewior <sebast...@breakpoint.cc>
Date: Sat, 29 Sep 2018 21:47:11 +0200
Subject: [PATCH] boto: try to add SNI support
Signed-off-by: Sebastian Andrzej Siewior <sebast...@breakpoint.cc>
---
 boto/connection.py | 18 +++++++++---------
 boto/https_connection.py | 21 ++++++++++-----------
diff --git a/boto/connection.py b/boto/connection.py
index 2fef44872ffa7..b86c0cdec58e1 100644
--- a/boto/connection.py
+++ b/boto/connection.py
@@ -821,23 +821,23 @@ DEFAULT_CA_CERTS_FILE = os.path.join(os.path.dirname(os.path.abspath(boto.cacert
  h = http_client.HTTPConnection(host)
 
  if self.https_validate_certificates and HAVE_HTTPS_CONNECTION:
+ context = ssl.create_default_context()
+ context.verify_mode = ssl.CERT_REQUIRED
+ context.check_hostname = True
+
  msg = "wrapping ssl socket for proxied connection; "
  if self.ca_certificates_file:
  msg += "CA certificate file=%s" % self.ca_certificates_file
+ context.load_verify_locations(cafile=self.ca_certificates_file)
  else:
  msg += "using system provided SSL certs"
+ context.load_default_certs()
  boto.log.debug(msg)
  key_file = self.http_connection_kwargs.get('key_file', None)
  cert_file = self.http_connection_kwargs.get('cert_file', None)
- sslSock = ssl.wrap_socket(sock, keyfile=key_file,
- certfile=cert_file,
- cert_reqs=ssl.CERT_REQUIRED,
- ca_certs=self.ca_certificates_file)
- cert = sslSock.getpeercert()
- hostname = self.host.split(':', 0)[0]
- if not https_connection.ValidateCertificateHostname(cert, hostname):
- raise https_connection.InvalidCertificateException(
- hostname, cert, 'hostname mismatch')
+ context.load_cert_chain(certfile=cert_file, keyfile=key_file)
+
+ sslSock = context.wrap_socket(sock, server_hostname=host)
  else:
  # Fallback for old Python without ssl.wrap_socket
  if hasattr(http_client, 'ssl'):
diff --git a/boto/https_connection.py b/boto/https_connection.py
index ddc31a152292e..949956178cea0 100644
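Review bot: `context.load_cert_chain(certfile=cert_file, keyfile=key_file)` runs unconditionally, but `cert_file` comes from `.get('cert_file', None)` two lines above and `SSLContext.load_cert_chain` raises `TypeError` on a `None` certfile, so every proxied HTTPS connection that has no client certificate configured now fails before the handshake even starts; guard it with `if cert_file:`, and the same unconditional call appears in the boto/https_connection.py hunk with `self.cert_file`. The trust store also changes meaning in this hunk: `ssl.create_default_context()` has already loaded the system CAs when `load_verify_locations(cafile=self.ca_certificates_file)` adds the configured file, so a CA file that the removed `ca_certs=` argument made the only trusted root is now trusted alongside every system CA, and `context.load_default_certs()` in the else branch is a second load of what the default context already holds. `context = ssl.create_default_context(cafile=self.ca_certificates_file)` keeps the old semantics (it loads the default store only when cafile is None) and makes the explicit `verify_mode`, `check_hostname` and both `load_*` lines redundant. `server_hostname=host` presumably passes the same `host:port` string that `http_client.HTTPConnection(host)` accepts on the hunk's first line, and the removed lines deliberately validated against `self.host` instead; if so, both SNI and the hostname check carry the port suffix and every connection would fail hostname matching, so confirm against the start of proxy_ssl, which lies outside the hunk, and pass the bare hostname.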
--- a/boto/https_connection.py
+++ b/boto/https_connection.py
@@ -119,20 +119,19 @@ from boto.compat import six, http_client
  sock = socket.create_connection((self.host, self.port), self.timeout)
  else:
  sock = socket.create_connection((self.host, self.port))
+
+ context = ssl.create_default_context()
+ context.verify_mode = ssl.CERT_REQUIRED
+ context.check_hostname = True
+ context.load_cert_chain(certfile=self.cert_file, keyfile=self.key_file)
+
  msg = "wrapping ssl socket; "
  if self.ca_certs:
  msg += "CA certificate file=%s" % self.ca_certs
+ context.load_verify_locations(cafile=self.ca_certs)
  else:
  msg += "using system provided SSL certs"
+ context.load_default_certs()
  boto.log.debug(msg)
- self.sock = ssl.wrap_socket(sock, keyfile=self.key_file,
- certfile=self.cert_file,
- cert_reqs=ssl.CERT_REQUIRED,
- ca_certs=self.ca_certs)
- cert = self.sock.getpeercert()
- hostname = self.host.split(':', 0)[0]
- if not ValidateCertificateHostname(cert, hostname):
- raise InvalidCertificateException(hostname,
- cert,
- 'remote hostname "%s" does not match '
- 'certificate' % hostname)
+
+ self.sock = context.wrap_socket(sock, server_hostname=self.host)
-- 2.19.0
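Review bot: A hostname mismatch now surfaces from `context.wrap_socket(sock, server_hostname=self.host)` as `ssl.CertificateError` (an `SSLError` on recent Pythons, a `ValueError` on older ones), not as the `InvalidCertificateException` the removed lines raised, so any caller that catches the boto exception silently stops handling that case; either re-raise it in connect() — `except ssl.CertificateError as e: raise InvalidCertificateException(self.host, None, str(e))` — or document the new exception in connect()'s docstring. The removed lines were also the only use of `ValidateCertificateHostname` visible in this hunk; if nothing else in the file calls it, it should be removed or carry a comment saying why it stays. `ssl.create_default_context` only exists from Python 2.7.9/3.4, and unlike the connection.py hunk nothing here is behind a `HAVE_HTTPS_CONNECTION`-style guard, so on an older interpreter the new connect() raises `AttributeError` where `ssl.wrap_socket` used to work — a version note or a fallback seems warranted, given the `boto.compat` import in the hunk header suggests the file still targets Python 2. connect()'s definition starts before the hunk.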