Fallback to old ssl_wrap_socket

2025-07-02 14:40:19 -07:00 · 2017-01-06 11:03:10 -06:00 · 2017-01-06 11:03:10 -06:00 · 13ac993d25
commit 13ac993d25
parent b4b76bab14
3 changed files with 81 additions and 18 deletions
--- a/lib/ansible/module_utils/urls.py
+++ b/lib/ansible/module_utils/urls.py
@ -145,14 +145,26 @@ try:
 except ImportError:
    HAS_SSLCONTEXT = False

+# SNI Handling for python < 2.7.9 with urllib3 support
 try:
+    # urllib3>=1.15
+    HAS_URLLIB3_SSL_WRAP_SOCKET = False
    try:
        from urllib3.contrib.pyopenssl import PyOpenSSLContext
    except ImportError:
        from requests.packages.urllib3.contrib.pyopenssl import PyOpenSSLContext
-    HAS_PYOPENSSL_CONTEXT = True
+    HAS_URLLIB3_PYOPENSSLCONTEXT = True
 except ImportError:
-    HAS_PYOPENSSL_CONTEXT = False
+    # urllib3<1.15,>=1.6
+    HAS_URLLIB3_PYOPENSSLCONTEXT = False
+    try:
+        try:
+            from urllib3.contrib.pyopenssl import ssl_wrap_socket
+        except ImportError:
+            from requests.packages.urllib3.contrib.pyopenssl import ssl_wrap_socket
+        HAS_URLLIB3_SSL_WRAP_SOCKET = True
+    except ImportError:
+        pass

 # Select a protocol that includes all secure tls protocols
 # Exclude insecure ssl protocols if possible
@ -362,7 +374,7 @@ if hasattr(httplib, 'HTTPSConnection') and hasattr(urllib_request, 'HTTPSHandler
            self.context = None
            if HAS_SSLCONTEXT:
                self.context = create_default_context()
-            elif HAS_PYOPENSSL_CONTEXT:
+            elif HAS_URLLIB3_PYOPENSSLCONTEXT:
                self.context = PyOpenSSLContext(PROTOCOL)
            if self.context and self.cert_file:
                self.context.load_cert_chain(self.cert_file, self.key_file)
@ -383,8 +395,11 @@ if hasattr(httplib, 'HTTPSConnection') and hasattr(urllib_request, 'HTTPSHandler
                self._tunnel()
                server_hostname = self._tunnel_host

-            if HAS_SSLCONTEXT or HAS_PYOPENSSL_CONTEXT:
+            if HAS_SSLCONTEXT or HAS_URLLIB3_PYOPENSSLCONTEXT:
                self.sock = self.context.wrap_socket(sock, server_hostname=server_hostname)
+            elif HAS_URLLIB3_SSL_WRAP_SOCKET:
+                self.sock = ssl_wrap_socket(sock, keyfile=self.key_file, cert_reqs=ssl.CERT_NONE, certfile=self.cert_file, ssl_version=PROTOCOL,
+                        server_hostname=server_hostname)
            else:
                self.sock = ssl.wrap_socket(sock, keyfile=self.key_file, certfile=self.cert_file, ssl_version=PROTOCOL)

@ -541,7 +556,7 @@ def build_ssl_validation_error(hostname, port, paths, exc=None):
    if not HAS_SSLCONTEXT:
        msg.append('If the website serving the url uses SNI you need'
                   ' python >= 2.7.9 on your managed machine')
-        if not HAS_PYOPENSSL_CONTEXT:
+        if not HAS_URLLIB3_PYOPENSSLCONTEXT or not HAS_URLLIB3_SSL_WRAP_SOCKET:
            msg.append('or you can install the `urllib3`, `pyOpenSSL`,'
                       ' `ndg-httpsclient`, and `pyasn1` python modules')

@ -665,7 +680,7 @@ class SSLValidationHandler(urllib_request.BaseHandler):
        return True

    def _make_context(self, to_add_ca_cert_path):
-        if HAS_PYOPENSSL_CONTEXT:
+        if HAS_URLLIB3_PYOPENSSLCONTEXT:
            context = PyOpenSSLContext(PROTOCOL)
        else:
            context = create_default_context()
@ -677,7 +692,7 @@ class SSLValidationHandler(urllib_request.BaseHandler):
        tmp_ca_cert_path, to_add_ca_cert_path, paths_checked = self.get_ca_certs()
        https_proxy = os.environ.get('https_proxy')
        context = None
-        if HAS_SSLCONTEXT or HAS_PYOPENSSL_CONTEXT:
+        if HAS_SSLCONTEXT or HAS_URLLIB3_PYOPENSSLCONTEXT:
            context = self._make_context(to_add_ca_cert_path)

        # Detect if 'no_proxy' environment variable is set and if our URL is included
@ -708,6 +723,8 @@ class SSLValidationHandler(urllib_request.BaseHandler):
                    self.validate_proxy_response(connect_result)
                    if context:
                        ssl_s = context.wrap_socket(s, server_hostname=self.hostname)
+                    elif HAS_URLLIB3_SSL_WRAP_SOCKET:
+                        ssl_s = ssl_wrap_socket(s, ca_certs=tmp_ca_cert_path, cert_reqs=ssl.CERT_REQUIRED, ssl_version=PROTOCOL, server_hostname=self.hostname)
                    else:
                        ssl_s = ssl.wrap_socket(s, ca_certs=tmp_ca_cert_path, cert_reqs=ssl.CERT_REQUIRED, ssl_version=PROTOCOL)
                        match_hostname(ssl_s.getpeercert(), self.hostname)
@ -717,6 +734,8 @@ class SSLValidationHandler(urllib_request.BaseHandler):
                s.connect((self.hostname, self.port))
                if context:
                    ssl_s = context.wrap_socket(s, server_hostname=self.hostname)
+                elif HAS_URLLIB3_SSL_WRAP_SOCKET:
+                    ssl_s = ssl_wrap_socket(s, ca_certs=tmp_ca_cert_path, cert_reqs=ssl.CERT_REQUIRED, ssl_version=PROTOCOL, server_hostname=self.hostname)
                else:
                    ssl_s = ssl.wrap_socket(s, ca_certs=tmp_ca_cert_path, cert_reqs=ssl.CERT_REQUIRED, ssl_version=PROTOCOL)
                    match_hostname(ssl_s.getpeercert(), self.hostname)