SSL with SNI_-support for Python 2. Follow these instructions if you would
like to verify SSL certificates in Python 2. Note, the default libraries do
*not* do certificate checking; you need to do additional work to validate
certificates yourself.

This needs the following packages installed:

* pyOpenSSL (tested with 0.13)
* ndg-httpsclient (tested with 0.3.2)
* pyasn1 (tested with 0.1.6)

You can install them with the following command:

    pip install pyopenssl ndg-httpsclient pyasn1

To activate certificate checking, call
:func:`~urllib3.contrib.pyopenssl.inject_into_urllib3` from your Python code
before you begin making HTTP requests. This can be done in a ``sitecustomize``
module, or at any other time before your application begins using ``urllib3``,
like this::

    try:
        import urllib3.contrib.pyopenssl
        urllib3.contrib.pyopenssl.inject_into_urllib3()
    except ImportError:
        pass

Now you can use :mod:`urllib3` as you normally would, and it will support SNI
when the required modules are installed.

Activating this module also has the positive side effect of disabling SSL/TLS
compression in Python 2 (see `CRIME attack`_).

If you want to configure the default list of supported cipher suites, you can
set the ``urllib3.contrib.pyopenssl.DEFAULT_SSL_CIPHER_LIST`` variable.

Module Variables
----------------

:var DEFAULT_SSL_CIPHER_LIST: The list of supported SSL/TLS cipher suites.
    Default: ``ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:
    ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS``

.. _sni: https://en.wikipedia.org/wiki/Server_Name_Indication
.. _crime attack: https://en.wikipedia.org/wiki/CRIME_(security_exploit)

Module Contents
---------------

Source file: ``/usr/lib/python2.7/site-packages/urllib3/contrib/pyopenssl.py``

:func:`inject_into_urllib3`
    Monkey-patch urllib3 with PyOpenSSL-backed SSL-support.

:func:`extract_from_urllib3`
    Undo monkey-patching by :func:`inject_into_urllib3`.

:class:`SubjectAltName`
    ASN.1 implementation for subjectAltNames support

:class:`WrappedSocket`
    API-compatibility wrapper for Python OpenSSL's Connection-class.

    Note: _makefile_refs, _drop() and _reuse() are needed for the garbage
    collector of pypy.
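An added example, not part of the urllib3 module: it expands the ``DEFAULT_SSL_CIPHER_LIST`` default given in the module docstring on the local OpenSSL build and checks that the ``!aNULL:!MD5:!DSS`` exclusions hold. It assumes Python 3's standard ``ssl`` module rather than pyOpenSSL; ``expand`` and ``violations`` are hypothetical helper names.

```python
import ssl

# Default value copied from the module docstring, joined onto one line.
DEFAULT_SSL_CIPHER_LIST = (
    "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:"
    "ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:"
    "RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
)


def expand(cipher_string):
    """Return the suites the local OpenSSL build enables for cipher_string.

    Each entry is a dict with keys such as 'name', 'protocol', 'auth' and
    'digest'. TLS 1.3 suites are listed too; the cipher string does not
    control them.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()


def violations(ciphers):
    """Names of suites that break the !aNULL, !MD5 or !DSS exclusions."""
    bad = []
    for cipher in ciphers:
        anonymous_or_dss = cipher.get("auth") in ("auth-null", "auth-dss")
        md5_mac = cipher.get("digest") == "md5"
        if anonymous_or_dss or md5_mac:
            bad.append(cipher["name"])
    return bad


if __name__ == "__main__":
    enabled = expand(DEFAULT_SSL_CIPHER_LIST)
    for cipher in enabled:
        print("%-8s %s" % (cipher["protocol"], cipher["name"]))
    print("excluded suites still enabled:", violations(enabled) or "none")
```

Suites the local OpenSSL build no longer ships (3DES, for example) simply do not appear in the output, so the list can be shorter than the string suggests.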