Merge pull request uyuni-project#9098 from cbosdo/py2-ssl-revert

Revert commit 91ca92d for compatibility with old traditional clients
nodeg · Aug 20, 2024 · bd4915b · bd4915b
2 parents eec46ba + 3e34aa9
commit bd4915b
Show file tree

Hide file tree

Showing 2 changed files with 53 additions and 13 deletions.
diff --git a/python/rhn/SSL.py b/python/rhn/SSL.py
@@ -98,19 +98,57 @@ def init_ssl(self, server_name=None):
         Initializes the SSL connection.
         """
         self._check_closed()
-        self._ctx = SSL.SSLContext(SSL.PROTOCOL_TLS_CLIENT)
-        self._ctx.options |= SSL.OP_NO_TLSv1
-        self._ctx.options |= SSL.OP_NO_TLSv1_1
-        self._ctx.verify_mode = SSL.CERT_REQUIRED
-        self._ctx.check_hostname = True
-        self._ctx.load_default_certs(SSL.Purpose.SERVER_AUTH)
-        if self._trusted_certs:
-            # We have been supplied with trusted CA certs
-            for f in self._trusted_certs:
-                self._ctx.load_verify_locations(f)
-        self._connection = self._ctx.wrap_socket(
-            self._sock, server_hostname=server_name
-        )
+        if hasattr(SSL, "PROTOCOL_TLS_CLIENT"):
+            self._ctx = SSL.SSLContext(SSL.PROTOCOL_TLS_CLIENT)
+            self._ctx.options |= SSL.OP_NO_TLSv1
+            self._ctx.options |= SSL.OP_NO_TLSv1_1
+            self._ctx.verify_mode = SSL.CERT_REQUIRED
+            self._ctx.check_hostname = True
+            self._ctx.load_default_certs(SSL.Purpose.SERVER_AUTH)
+            if self._trusted_certs:
+                # We have been supplied with trusted CA certs
+                for f in self._trusted_certs:
+                    self._ctx.load_verify_locations(f)
+            self._connection = self._ctx.wrap_socket(
+                self._sock, server_hostname=server_name
+            )
+        else:
+            # This needs to be kept for old traditional clients
+            # SSL method to use
+            if hasattr(SSL, "PROTOCOL_TLS"):
+                self._ssl_method = SSL.PROTOCOL_TLS
+            else:
+                self._ssl_method = SSL.PROTOCOL_SSLv23
+
+            if hasattr(SSL, "SSLContext"):
+                self._ctx = SSL.SSLContext(self._ssl_method)
+                self._ctx.verify_mode = SSL.CERT_REQUIRED
+                self._ctx.check_hostname = True
+                self._ctx.load_default_certs(SSL.Purpose.SERVER_AUTH)
+                if self._trusted_certs:
+                    # We have been supplied with trusted CA certs
+                    for f in self._trusted_certs:
+                        self._ctx.load_verify_locations(f)
+
+                # pylint: disable-next=deprecated-method
+                self._connection = self._ctx.wrap_socket(
+                    self._sock, server_hostname=server_name
+                )
+            else:
+                # Python 2.6-2.7.8
+                cacert = None
+                if self._trusted_certs:
+                    # seems python2.6 supports only 1
+                    cacert = self._trusted_certs[0]
+                # pylint: disable-next=deprecated-method
+                self._connection = SSL.wrap_socket(
+                    self._sock,
+                    ssl_version=self._ssl_method,
+                    cert_reqs=SSL.CERT_REQUIRED,
+                    ca_certs=cacert,
+                )
+                # pylint: disable-next=used-before-assignment
+                match_hostname(self._connection.getpeercert(), server_name)
 
     # pylint: disable-next=unused-argument
     def makefile(self, mode, bufsize=None):

diff --git a/python/rhn/rhnlib.changes.cbosdo.py2-ssl-revert b/python/rhn/rhnlib.changes.cbosdo.py2-ssl-revert
@@ -0,0 +1,2 @@
+- Add the old TLS code for very old traditional clients still on 
+  python 2.7 (bsc#1228198)