add timeout parameter for get_server_certificate in ssl.py

[nixawk]

BPO	31870
Nosy	@tiran, @alex, @dstufft, @nixawk, @ZackerySpytz, @miss-islington
PRs	bpo-31870: add timeout parameter for get_server_certificate in ssl.py #4126 bpo-31870: Add a timeout parameter to ssl.get_server_certificate() #22270 bpo-31870: Fix test_get_server_certificate_timeout on Windows (GH-25570) #25570
Files	ssl.py: Added timeout support for func get_server_certificate in ssl module.

^{Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.}

Show more details

GitHub fields:

assignee = 'https://github.com/tiran'
closed_at = <Date 2021-04-24.04:57:49.322>
created_at = <Date 2017-10-26.04:11:25.449>
labels = ['expert-SSL', 'type-feature', '3.10']
title = 'add timeout parameter for get_server_certificate in ssl.py'
updated_at = <Date 2021-04-24.05:54:11.227>
user = 'https://github.com/Nixawk'

bugs.python.org fields:

activity = <Date 2021-04-24.05:54:11.227>
actor = 'christian.heimes'
assignee = 'christian.heimes'
closed = True
closed_date = <Date 2021-04-24.04:57:49.322>
closer = 'christian.heimes'
components = ['SSL']
creation = <Date 2017-10-26.04:11:25.449>
creator = 'Nixawk'
dependencies = []
files = ['47238']
hgrepos = []
issue_num = 31870
keywords = ['patch']
message_count = 4.0
messages = ['305021', '312879', '391758', '391760']
nosy_count = 7.0
nosy_names = ['janssen', 'christian.heimes', 'alex', 'dstufft', 'Nixawk', 'ZackerySpytz', 'miss-islington']
pr_nums = ['4126', '22270', '25570']
priority = 'normal'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'enhancement'
url = 'https://bugs.python.org/issue31870'
versions = ['Python 3.10']

[nixawk]

The original get_server_certificate in ssl.py does not support socket timeout,

def get_server_certificate(addr, ssl_version=PROTOCOL_TLS, ca_certs=None):
    """Retrieve the certificate from the server at the specified address,
    and return it as a PEM-encoded string.
    If 'ca_certs' is specified, validate the server cert against it.
    If 'ssl_version' is specified, use it in the connection attempt."""

host, port = addr
if ca_certs is not None:
    cert_reqs = CERT_REQUIRED
else:
    cert_reqs = CERT_NONE
context = _create_stdlib_context(ssl_version,
                                 cert_reqs=cert_reqs,
                                 cafile=ca_certs)
with  create_connection(addr) as sock:
    with context.wrap_socket(sock) as sslsock:
        dercert = sslsock.getpeercert(True)
return DER_cert_to_PEM_cert(dercert)

If a timeout parameter, a sample demo can be here:

>>> import ssl
>>> ssl.get_server_certificate(("www.qq.com", 443), timeout=6)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/ssl.py", line 1017, in get_server_certificate
    with closing(create_connection(addr, timeout)) as sock:
  File "/usr/lib/python2.7/socket.py", line 575, in create_connection
    raise err
socket.error: [Errno 101] Network is unreachable

[tiran]

It's too late to land a new feature in 3.7.

[miss-islington]

New changeset b2fac1a by Zackery Spytz in branch 'master':
bpo-31870: Add a timeout parameter to ssl.get_server_certificate() (GH-22270)
b2fac1a

[tiran]

New changeset f05c2ae by Christian Heimes in branch 'master':
bpo-31870: Fix test_get_server_certificate_timeout on Windows (GH-25570)
f05c2ae