Stop to use deprecated method ssl.wrap_socket (celery#327)

`ssl.wrap_socket` is deprecated since python 3.7 and since python 3.2 and 2.7.9 (released in 2014) it is recommended to use the SSLContext.wrap_socket() instead of wrap_socket(). The top-level function is limited and creates an insecure client socket without server name indication or hostname matching [1]. Python 2.7 is now officially unmaintained, latest version of python 2.7 is 2.7.18, py-amqp only support python versions who are compatible with these changes [2]. These changes move away from `ssl.wrap_socket` by using now `ssl.SSLContext.wrap_socket` [3]. [1] https://docs.python.org/3/library/ssl.html#ssl.wrap_socket [2] https://github.com/celery/py-amqp/blob/master/setup.py#L24,L29 [3] https://docs.python.org/3/library/ssl.html#ssl.SSLContext.wrap_socket
jkgenser · Sep 2, 2020 · ad9697a · ad9697a
1 parent 23a9359
commit ad9697a
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 28 deletions.
diff --git a/amqp/connection.py b/amqp/connection.py
@@ -94,8 +94,8 @@ class Connection(AbstractChannel):
     client name. For EXTERNAL authentication both userid and password are
     ignored.
 
-    The 'ssl' parameter may be simply True/False, or for Python >= 2.6
-    a dictionary of options to pass to ssl.wrap_socket() such as
+    The 'ssl' parameter may be simply True/False, or for Python >= 3.6
+    a dictionary of options to pass to ssl.SSLContext such as
     requiring certain certificates.
 
     The "socket_settings" parameter is a dictionary defining tcp

diff --git a/amqp/transport.py b/amqp/transport.py
@@ -336,39 +336,33 @@ def _wrap_context(self, sock, sslopts, check_hostname=None, **ctx_options):
 
     def _wrap_socket_sni(self, sock, keyfile=None, certfile=None,
                          server_side=False, cert_reqs=ssl.CERT_NONE,
-                         ca_certs=None, do_handshake_on_connect=False,
+                         do_handshake_on_connect=False,
                          suppress_ragged_eofs=True, server_hostname=None,
-                         ciphers=None, ssl_version=ssl.PROTOCOL_TLS):
+                         ssl_version=ssl.PROTOCOL_TLS):
         """Socket wrap with SNI headers.
 
-        Default `ssl.wrap_socket` method augmented with support for
+        stdlib `ssl.SSLContext.wrap_socket` method augmented with support for
         setting the server_hostname field required for SNI hostname header
         """
         opts = {
             'sock': sock,
-            'keyfile': keyfile,
-            'certfile': certfile,
             'server_side': server_side,
-            'cert_reqs': cert_reqs,
-            'ca_certs': ca_certs,
             'do_handshake_on_connect': do_handshake_on_connect,
             'suppress_ragged_eofs': suppress_ragged_eofs,
-            'ciphers': ciphers,
-            'ssl_version': ssl_version
+            'server_hostname': server_hostname,
         }
 
-        sock = ssl.wrap_socket(**opts)
+        context = ssl.SSLContext(ssl_version)
+        if certfile is not None:
+            context.load_cert_chain(certfile, keyfile)
+        if cert_reqs != ssl.CERT_NONE:
+            context.check_hostname = True
         # Set SNI headers if supported
         if (server_hostname is not None) and (
                 hasattr(ssl, 'HAS_SNI') and ssl.HAS_SNI) and (
                 hasattr(ssl, 'SSLContext')):
-            context = ssl.SSLContext(opts['ssl_version'])
             context.verify_mode = cert_reqs
-            if cert_reqs != ssl.CERT_NONE:
-                context.check_hostname = True
-            if (certfile is not None) and (keyfile is not None):
-                context.load_cert_chain(certfile, keyfile)
-            sock = context.wrap_socket(sock, server_hostname=server_hostname)
+        sock = context.wrap_socket(**opts)
         return sock
 
     def _shutdown_transport(self):

diff --git a/t/unit/test_transport.py b/t/unit/test_transport.py
@@ -1,7 +1,6 @@
 import errno
 import os
 import socket
-import ssl
 import struct
 from struct import pack
 from unittest.mock import ANY, MagicMock, Mock, call, patch
@@ -616,18 +615,13 @@ def test_wrap_context(self):
 
     def test_wrap_socket_sni(self):
         sock = Mock()
-        with patch('ssl.wrap_socket') as mock_ssl_wrap:
+        with patch('ssl.SSLContext.wrap_socket') as mock_ssl_wrap:
             self.t._wrap_socket_sni(sock)
-            mock_ssl_wrap.assert_called_with(cert_reqs=0,
-                                             certfile=None,
-                                             keyfile=None,
-                                             sock=sock,
-                                             ca_certs=None,
+            mock_ssl_wrap.assert_called_with(sock=sock,
                                              server_side=False,
-                                             ciphers=None,
-                                             ssl_version=ssl.PROTOCOL_TLS,
+                                             do_handshake_on_connect=False,
                                              suppress_ragged_eofs=True,
-                                             do_handshake_on_connect=False)
+                                             server_hostname=None)
 
     def test_shutdown_transport(self):
         self.t.sock = None