Browse code
Allow setting SSL authentication
Aleksandr Chazov authored on 2019/07/19 07:15:18Showing 3 changed files
| ... | ... |
@@ -153,6 +153,8 @@ class Config(object): |
| 153 | 153 |
gpg_decrypt = u"%(gpg_command)s -d --verbose --no-use-agent --batch --yes --passphrase-fd %(passphrase_fd)s -o %(output_file)s %(input_file)s" |
| 154 | 154 |
use_https = True |
| 155 | 155 |
ca_certs_file = u"" |
| 156 |
+ ssl_key_file = u"" |
|
| 157 |
+ ssl_cert_file = u"" |
|
| 156 | 158 |
check_ssl_certificate = True |
| 157 | 159 |
check_ssl_hostname = True |
| 158 | 160 |
bucket_location = u"US" |
| ... | ... |
@@ -61,6 +61,19 @@ class http_connection(object): |
| 61 | 61 |
return context |
| 62 | 62 |
|
| 63 | 63 |
@staticmethod |
| 64 |
+ def _ssl_client_auth_context(certfile, keyfile, check_server_cert, cafile): |
|
| 65 |
+ context = None |
|
| 66 |
+ try: |
|
| 67 |
+ cert_reqs = ssl.CERT_REQUIRED if check_server_cert else ssl.CERT_NONE |
|
| 68 |
+ context = ssl._create_unverified_context(cafile=cafile, |
|
| 69 |
+ keyfile=keyfile, |
|
| 70 |
+ certfile=certfile, |
|
| 71 |
+ cert_reqs=cert_reqs) |
|
| 72 |
+ except AttributeError: # no ssl._create_unverified_context |
|
| 73 |
+ pass |
|
| 74 |
+ return context |
|
| 75 |
+ |
|
| 76 |
+ @staticmethod |
|
| 64 | 77 |
def _ssl_context(): |
| 65 | 78 |
if http_connection.context_set: |
| 66 | 79 |
return http_connection.context |
| ... | ... |
@@ -69,9 +82,20 @@ class http_connection(object): |
| 69 | 69 |
cafile = cfg.ca_certs_file |
| 70 | 70 |
if cafile == "": |
| 71 | 71 |
cafile = None |
| 72 |
+ certfile = cfg.ssl_cert_file |
|
| 73 |
+ if certfile == "": |
|
| 74 |
+ certfile = None |
|
| 75 |
+ keyfile = cfg.ssl_key_file |
|
| 76 |
+ if keyfile == "": |
|
| 77 |
+ keyfile = None |
|
| 78 |
+ |
|
| 72 | 79 |
debug(u"Using ca_certs_file %s", cafile) |
| 80 |
+ debug(u"Using ssl_cert_file %s", certfile) |
|
| 81 |
+ debug(u"Using ssl_key_file %s", keyfile) |
|
| 73 | 82 |
|
| 74 |
- if cfg.check_ssl_certificate: |
|
| 83 |
+ if keyfile is not None and certfile is not None: |
|
| 84 |
+ context = http_connection._ssl_client_auth_context(certfile, keyfile, cfg.check_ssl_certificate, cafile) |
|
| 85 |
+ elif cfg.check_ssl_certificate: |
|
| 75 | 86 |
context = http_connection._ssl_verified_context(cafile) |
| 76 | 87 |
else: |
| 77 | 88 |
context = http_connection._ssl_unverified_context(cafile) |
| ... | ... |
@@ -2811,6 +2811,8 @@ def main(): |
| 2811 | 2811 |
optparser.add_option( "--cache-file", dest="cache_file", action="store", default="", metavar="FILE", help="Cache FILE containing local source MD5 values") |
| 2812 | 2812 |
optparser.add_option("-q", "--quiet", dest="quiet", action="store_true", default=False, help="Silence output on stdout")
|
| 2813 | 2813 |
optparser.add_option( "--ca-certs", dest="ca_certs_file", action="store", default=None, help="Path to SSL CA certificate FILE (instead of system default)") |
| 2814 |
+ optparser.add_option( "--ssl-cert", dest="ssl_cert_file", action="store", default=None, help="Path to client SSL certificate FILE") |
|
| 2815 |
+ optparser.add_option( "--ssl-key", dest="ssl_key_file", action="store", default=None, help="Path to client SSL certificate key FILE") |
|
| 2814 | 2816 |
optparser.add_option( "--check-certificate", dest="check_ssl_certificate", action="store_true", help="Check SSL certificate validity") |
| 2815 | 2817 |
optparser.add_option( "--no-check-certificate", dest="check_ssl_certificate", action="store_false", help="Do not check SSL certificate validity") |
| 2816 | 2818 |
optparser.add_option( "--check-hostname", dest="check_ssl_hostname", action="store_true", help="Check SSL certificate hostname validity") |