python TSSLSocket improvements, including certificate validation
----------------------------------------------------------------

        Key: THRIFT-1100
        URL: https://issues.apache.org/jira/browse/THRIFT-1100
    Project: Thrift
 Issue Type: Improvement
 Components: Python - Library
   Reporter: Will Pierce
   Assignee: Will Pierce

The python TSSLSocket.py module has TSSLSocket and TSSLServerSocket for outbound and inbound SSL connection wrapping.

This ticket is for a patch that makes several improvements:
* adds Apache license at top of file
* for outbound sockets, SSL certificate validation is now performed by default
** but may be disabled with validate=False in the constructor
** instructs python's ssl library to perform CERT_REQUIRED validation of the certificate
** also checks to make sure the certificate's {{commonName}} matches the hostname we tried to connect to
** raises TTransportExceptions when the certificate fails validation - tested using google's www.gmail.com (doesn't match) versus mail.google.com (matched cert commonName)
** puts a copy of the peer certificate in self.peercert, regardless of validation status
** sets a public boolean self.is_valid member variable to indicate whether the certificate was validated or not
* adds a configurable server certificate file, as a constructor argument {{certfile}}
** allows runtime changing of server cert with setCertfile() on the server, that changes the certfile used in subsequent ssl_wrap() calls
** exposes a class-level variable SSL_PROTOCOL to let the user select ssl.PROTOCOL_TLSv1 or other versions of SSL, instead of hard-coding TLSv1. Defaults to TLSv1 though.
* removes unnecessary sys.path modification
* adds lots of docstrings

In a somewhat unrelated change, this patch changes two lines in TSocket.py where self.handle is compared to None using {{!=}} instead of: {{is not}}.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
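
The commonName check described in the ticket, sketched as an added example; this is not the patch's code. `ValidatedPeer`, `CertValidationError` (a stand-in for TTransportException) and `SAMPLE_CERT` are hypothetical names, and the certificate dict is constructed in the shape `ssl.SSLSocket.getpeercert()` returns.

```python
class CertValidationError(Exception):
    """Stand-in for Thrift's TTransportException (hypothetical name)."""


def common_names(peercert):
    """Return every commonName value from a getpeercert()-style dict."""
    names = []
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


class ValidatedPeer:
    """Tracks peercert and is_valid in the way the ticket describes."""

    def __init__(self, hostname, validate=True):
        self.hostname = hostname
        self.validate = validate
        self.peercert = None
        self.is_valid = False

    def check(self, peercert):
        # The certificate is kept regardless of validation status.
        self.peercert = peercert
        self.is_valid = False
        if not self.validate:
            return
        if not peercert:
            raise CertValidationError(
                "no certificate from peer %s" % self.hostname)
        # DNS names are case-insensitive; ignore a trailing root dot.
        wanted = self.hostname.lower().rstrip(".")
        names = common_names(peercert)
        for cn in names:
            if cn.lower().rstrip(".") == wanted:
                self.is_valid = True
                return
        raise CertValidationError(
            "hostname %r does not match commonName(s) %r"
            % (self.hostname, names))


# Constructed sample certificate, not captured from a real server.
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example Org"),),
                (("commonName", "mail.google.com"),)),
}
```

This compares commonName only, as the ticket states. On current Python versions `ssl.create_default_context()` enables both `CERT_REQUIRED` and `check_hostname`, which matches the hostname against the certificate's subjectAltName entries.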