From 831195730f0114a73fbc1cdfae7db5f222821a85 Mon Sep 17 00:00:00 2001
From: Christophe Haen
Date: Fri, 20 Dec 2019 14:19:48 +0100
Subject: [PATCH] Core: use M2Crypto API for allowing proxy certificates

---
 Core/DISET/private/Transports/SSL/M2Utils.py | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/Core/DISET/private/Transports/SSL/M2Utils.py b/Core/DISET/private/Transports/SSL/M2Utils.py
index 66edf2b8178..02578c09c4f 100644
--- a/Core/DISET/private/Transports/SSL/M2Utils.py
+++ b/Core/DISET/private/Transports/SSL/M2Utils.py
@@ -109,6 +109,16 @@ def getM2SSLContext(ctx=None, **kwargs):
 raise RuntimeError("CA path (%s) is not a valid directory" % caPath)
 ctx.load_verify_locations(capath=caPath)
 
+ # If the version of M2Crypto is recent enough, there is an API
+ # to accept proxy certificate, and we do not need to rely on
+ # OPENSSL_ALLOW_PROXY_CERT environment variable
+ # which was removed as of openssl 1.1
+ # We need this to be merged in M2Crypto: https://gitlab.com/m2crypto/m2crypto/merge_requests/236
+ # We set the proper verify flag to the X509Store of the context
+ # as described here https://www.openssl.org/docs/man1.1.1/man7/proxy-certificates.html
+ if hasattr(SSL, 'verify_allow_proxy_certs'):
+ ctx.get_cert_store().set_flags(SSL.verify_allow_proxy_certs) # pylint: disable=no-member
+
 # Other parameters
 sslMethod = kwargs.get('sslMethod', None)
 if sslMethod:
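Review bot: When `SSL.verify_allow_proxy_certs` is absent the new `if hasattr(...)` block falls through silently, so an M2Crypto without that attribute linked against OpenSSL 1.1+ will reject every proxy certificate at handshake with nothing explaining why — the added comment itself says the `OPENSSL_ALLOW_PROXY_CERT` fallback no longer exists there. Add an `else:` branch that logs, through whichever logger this module already uses, that proxy-certificate acceptance now depends on the linked OpenSSL still honouring `OPENSSL_ALLOW_PROXY_CERT`, so the failure mode is diagnosable from the logs. The flag-setting line also deserves a caveat, because per the linked OpenSSL page the flag only makes chain validation accept RFC 3820 proxies chained to a valid end-entity certificate, while any policy carried in the proxyCertInfo extension is left to the application; something like `# NOTE: this only lets chain validation accept proxies; proxyCertInfo policies are not enforced by OpenSSL and must be checked elsewhere if relied upon` would keep the next maintainer from assuming limited-proxy semantics are enforced here — confirm against how DIRAC handles limited proxies. `getM2SSLContext` begins before this hunk and continues after it.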