Add support for SSL context and SNI #92
Conversation
I've rebased this on the latest
How can we move this forward? Is more work or review needed? SNI is the greatest!
Just spotted a small unexpected behaviour: tls_insecure_set() does not work when using tls_set_context() with an ssl.create_default_context(). This is caused by SSLContext.check_hostname, which already performs the match_hostname during the handshake. This flag is set on an SSLContext produced by create_default_context(). Note: when using tls_set() and tls_insecure_set() it works, since in this case the SSLContext is created using ssl.SSLContext() and not create_default_context(). I think either tls_insecure_set() should update the check_hostname flag on the SSL context, or a note should be added to the documentation that tls_insecure_set should not be used with tls_set_context. Steps to reproduce:
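The interaction described in the comment above, shown as an added example that is not code from this PR or from paho: `tls_insecure_set` here is a hypothetical helper written for this illustration, not paho's own function. It shows that a `create_default_context()` context has `check_hostname` enabled, that clearing only `verify_mode` on such a context is rejected by CPython with a ValueError, that `check_hostname` must be cleared first, and that a context with `check_hostname` set refuses to wrap a socket without `server_hostname` before any network I/O happens (which is why an unconnected socket is enough to observe it offline).

```python
import socket
import ssl


def tls_insecure_set(ctx, insecure):
    """Hypothetical helper (not paho's tls_insecure_set): switch `ctx` between
    full verification and no verification at all.

    Order matters. CPython refuses `verify_mode = CERT_NONE` while
    check_hostname is still True, so check_hostname is cleared first. When
    re-enabling, verify_mode is restored explicitly (CPython would otherwise
    promote it to CERT_REQUIRED itself when check_hostname becomes True).
    """
    if insecure:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    else:
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.check_hostname = True
    return ctx


def naive_insecure_set(ctx):
    """The behaviour described in the thread: only verify_mode is touched.
    Returns the ValueError CPython raises when check_hostname is still
    enabled (as on a create_default_context() context), else None."""
    try:
        ctx.verify_mode = ssl.CERT_NONE
    except ValueError as exc:
        return exc
    return None


def wrap_needs_server_hostname(ctx):
    """True if `ctx` refuses to wrap a socket without server_hostname.

    The check runs before any handshake, so an unconnected socket is enough
    to observe it; it is the same ValueError a wrap_socket() fallback sees
    on a context whose check_hostname is True.
    """
    sock = socket.socket()
    try:
        try:
            wrapped = ctx.wrap_socket(sock)
        except ValueError:
            return True
        wrapped.close()
        return False
    finally:
        sock.close()


def verification_state(ctx):
    """Summarise the settings the thread is about for a given context."""
    return {
        "check_hostname": ctx.check_hostname,
        "verify_mode": ctx.verify_mode.name,
        "wrap_needs_server_hostname": wrap_needs_server_hostname(ctx),
    }


def demo():
    """Walk create_default_context() contexts through the cases from the
    thread and return what was observed at each step."""
    default_state = verification_state(ssl.create_default_context())
    naive_error = naive_insecure_set(ssl.create_default_context())
    insecure = tls_insecure_set(ssl.create_default_context(), True)
    insecure_state = verification_state(insecure)
    restored_state = verification_state(tls_insecure_set(insecure, False))
    return {
        "default": default_state,
        "naive_error": type(naive_error).__name__ if naive_error else None,
        "insecure": insecure_state,
        "restored": restored_state,
    }


if __name__ == "__main__":
    for step, observed in demo().items():
        print(step, observed)
```

Disabling `check_hostname` together with `verify_mode` is what makes "insecure" actually mean no verification; leaving `check_hostname` on while attempting `CERT_NONE` does not silently weaken anything, it simply fails, which is the symptom reported above.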
@PierreF , that makes sense. I think it's just a matter of re-arranging some of the logic. I'll look at it in more detail later.
OK. So I think it's pretty complicated to get all of the logic completely consistent. I'm going to open an issue to propose removing SSL support in Python versions that don't include SSLContext (i.e. require Python 2.7.9+ or Python 3.2+). It would remove quite a lot of branches and make the intended behaviour clearer.
That sounds fine.
Implement SNI support, if available (#11)
Signed-off-by: James Myatt <james@jamesmyatt.co.uk>
@PierreF , your issue should be fixed now. Note that you must call

```python
try:
    # Try with server_hostname, even it's not supported in certain scenarios
    sock = self._ssl_context.wrap_socket(sock, server_hostname=self._host)
except ValueError:
```
ssl.CertificateError gets caught by the `except ValueError`. Which means that if certificate validation failed (and server_hostname is supported) we will try to re-wrap the socket (which fails).
We probably should add an `except ssl.CertificateError: raise` just before.
:( Thanks for checking this out!
Should be fixed now.
Looking at the ssl package docs, ssl.CertificateError should be the only error raised by the ssl code that isn't derived from OSError.
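The control-flow problem raised in the review above, as an added example that is not code from this PR or from paho. `FakeContext` is a constructed stand-in for `SSLContext.wrap_socket` (no real TLS handshake takes place) so that both failure modes can be exercised offline: a `wrap_socket()` that rejects `server_hostname` with ValueError, and a handshake whose certificate check fails with `ssl.CertificateError`. `wrap_as_reviewed` mirrors the fallback as it appeared in the reviewed diff, `wrap_fixed` applies the suggested re-raise, and the host name `broker.example` is an assumption.

```python
import ssl

# ssl.CertificateError derives from ValueError (in Python 3.7+ it is an alias of
# SSLCertVerificationError, which derives from both SSLError and ValueError).
CERTIFICATE_ERROR_IS_VALUE_ERROR = issubclass(ssl.CertificateError, ValueError)


class FakeContext:
    """Constructed stand-in for SSLContext.wrap_socket, no real handshake.

    supports_sni=False mimics an ssl module whose wrap_socket() rejects
    server_hostname with ValueError; cert_ok=False mimics a handshake whose
    certificate/hostname check fails, reported as ssl.CertificateError.
    """

    def __init__(self, supports_sni=True, cert_ok=True):
        self.supports_sni = supports_sni
        self.cert_ok = cert_ok
        self.calls = []  # server_hostname value of every wrap attempt

    def wrap_socket(self, sock, server_hostname=None):
        self.calls.append(server_hostname)
        if server_hostname is not None and not self.supports_sni:
            raise ValueError(
                "server_hostname is not supported by your OpenSSL library")
        if not self.cert_ok:
            raise ssl.CertificateError("hostname mismatch (constructed)")
        return ("wrapped", server_hostname)


def wrap_as_reviewed(ctx, sock, host):
    """Fallback as it stood in the reviewed diff. Because CertificateError is
    a ValueError, a failed verification also lands in the except branch and
    a second wrap attempt without SNI is made."""
    try:
        return ctx.wrap_socket(sock, server_hostname=host)
    except ValueError:
        return ctx.wrap_socket(sock)


def wrap_fixed(ctx, sock, host):
    """The fix suggested in review: re-raise verification failures before the
    generic ValueError branch, so only the missing-SNI case falls back."""
    try:
        return ctx.wrap_socket(sock, server_hostname=host)
    except ssl.CertificateError:
        raise
    except ValueError:
        return ctx.wrap_socket(sock)


def run(wrapper, ctx, host="broker.example"):
    """Return (result, list of wrap attempts); a verification failure that
    escapes the wrapper is reported as the string "CertificateError"."""
    try:
        result = wrapper(ctx, object(), host)
    except ssl.CertificateError:
        result = "CertificateError"
    return result, list(ctx.calls)


if __name__ == "__main__":
    for name, wrapper in (("reviewed", wrap_as_reviewed), ("fixed", wrap_fixed)):
        print(name, "no SNI:", run(wrapper, FakeContext(supports_sni=False)))
        print(name, "bad cert:", run(wrapper, FakeContext(cert_ok=False)))
```

The attempt list is the evidence: with a failing certificate the reviewed version wraps twice (`["broker.example", None]`) before failing, while the fixed version stops after the first attempt and surfaces the verification error to the caller instead of retrying a handshake that has already failed.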
When can we get the SNI support released with the paho.mqtt.python pkg? We need this feature to support client-side certificates in our connections to IoT Platform.
@Lokesh-K-Haralakatta , it might be better to ask on the Paho-dev mailing list: https://dev.eclipse.org/mailman/listinfo/paho-dev
Use SSLContext objects, if available, since this provides more options and features including SNI (#11). Also allows the default system context from ssl.create_default_context() to be used, improves encapsulation and supports dependency injection.

Update: Removed support for SSL without SSLContext (#115)