MCPcopy Index your code
hub / github.com/mongodb/mongo-python-driver / get_ssl_context

Function get_ssl_context

pymongo/ssl_support.py:83–131  ·  view source on GitHub ↗

Create and return an SSLContext object.

(
        certfile: Optional[str],
        passphrase: Optional[str],
        ca_certs: Optional[str],
        crlfile: Optional[str],
        allow_invalid_certificates: bool,
        allow_invalid_hostnames: bool,
        disable_ocsp_endpoint_check: bool,
        is_sync: bool,
    )

Source from the content-addressed store, hash-verified

81 return _ssl.HAS_SNI
82
83 def get_ssl_context(
84 certfile: Optional[str],
85 passphrase: Optional[str],
86 ca_certs: Optional[str],
87 crlfile: Optional[str],
88 allow_invalid_certificates: bool,
89 allow_invalid_hostnames: bool,
90 disable_ocsp_endpoint_check: bool,
91 is_sync: bool,
92 ) -> Union[_pyssl.SSLContext, _ssl.SSLContext]: # type: ignore[name-defined]
93 """Create and return an SSLContext object."""
94 if is_sync and HAVE_PYSSL:
95 ssl: types.ModuleType = _pyssl
96 else:
97 ssl = _ssl
98 verify_mode = CERT_NONE if allow_invalid_certificates else CERT_REQUIRED
99 ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
100 if verify_mode != CERT_NONE:
101 ctx.check_hostname = not allow_invalid_hostnames
102 else:
103 ctx.check_hostname = False
104 if hasattr(ctx, "check_ocsp_endpoint"):
105 ctx.check_ocsp_endpoint = not disable_ocsp_endpoint_check
106 if hasattr(ctx, "options"):
107 # Explicitly disable SSLv2, SSLv3 and TLS compression. Note that
108 # up to date versions of MongoDB 2.4 and above already disable
109 # SSLv2 and SSLv3, python disables SSLv2 by default in >= 2.7.7
110 # and >= 3.3.4 and SSLv3 in >= 3.4.3.
111 ctx.options |= ssl.OP_NO_SSLv2
112 ctx.options |= ssl.OP_NO_SSLv3
113 ctx.options |= ssl.OP_NO_COMPRESSION
114 ctx.options |= ssl.OP_NO_RENEGOTIATION
115 if certfile is not None:
116 try:
117 ctx.load_cert_chain(certfile, None, passphrase)
118 except ssl.SSLError as exc:
119 raise ConfigurationError(f"Private key doesn't match certificate: {exc}") from None
120 if crlfile is not None:
121 if ssl.IS_PYOPENSSL:
122 raise ConfigurationError("tlsCRLFile cannot be used with PyOpenSSL")
123 # Match the server's behavior.
124 ctx.verify_flags = getattr(ssl, "VERIFY_CRL_CHECK_LEAF", 0)
125 ctx.load_verify_locations(crlfile)
126 if ca_certs is not None:
127 ctx.load_verify_locations(ca_certs)
128 elif verify_mode != CERT_NONE:
129 ctx.load_default_certs()
130 ctx.verify_mode = verify_mode
131 return ctx
132
133else:
134

Callers 12

check_ocspFunction · 0.90
test_certifi_supportMethod · 0.90
test_wincertstoreMethod · 0.90
test_certifi_supportMethod · 0.90
test_wincertstoreMethod · 0.90
_parse_ssl_optionsFunction · 0.90
kms_requestMethod · 0.90
kms_requestMethod · 0.90

Calls 4

load_cert_chainMethod · 0.95
load_verify_locationsMethod · 0.95
load_default_certsMethod · 0.95
ConfigurationErrorClass · 0.90