Commit
Several Google servers, including storage.googleapis.com, send an invalid certificate in response to HTTPS connections which do not include Server Name Indication (SNI) in ClientHello:

    OU = "No SNI provided; please fix your client.", CN = invalid2.invalid

This can be demonstrated by running `openssl s_client -connect storage.googleapis.com:443` with and without the `-noservername` option. This causes errors in boto, such as:

    Traceback (most recent call last):
      File "./gsbototest.py", line 6, in <module>
        boto.storage_uri('bucket-name', 'gs').create_bucket()
      File "/tmp/boto/boto/storage_uri.py", line 574, in create_bucket
        storage_class)
      File "/tmp/boto/boto/gs/connection.py", line 95, in create_bucket
        data=get_utf8_value(data))
      File "/tmp/boto/boto/s3/connection.py", line 682, in make_request
        retry_handler=retry_handler
      File "/tmp/boto/boto/connection.py", line 1074, in make_request
        retry_handler=retry_handler)
      File "/tmp/boto/boto/connection.py", line 1033, in _mexe
        raise ex
    ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:727)

To fix the issue, this commit sends SNI, where possible. This requires calling wrap_socket on an SSLContext instance. The necessary SSLContext is constructed and additional SSLSocket attributes are set using the [same code as SSLSocket] to minimize potential differences introduced. The code is only called when SSLContext is available (Python 2.7.9 and later) and only when OpenSSL is compiled with SNI support.

[same code as SSLSocket]: https://github.com/python/cpython/blob/v2.7.15/Lib/ssl.py#L555-L570

Signed-off-by: Kevin Locke <kevin@kevinlocke.name>
@kevinoid It looks like this doesn't work on Python 3.7.
Found this because we tried to add Python 3.7 to Boto's list of TravisCI test environments and got the errors below:
https://travis-ci.org/boto/boto/jobs/508512525