Drop deprecated ssl settings (#3548)
asvetlov committed Jan 22, 2019
1 parent 479085d commit bb148e6
Showing 8 changed files with 27 additions and 236 deletions.
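--- a/CHANGES/3548.removal
+++ b/CHANGES/3548.removal
@@ -0,0 +1 @@
+Drop deprecated SSL client settings.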
22 changes: 7 additions & 15 deletions aiohttp/client.py
@@ -53,11 +53,11 @@
WSServerHandshakeError,
)
from .client_reqrep import (
SSL_ALLOWED_TYPES,
ClientRequest,
ClientResponse,
Fingerprint,
RequestInfo,
_merge_ssl_params,
)
from .client_ws import ClientWebSocketResponse
from .connector import BaseConnector, TCPConnector, UnixConnector
@@ -322,9 +322,6 @@ async def _request(
proxy: Optional[StrOrURL]=None,
proxy_auth: Optional[BasicAuth]=None,
timeout: Union[ClientTimeout, object]=sentinel,
verify_ssl: Optional[bool]=None,
fingerprint: Optional[bytes]=None,
ssl_context: Optional[SSLContext]=None,
ssl: Optional[Union[SSLContext, bool, Fingerprint]]=None,
proxy_headers: Optional[LooseHeaders]=None,
trace_request_ctx: Optional[SimpleNamespace]=None
@@ -337,7 +334,9 @@ async def _request(
if self.closed:
raise RuntimeError('Session is closed')

ssl = _merge_ssl_params(ssl, verify_ssl, ssl_context, fingerprint)
if not isinstance(ssl, SSL_ALLOWED_TYPES):
raise TypeError("ssl should be SSLContext, bool, Fingerprint, "
"or None, got {!r} instead.".format(ssl))

if data is not None and json is not None:
raise ValueError(
@@ -620,9 +619,6 @@ def ws_connect(
proxy: Optional[StrOrURL]=None,
proxy_auth: Optional[BasicAuth]=None,
ssl: Union[SSLContext, bool, None, Fingerprint]=None,
verify_ssl: Optional[bool]=None,
fingerprint: Optional[bytes]=None,
ssl_context: Optional[SSLContext]=None,
proxy_headers: Optional[LooseHeaders]=None,
compress: int=0,
max_msg_size: int=4*1024*1024) -> '_WSRequestContextManager':
@@ -642,9 +638,6 @@ def ws_connect(
proxy=proxy,
proxy_auth=proxy_auth,
ssl=ssl,
verify_ssl=verify_ssl,
fingerprint=fingerprint,
ssl_context=ssl_context,
proxy_headers=proxy_headers,
compress=compress,
max_msg_size=max_msg_size))
@@ -665,9 +658,6 @@ async def _ws_connect(
proxy: Optional[StrOrURL]=None,
proxy_auth: Optional[BasicAuth]=None,
ssl: Union[SSLContext, bool, None, Fingerprint]=None,
verify_ssl: Optional[bool]=None,
fingerprint: Optional[bytes]=None,
ssl_context: Optional[SSLContext]=None,
proxy_headers: Optional[LooseHeaders]=None,
compress: int=0,
max_msg_size: int=4*1024*1024
@@ -698,7 +688,9 @@ async def _ws_connect(
extstr = ws_ext_gen(compress=compress)
real_headers[hdrs.SEC_WEBSOCKET_EXTENSIONS] = extstr

ssl = _merge_ssl_params(ssl, verify_ssl, ssl_context, fingerprint)
if not isinstance(ssl, SSL_ALLOWED_TYPES):
raise TypeError("ssl should be SSLContext, bool, Fingerprint, "
"or None, got {!r} instead.".format(ssl))

# send request
resp = await self.request(method, url,
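Review bot: The `isinstance(ssl, SSL_ALLOWED_TYPES)` check and its TypeError message are now written out in full in both `_request` and `_ws_connect` here, and a third time in `TCPConnector.__init__` in aiohttp/connector.py. Since `ssl` is the single parameter that decides whether certificate verification is disabled (`ssl=False`), pinned (`Fingerprint`) or customised (`SSLContext`), the accepted types and the message should live in one place so the three call sites cannot drift apart. A small private helper next to `SSL_ALLOWED_TYPES` in client_reqrep.py would reduce each site to one line, e.g. `ssl = _validate_ssl(ssl)` (the name is only a suggestion). The copy in `_ws_connect` also looks redundant if the `self.request(...)` call that follows forwards `ssl` to `_request`, but that call's arguments are outside the hunk, so confirm before dropping it. Both function bodies continue outside the hunks shown.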
40 changes: 0 additions & 40 deletions aiohttp/client_reqrep.py
@@ -142,46 +142,6 @@ def check(self, transport: asyncio.Transport) -> None:
SSL_ALLOWED_TYPES = type(None)


def _merge_ssl_params(
ssl: Union['SSLContext', bool, Fingerprint, None],
verify_ssl: Optional[bool],
ssl_context: Optional['SSLContext'],
fingerprint: Optional[bytes]
) -> Union['SSLContext', bool, Fingerprint, None]:
if verify_ssl is not None and not verify_ssl:
warnings.warn("verify_ssl is deprecated, use ssl=False instead",
DeprecationWarning,
stacklevel=3)
if ssl is not None:
raise ValueError("verify_ssl, ssl_context, fingerprint and ssl "
"parameters are mutually exclusive")
else:
ssl = False
if ssl_context is not None:
warnings.warn("ssl_context is deprecated, use ssl=context instead",
DeprecationWarning,
stacklevel=3)
if ssl is not None:
raise ValueError("verify_ssl, ssl_context, fingerprint and ssl "
"parameters are mutually exclusive")
else:
ssl = ssl_context
if fingerprint is not None:
warnings.warn("fingerprint is deprecated, "
"use ssl=Fingerprint(fingerprint) instead",
DeprecationWarning,
stacklevel=3)
if ssl is not None:
raise ValueError("verify_ssl, ssl_context, fingerprint and ssl "
"parameters are mutually exclusive")
else:
ssl = Fingerprint(fingerprint)
if not isinstance(ssl, SSL_ALLOWED_TYPES):
raise TypeError("ssl should be SSLContext, bool, Fingerprint or None, "
"got {!r} instead.".format(ssl))
return ssl


@attr.s(slots=True, frozen=True)
class ConnectionKey:
# the key should contain an information about used proxy / TLS
12 changes: 6 additions & 6 deletions aiohttp/connector.py
@@ -43,7 +43,7 @@
ssl_errors,
)
from .client_proto import ResponseHandler
from .client_reqrep import ClientRequest, Fingerprint, _merge_ssl_params
from .client_reqrep import SSL_ALLOWED_TYPES, ClientRequest, Fingerprint
from .helpers import (
PY_36,
CeilTimeout,
@@ -710,11 +710,9 @@ class TCPConnector(BaseConnector):
loop - Optional event loop.
"""

def __init__(self, *, verify_ssl: bool=True,
fingerprint: Optional[bytes]=None,
def __init__(self, *,
use_dns_cache: bool=True, ttl_dns_cache: int=10,
family: int=0,
ssl_context: Optional[SSLContext]=None,
ssl: Union[None, bool, Fingerprint, SSLContext]=None,
local_addr: Optional[str]=None,
resolver: Optional[AbstractResolver]=None,
@@ -729,8 +727,10 @@ def __init__(self, *, verify_ssl: bool=True,
enable_cleanup_closed=enable_cleanup_closed,
loop=loop)

self._ssl = _merge_ssl_params(ssl, verify_ssl, ssl_context,
fingerprint)
if not isinstance(ssl, SSL_ALLOWED_TYPES):
raise TypeError("ssl should be SSLContext, bool, Fingerprint, "
"or None, got {!r} instead.".format(ssl))
self._ssl = ssl
if resolver is None:
resolver = DefaultResolver(loop=self._loop)
self._resolver = resolver
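Review bot: In `TCPConnector.__init__` the new `isinstance(ssl, SSL_ALLOWED_TYPES)` check runs only after the preceding call has completed, so an invalid `ssl` value is rejected after part of the connector has already been set up. That call ends with `loop=loop)` and appears to be the base-class constructor, though its start is outside the hunk. The check reads nothing from `self`, so it could be the first statement of `__init__`, letting a bad TLS argument fail before any connector state exists. The removed `_merge_ssl_params` call sat in the same position, so this is inherited ordering rather than a regression introduced here. The rest of `__init__` continues outside the hunk.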
117 changes: 7 additions & 110 deletions docs/client_reference.rst
@@ -240,8 +240,7 @@ The client session supports the context manager protocol for self closing.
compress=None, chunked=None, expect100=False, raise_for_status=None,\
read_until_eof=True, proxy=None, proxy_auth=None,\
timeout=sentinel, ssl=None, \
verify_ssl=None, fingerprint=None, \
ssl_context=None, proxy_headers=None)
proxy_headers=None)
:async-with:
:coroutine:

@@ -352,46 +351,8 @@ The client session supports the context manager protocol for self closing.
validation, :class:`ssl.SSLContext` for custom SSL
certificate validation.

Supersedes *verify_ssl*, *ssl_context* and
*fingerprint* parameters.

.. versionadded:: 3.0

:param bool verify_ssl: Perform SSL certificate validation for
*HTTPS* requests (enabled by default). May be disabled to
skip validation for sites with invalid certificates.

.. versionadded:: 2.3

.. deprecated:: 3.0

Use ``ssl=False``

:param bytes fingerprint: Pass the SHA256 digest of the expected
certificate in DER format to verify that the certificate the
server presents matches. Useful for `certificate pinning
<https://en.wikipedia.org/wiki/Transport_Layer_Security#Certificate_pinning>`_.

Warning: use of MD5 or SHA1 digests is insecure and removed.

.. versionadded:: 2.3

.. deprecated:: 3.0

Use ``ssl=aiohttp.Fingerprint(digest)``

:param ssl.SSLContext ssl_context: ssl context used for processing
*HTTPS* requests (optional).

*ssl_context* may be used for configuring certification
authority channel, supported SSL options etc.

.. versionadded:: 2.3

.. deprecated:: 3.0

Use ``ssl=ssl_context``

:param abc.Mapping proxy_headers: HTTP headers to send to the proxy if the
parameter proxy has been provided.

@@ -544,8 +505,7 @@ The client session supports the context manager protocol for self closing.
origin=None, \
headers=None, \
proxy=None, proxy_auth=None, ssl=None, \
verify_ssl=None, fingerprint=None, \
ssl_context=None, proxy_headers=None, \
proxy_headers=None, \
compress=0, max_msg_size=4194304)
:async-with:
:coroutine:
@@ -598,46 +558,8 @@ The client session supports the context manager protocol for self closing.
validation, :class:`ssl.SSLContext` for custom SSL
certificate validation.

Supersedes *verify_ssl*, *ssl_context* and
*fingerprint* parameters.

.. versionadded:: 3.0

:param bool verify_ssl: Perform SSL certificate validation for
*HTTPS* requests (enabled by default). May be disabled to
skip validation for sites with invalid certificates.

.. versionadded:: 2.3

.. deprecated:: 3.0

Use ``ssl=False``

:param bytes fingerprint: Pass the SHA256 digest of the expected
certificate in DER format to verify that the certificate the
server presents matches. Useful for `certificate pinning
<https://en.wikipedia.org/wiki/Transport_Layer_Security#Certificate_pinning>`_.

Note: use of MD5 or SHA1 digests is insecure and deprecated.

.. versionadded:: 2.3

.. deprecated:: 3.0

Use ``ssl=aiohttp.Fingerprint(digest)``

:param ssl.SSLContext ssl_context: ssl context used for processing
*HTTPS* requests (optional).

*ssl_context* may be used for configuring certification
authority channel, supported SSL options etc.

.. versionadded:: 2.3

.. deprecated:: 3.0

Use ``ssl=ssl_context``

:param dict proxy_headers: HTTP headers to send to the proxy if the
parameter proxy has been provided.

@@ -890,9 +812,9 @@ BaseConnector
TCPConnector
^^^^^^^^^^^^

.. class:: TCPConnector(*, ssl=None, verify_ssl=True, fingerprint=None, \
.. class:: TCPConnector(*, ssl=None, \
use_dns_cache=True, ttl_dns_cache=10, \
family=0, ssl_context=None, local_addr=None, \
family=0, local_addr=None, \
resolver=None, keepalive_timeout=sentinel, \
force_close=False, limit=100, limit_per_host=0, \
enable_cleanup_closed=False, loop=None)
@@ -914,30 +836,8 @@ TCPConnector
validation, :class:`ssl.SSLContext` for custom SSL
certificate validation.

Supersedes *verify_ssl*, *ssl_context* and
*fingerprint* parameters.

.. versionadded:: 3.0

:param bool verify_ssl: perform SSL certificate validation for
*HTTPS* requests (enabled by default). May be disabled to
skip validation for sites with invalid certificates.

.. deprecated:: 2.3

Pass *verify_ssl* to ``ClientSession.get()`` etc.

:param bytes fingerprint: pass the SHA256 digest of the expected
certificate in DER format to verify that the certificate the
server presents matches. Useful for `certificate pinning
<https://en.wikipedia.org/wiki/Transport_Layer_Security#Certificate_pinning>`_.

Note: use of MD5 or SHA1 digests is insecure and deprecated.

.. deprecated:: 2.3

Pass *verify_ssl* to ``ClientSession.get()`` etc.

:param bool use_dns_cache: use internal cache for DNS lookups, ``True``
by default.

@@ -982,12 +882,6 @@ TCPConnector
:const:`socket.AF_INET` or
:const:`socket.AF_INET6` explicitly.

:param ssl.SSLContext ssl_context: SSL context used for processing
*HTTPS* requests (optional).

*ssl_context* may be used for configuring certification
authority channel, supported SSL options etc.

:param tuple local_addr: tuple of ``(local_host, local_port)`` used to bind
socket locally if specified.

@@ -1733,6 +1627,9 @@ CookieJar

Fingerprint helper for checking SSL certificates by *SHA256* digest.

Useful for `certificate pinning
<https://en.wikipedia.org/wiki/Transport_Layer_Security#Certificate_pinning>`_.

:param bytes digest: *SHA256* digest for certificate in DER-encoded
binary form (see
:meth:`ssl.SSLSocket.getpeercert`).