Added support for SNI

python-zk · Jun 27, 2024 · aac0b17 · aac0b17
1 parent 0ceb410
commit aac0b17
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 3 deletions.
diff --git a/kazoo/client.py b/kazoo/client.py
@@ -120,6 +120,7 @@ def __init__(
         ca=None,
         use_ssl=False,
         verify_certs=True,
+        check_hostname=False,
         **kwargs,
     ):
         """Create a :class:`KazooClient` instance. All time arguments
@@ -237,6 +238,7 @@ def __init__(
 
         self.use_ssl = use_ssl
         self.verify_certs = verify_certs
+        self.check_hostname = check_hostname
         self.certfile = certfile
         self.keyfile = keyfile
         self.keyfile_password = keyfile_password
@@ -758,15 +760,18 @@ def command(self, cmd=b"ruok"):
             raise ConnectionLoss("No connection to server")
 
         peer = self._connection._socket.getpeername()[:2]
+        peer_host = self._connection._socket.getpeername()[1]
         sock = self.handler.create_connection(
             peer,
+            hostname=peer_host,
             timeout=self._session_timeout / 1000.0,
             use_ssl=self.use_ssl,
             ca=self.ca,
             certfile=self.certfile,
             keyfile=self.keyfile,
             keyfile_password=self.keyfile_password,
             verify_certs=self.verify_certs,
+            check_hostname=self.check_hostname
         )
         sock.sendall(cmd)
         result = sock.recv(8192)

diff --git a/kazoo/handlers/utils.py b/kazoo/handlers/utils.py
@@ -196,13 +196,15 @@ def create_tcp_socket(module):
 def create_tcp_connection(
     module,
     address,
+    hostname=None,
     timeout=None,
     use_ssl=False,
     ca=None,
     certfile=None,
     keyfile=None,
     keyfile_password=None,
     verify_certs=True,
+    check_hostname=False,
     options=None,
     ciphers=None,
 ):
@@ -241,7 +243,7 @@ def create_tcp_connection(
             # verify_mode to CERT_NONE.
             # TODO: Make hostname verification configurable as some users may
             # elect to use it.
-            context.check_hostname = False
+            context.check_hostname = check_hostname
             context.verify_mode = (
                 ssl.CERT_REQUIRED if verify_certs else ssl.CERT_NONE
             )
@@ -258,7 +260,7 @@ def create_tcp_connection(
                 addrs = socket.getaddrinfo(
                     address[0], address[1], 0, socket.SOCK_STREAM
                 )
-                conn = context.wrap_socket(module.socket(addrs[0][0]))
+                conn = context.wrap_socket(module.socket(addrs[0][0]), server_hostname=hostname)
                 conn.settimeout(timeout_at)
                 conn.connect(address)
                 sock = conn

diff --git a/kazoo/protocol/connection.py b/kazoo/protocol/connection.py
@@ -703,13 +703,15 @@ def _connect(self, host, hostip, port):
         with self._socket_error_handling():
             self._socket = self.handler.create_connection(
                 address=(hostip, port),
+                hostname=host,
                 timeout=client._session_timeout / 1000.0,
                 use_ssl=self.client.use_ssl,
                 keyfile=self.client.keyfile,
                 certfile=self.client.certfile,
                 ca=self.client.ca,
                 keyfile_password=self.client.keyfile_password,
                 verify_certs=self.client.verify_certs,
+                check_hostname=self.client.check_hostname
             )
 
         self._socket.setblocking(0)

diff --git a/kazoo/tests/test_utils.py b/kazoo/tests/test_utils.py
@@ -30,12 +30,26 @@ def test_timeout_arg(self):
                     timeout = call_args[0][1]
                     assert timeout >= 0, "socket timeout must be nonnegative"
 
+    def test_ssl_server_hostname(self):
+        from kazoo.handlers import utils
+        from kazoo.handlers.utils import create_tcp_connection, socket, ssl
+
+        with patch.object(utils, "_set_default_tcpsock_options"):
+            with patch.object(ssl.SSLContext, "wrap_socket") as wrap_socket:
+                create_tcp_connection(
+                    socket, ("127.0.0.1", 2181), timeout=1.5, hostname="fakehostname", use_ssl=True
+                )
+
+                for call_args in wrap_socket.call_args_list:
+                    server_hostname = call_args[1]['server_hostname']
+                    assert server_hostname == "fakehostname"
+
     def test_timeout_arg_eventlet(self):
         if not EVENTLET_HANDLER_AVAILABLE:
             pytest.skip("eventlet handler not available.")
 
         from kazoo.handlers import utils
-        from kazoo.handlers.utils import create_tcp_connection, time
+        from kazoo.handlers.utils import create_tcp_connection, socket, time
 
         with patch.object(socket, "create_connection") as create_connection:
             with patch.object(utils, "_set_default_tcpsock_options"):