python TSSLSocket improvements, including certificate validation
----------------------------------------------------------------
Key: THRIFT-1100
URL: https://issues.apache.org/jira/browse/THRIFT-1100
Project: Thrift
Issue Type: Improvement
Components: Python - Library
Reporter: Will Pierce
Assignee: Will Pierce
The python TSSLSocket.py module has TSSLSocket and TSSLServerSocket for
outbound and inbound SSL connection wrapping.

This ticket is for a patch that makes several improvements:
* adds Apache license at top of file
* for outbound sockets, SSL certificate validation is now performed by default
** but may be disabled with validate=False in the constructor
** instructs python's ssl library to perform CERT_REQUIRED validation of the
certificate
** also checks to make sure the certificate's {{commonName}} matches the
hostname we tried to connect to
** raises TTransportExceptions when the certificate fails validation - tested
using Google's www.gmail.com (doesn't match) versus mail.google.com (matched
cert commonName)
** puts a copy of the peer certificate in self.peercert, regardless of
validation status
** sets a public boolean self.is_valid member variable to indicate whether the
certificate was validated or not
* adds a configurable server certificate file, as a constructor argument
{{certfile}}
** allows runtime changing of server cert with setCertfile() on the server,
that changes the certfile used in subsequent ssl_wrap() calls
** exposes a class-level variable SSL_PROTOCOL to let the user select
ssl.PROTOCOL_TLSv1 or other versions of SSL, instead of hard-coding TLSv1.
Defaults to TLSv1 though.
* removes unnecessary sys.path modification
* adds lots of docstrings
In a somewhat unrelated change, this patch changes two lines in TSocket.py
where self.handle is compared to None using {{!=}} instead of: {{is not}}.
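
The hostname check described above, as an added example that is not the patch's own code. It goes beyond the ticket's commonName comparison by preferring subjectAltName DNS entries and accepting a left-most wildcard label; `CertificateMismatch`, `check_peer_name`, `client_context` and `SAMPLE_CERT` are names assumed for illustration.

```python
import ssl


class CertificateMismatch(Exception):
    """Hypothetical stand-in for the TTransportException the ticket describes."""


def _name_matches(pattern, hostname):
    """Case-insensitive match; '*' is allowed only as the whole left-most label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*" and len(p_labels) > 2:
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def check_peer_name(peercert, hostname):
    """Validate a getpeercert()-style dict against the host we dialled.

    subjectAltName DNS entries take precedence; commonName is the fallback.
    Returns the matched name, raises CertificateMismatch otherwise.
    """
    if not peercert:  # getpeercert() is empty when no validation was done
        raise CertificateMismatch("no validated peer certificate")
    names = [v for k, v in peercert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in peercert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    for name in names:
        if _name_matches(name, hostname):
            return name
    raise CertificateMismatch(
        "certificate names %r do not match host %r" % (names, hostname))


def client_context():
    """Context with CERT_REQUIRED and hostname checking, the stdlib defaults."""
    return ssl.create_default_context()


# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "mail.google.com"),)),
}

if __name__ == "__main__":
    print(check_peer_name(SAMPLE_CERT, "mail.google.com"))
```

Current Python versions perform this name check inside the TLS handshake when the context has `check_hostname` enabled, so a manual comparison like this is only needed where that option is unavailable or turned off.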