Create and return an SSLContext object.
(
certfile: Optional[str],
passphrase: Optional[str],
ca_certs: Optional[str],
crlfile: Optional[str],
allow_invalid_certificates: bool,
allow_invalid_hostnames: bool,
disable_ocsp_endpoint_check: bool,
is_sync: bool,
)
| 81 | return _ssl.HAS_SNI |
| 82 | |
| 83 | def get_ssl_context( |
| 84 | certfile: Optional[str], |
| 85 | passphrase: Optional[str], |
| 86 | ca_certs: Optional[str], |
| 87 | crlfile: Optional[str], |
| 88 | allow_invalid_certificates: bool, |
| 89 | allow_invalid_hostnames: bool, |
| 90 | disable_ocsp_endpoint_check: bool, |
| 91 | is_sync: bool, |
| 92 | ) -> Union[_pyssl.SSLContext, _ssl.SSLContext]: # type: ignore[name-defined] |
| 93 | """Create and return an SSLContext object.""" |
| 94 | if is_sync and HAVE_PYSSL: |
| 95 | ssl: types.ModuleType = _pyssl |
| 96 | else: |
| 97 | ssl = _ssl |
| 98 | verify_mode = CERT_NONE if allow_invalid_certificates else CERT_REQUIRED |
| 99 | ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23) |
| 100 | if verify_mode != CERT_NONE: |
| 101 | ctx.check_hostname = not allow_invalid_hostnames |
| 102 | else: |
| 103 | ctx.check_hostname = False |
| 104 | if hasattr(ctx, "check_ocsp_endpoint"): |
| 105 | ctx.check_ocsp_endpoint = not disable_ocsp_endpoint_check |
| 106 | if hasattr(ctx, "options"): |
| 107 | # Explicitly disable SSLv2, SSLv3 and TLS compression. Note that |
| 108 | # up to date versions of MongoDB 2.4 and above already disable |
| 109 | # SSLv2 and SSLv3, python disables SSLv2 by default in >= 2.7.7 |
| 110 | # and >= 3.3.4 and SSLv3 in >= 3.4.3. |
| 111 | ctx.options |= ssl.OP_NO_SSLv2 |
| 112 | ctx.options |= ssl.OP_NO_SSLv3 |
| 113 | ctx.options |= ssl.OP_NO_COMPRESSION |
| 114 | ctx.options |= ssl.OP_NO_RENEGOTIATION |
| 115 | if certfile is not None: |
| 116 | try: |
| 117 | ctx.load_cert_chain(certfile, None, passphrase) |
| 118 | except ssl.SSLError as exc: |
| 119 | raise ConfigurationError(f"Private key doesn't match certificate: {exc}") from None |
| 120 | if crlfile is not None: |
| 121 | if ssl.IS_PYOPENSSL: |
| 122 | raise ConfigurationError("tlsCRLFile cannot be used with PyOpenSSL") |
| 123 | # Match the server's behavior. |
| 124 | ctx.verify_flags = getattr(ssl, "VERIFY_CRL_CHECK_LEAF", 0) |
| 125 | ctx.load_verify_locations(crlfile) |
| 126 | if ca_certs is not None: |
| 127 | ctx.load_verify_locations(ca_certs) |
| 128 | elif verify_mode != CERT_NONE: |
| 129 | ctx.load_default_certs() |
| 130 | ctx.verify_mode = verify_mode |
| 131 | return ctx |
| 132 | |
| 133 | else: |
| 134 |