[ https://issues.apache.org/jira/browse/THRIFT-1100?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Bryan Duxbury closed THRIFT-1100.
---------------------------------

    Resolution: Fixed
    Fix Version/s: 0.7

I just committed this patch. Thanks Will!

> python TSSLSocket improvements, including certificate validation
> ----------------------------------------------------------------
>
>                 Key: THRIFT-1100
>                 URL: https://issues.apache.org/jira/browse/THRIFT-1100
>             Project: Thrift
>          Issue Type: Improvement
>          Components: Python - Library
>            Reporter: Will Pierce
>            Assignee: Will Pierce
>             Fix For: 0.7
>
>         Attachments: THRIFT-1100.python_ssl_enhance_and_cert_validate.patch
>
>
> The python TSSLSocket.py module has TSSLSocket and TSSLServerSocket for
> outbound and inbound SSL connection wrapping.
> This ticket is for a patch that makes several improvements:
> * adds Apache license at top of file
> * for outbound sockets, SSL certificate validation is now performed by default
> ** but may be disabled with validate=False in the constructor
> ** instructs python's ssl library to perform CERT_REQUIRED validation of the
> certificate
> ** also checks to make sure the certificate's {{commonName}} matches the
> hostname we tried to connect to
> ** raises TTransportExceptions when the certificate fails validation - tested
> using google's www.gmail.com (doesn't match) versus mail.google.com (matched
> cert commonName)
> ** puts a copy of the peer certificate in self.peercert, regardless of
> validation status
> ** sets a public boolean self.is_valid member variable to indicate whether
> the certificate was validated or not
> * adds a configurable server certificate file, as a constructor argument
> {{certfile}}
> ** allows runtime changing of server cert with setCertfile() on the server,
> that changes the certfile used in subsequent ssl_wrap() calls
> ** exposes a class-level variable SSL_PROTOCOL to let the user select
> ssl.PROTOCOL_TLSv1 or other versions of SSL, instead of hard-coding TLSv1.
> Defaults to TLSv1 though.
> * removes unnecessary sys.path modification
> * adds lots of docstrings
> In a somewhat unrelated change, this patch changes two lines in TSocket.py
> where self.handle is compared to None using {{!=}} instead of: {{is not}}.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
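The validation flow the ticket describes (CERT_REQUIRED chain check by the ssl module, then an exact commonName-against-hostname comparison that raises on mismatch), as an added example that is not the Thrift patch's own code. It reads the certificate in the dict shape `ssl.SSLSocket.getpeercert()` returns, so the commonName check can be exercised offline against a constructed certificate; the `open_validated_socket` helper name is hypothetical and uses the modern `ssl.SSLContext` API rather than whatever call the 2011 patch used.

```python
import socket
import ssl

# Constructed peer-certificate dict in the shape getpeercert() returns:
# "subject" is a tuple of RDNs, each RDN a tuple of (key, value) pairs.
CONSTRUCTED_PEERCERT = {
    "subject": ((("organizationName", "Example Org"),),
                (("commonName", "mail.google.com"),)),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}


def cert_common_names(peercert):
    """Collect every commonName found in the certificate subject."""
    return [value
            for rdn in peercert.get("subject", ())
            for key, value in rdn
            if key == "commonName"]


def cert_matches_host(peercert, hostname):
    """Exact, case-insensitive commonName == hostname check (no wildcards)."""
    wanted = hostname.lower()
    return any(cn.lower() == wanted for cn in cert_common_names(peercert))


def open_validated_socket(host, port, ca_certs, validate=True):
    """Connect, require a CA-signed cert, then apply the commonName check.

    Returns (tls_socket, peercert, is_valid). With validate=False nothing
    is checked; getpeercert() then returns {} on current Python, so there
    is no certificate content to inspect. Hypothetical helper, not Thrift's.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False            # the CN comparison is done below
    if validate:
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.load_verify_locations(cafile=ca_certs)
    else:
        ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((host, port))
    tls = ctx.wrap_socket(raw, server_hostname=host)
    peercert = tls.getpeercert() or {}
    is_valid = validate and cert_matches_host(peercert, host)
    if validate and not is_valid:
        tls.close()
        raise ssl.CertificateError(
            "certificate commonName %r does not match host %r"
            % (cert_common_names(peercert), host))
    return tls, peercert, is_valid
```

Modern ssl already does this matching (including subjectAltName) when `check_hostname` is left enabled; the helper disables it only to show the ticket's commonName-only logic explicitly.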