|
21 | 21 | from AWSIoTPythonSDK.exception.AWSIoTExceptions import DiscoveryTimeoutException
|
22 | 22 | from AWSIoTPythonSDK.exception.AWSIoTExceptions import DiscoveryFailure
|
23 | 23 | from AWSIoTPythonSDK.core.greengrass.discovery.models import DiscoveryInfo
|
| 24 | +from AWSIoTPythonSDK.core.protocol.connection.alpn import SSLContextBuilder |
24 | 25 | import re
|
25 | 26 | import sys
|
26 | 27 | import ssl
|
@@ -249,15 +250,23 @@ def _create_ssl_connection(self, sock):
|
249 | 250 | ssl_protocol_version = ssl.PROTOCOL_SSLv23
|
250 | 251 |
|
251 | 252 | if self._port == 443:
|
252 |
| - ssl.set_alpn_protocols(['x-amzn-http-ca']) |
253 |
| - #note: ALPN is a TLS 1.2 and later feature |
254 |
| - |
255 |
| - ssl_sock = ssl.wrap_socket(sock, |
256 |
| - certfile=self._cert_path, |
257 |
| - keyfile=self._key_path, |
258 |
| - ca_certs=self._ca_path, |
259 |
| - cert_reqs=ssl.CERT_REQUIRED, |
260 |
| - ssl_version=ssl_protocol_version) |
| 253 | + ssl_context = SSLContextBuilder()\ |
| 254 | + .with_ca_certs(self._ca_path)\ |
| 255 | + .with_cert_key_pair(self._cert_path, self._key_path)\ |
| 256 | + .with_cert_reqs(ssl.CERT_REQUIRED)\ |
| 257 | + .with_check_hostname(True)\ |
| 258 | + .with_ciphers(None)\ |
| 259 | + .with_alpn_protocols(['x-amzn-http-ca'])\ |
| 260 | + .build() |
| 261 | + ssl_sock = ssl_context.wrap_socket(sock, server_hostname=self._host, do_handshake_on_connect=False) |
| 262 | + ssl_sock.do_handshake() |
| 263 | + else: |
| 264 | + ssl_sock = ssl.wrap_socket(sock, |
| 265 | + certfile=self._cert_path, |
| 266 | + keyfile=self._key_path, |
| 267 | + ca_certs=self._ca_path, |
| 268 | + cert_reqs=ssl.CERT_REQUIRED, |
| 269 | + ssl_version=ssl_protocol_version) |
261 | 270 |
|
262 | 271 | self._logger.debug("Matching host name...")
|
263 | 272 | if sys.version_info[0] < 3 or (sys.version_info[0] == 3 and sys.version_info[1] < 2):
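Review bot: The `else` branch (new lines 264–269) keeps the deprecated `ssl.wrap_socket` call with `ssl_version=ssl.PROTOCOL_SSLv23` and no hostname check during the handshake, so the two branches of `_create_ssl_connection` now differ in more than ALPN: only the port-443 connection gets `check_hostname=True` and `server_hostname=self._host` enforced by the TLS layer, while the other port relies solely on the manual match that follows the hunk. Since the builder chain already expresses everything the `else` branch needs, the context could be built once for both ports with `.with_alpn_protocols(['x-amzn-http-ca'])` applied only when `self._port == 443`, assuming the builder does not require ALPN and its fluent methods return the builder as the chain on the page suggests. `with_ciphers(None)` and the `do_handshake_on_connect=False` followed by an immediate `ssl_sock.do_handshake()` would each benefit from a short comment stating why they are set that way. The function's signature is in the hunk header and its body, including the "Matching host name..." block, continues past the hunk.
```python
def _create_ssl_connection(self, sock):
    # … unchanged: ssl_protocol_version assignment …
    ssl_context_builder = SSLContextBuilder()\
        .with_ca_certs(self._ca_path)\
        .with_cert_key_pair(self._cert_path, self._key_path)\
        .with_cert_reqs(ssl.CERT_REQUIRED)\
        .with_check_hostname(True)\
        .with_ciphers(None)
    if self._port == 443:
        # ALPN is a TLS 1.2 and later feature; only the 443 endpoint expects it
        ssl_context_builder = ssl_context_builder.with_alpn_protocols(['x-amzn-http-ca'])
    ssl_sock = ssl_context_builder.build().wrap_socket(sock, server_hostname=self._host, do_handshake_on_connect=False)
    ssl_sock.do_handshake()
    # … unchanged: manual host-name matching …
```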
|
|