author | Antoine Pitrou <solipsis@pitrou.net> | 2014-10-15 16:58:21 +0200 |
---|---|---|
committer | Antoine Pitrou <solipsis@pitrou.net> | 2014-10-15 16:58:21 +0200 |
commit | fd39a89e0e09de5460626a68e9e443fe0c103c14 (patch) | |
tree | 69f3e067853b0f27e722b44ed3e05c79751dce5f /Lib/asyncio | |
parent | 7184bac5446aefcf576bc8a0a666cfd096b86293 (diff) | |
Issue #22641: In asyncio, the default SSL context for client connections is now created using ssl.create_default_context(), for stronger security.
Diffstat (limited to 'Lib/asyncio')
-rw-r--r-- | Lib/asyncio/selector_events.py | 13 | ||||
-rw-r--r-- | Lib/asyncio/test_utils.py | 13 |
2 files changed, 19 insertions, 7 deletions
diff --git a/Lib/asyncio/selector_events.py b/Lib/asyncio/selector_events.py
index a55eff78767..c5debf8f02b 100644
--- a/Lib/asyncio/selector_events.py
+++ b/Lib/asyncio/selector_events.py
@@ -689,16 +689,17 @@ class _SelectorSslTransport(_SelectorTransport):
 if not sslcontext:
 # Client side may pass ssl=True to use a default
 # context; in that case the sslcontext passed is None.
- # The default is the same as used by urllib with
- # cadefault=True.
- if hasattr(ssl, '_create_stdlib_context'):
- sslcontext = ssl._create_stdlib_context(
- cert_reqs=ssl.CERT_REQUIRED,
- check_hostname=bool(server_hostname))
+ # The default is secure for client connections.
+ if hasattr(ssl, 'create_default_context'):
+ # Python 3.4+: use up-to-date strong settings.
+ sslcontext = ssl.create_default_context()
+ if not server_hostname:
+ sslcontext.check_hostname = False
 else:
 # Fallback for Python 3.3.
 sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
 sslcontext.options |= ssl.OP_NO_SSLv2
+ sslcontext.options |= ssl.OP_NO_SSLv3
 sslcontext.set_default_verify_paths()
 sslcontext.verify_mode = ssl.CERT_REQUIRED
diff --git a/Lib/asyncio/test_utils.py b/Lib/asyncio/test_utils.py
index ac7680de453..3e5eee54397 100644
--- a/Lib/asyncio/test_utils.py
+++ b/Lib/asyncio/test_utils.py
@@ -91,6 +91,13 @@ class SilentWSGIRequestHandler(WSGIRequestHandler):
 class SilentWSGIServer(WSGIServer):
+ request_timeout = 2
+
+ def get_request(self):
+ request, client_addr = super().get_request()
+ request.settimeout(self.request_timeout)
+ return request, client_addr
+
 def handle_error(self, request, client_address):
 pass
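Review bot: In the `create_default_context()` branch of `Lib/asyncio/selector_events.py`, `sslcontext.check_hostname = False` is applied silently whenever `server_hostname` is falsy, so a caller that passes `ssl=True` without a hostname gets a connection whose certificate chain is validated but whose peer name is not. That matches the removed `check_hostname=bool(server_hostname)` argument, but the line deserves a comment saying so, for example `# No hostname to match: the chain is still verified (CERT_REQUIRED), the peer's name is not.` The Python 3.3 fallback now clears SSLv2 and SSLv3 but, unlike `create_default_context()`, leaves TLS compression enabled; `sslcontext.options |= getattr(ssl, 'OP_NO_COMPRESSION', 0)` would bring the two branches closer. The enclosing method starts and ends outside the hunk, so how the fallback path checks the hostname is not visible here.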
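Review bot: `request_timeout = 2` in `SilentWSGIServer` carries no comment on its unit or purpose, and the same attribute and `request.settimeout(self.request_timeout)` call are repeated in `UnixWSGIServer` in the last hunk of `Lib/asyncio/test_utils.py`. A one-line comment above the attribute would do, for example `# Seconds; bounds each accepted socket so a stalled client cannot hang the server thread.` That is presumably the intent, since clients that now reject the test certificate may leave a handshake unfinished; confirm against the issue. `UnixWSGIServer.get_request` continues past the end of its hunk.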
@@ -138,7 +145,8 @@ def _run_test_server(*, address, use_ssl=False, server_cls, server_ssl_cls):
 httpd = server_class(address, SilentWSGIRequestHandler)
 httpd.set_app(app)
 httpd.address = httpd.server_address
- server_thread = threading.Thread(target=httpd.serve_forever)
+ server_thread = threading.Thread(
+ target=lambda: httpd.serve_forever(poll_interval=0.05))
 server_thread.start()
 try:
 yield httpd
@@ -160,12 +168,15 @@ if hasattr(socket, 'AF_UNIX'):
 class UnixWSGIServer(UnixHTTPServer, WSGIServer):
+ request_timeout = 2
+
 def server_bind(self):
 UnixHTTPServer.server_bind(self)
 self.setup_environ()
 def get_request(self):
 request, client_addr = super().get_request()
+ request.settimeout(self.request_timeout)
 # Code in the stdlib expects that get_request
 # will return a socket and a tuple (host, port).
 # However, this isn't true for UNIX sockets, |
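Review bot: The `lambda` passed as `target` in `_run_test_server` exists only to forward one keyword argument, which `threading.Thread` accepts directly: `server_thread = threading.Thread(target=httpd.serve_forever, kwargs={'poll_interval': 0.05})`. The `0.05` would also read better with a comment giving its unit (seconds) and why it is lower than the `serve_forever` default. The function body starts and ends outside the hunk.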