From 55f1f8a636b13cbbf95f1e53481e73e7ac338751 Mon Sep 17 00:00:00 2001
From: Ben Noonan
Date: Wed, 17 Sep 2025 12:49:35 +0100
Subject: [PATCH 1/7] try that one

---
 kmip/services/auth.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kmip/services/auth.py b/kmip/services/auth.py
index a53af297..3739f1e8 100644
--- a/kmip/services/auth.py
+++ b/kmip/services/auth.py
@@ -231,4 +231,4 @@ def __init__(self, cipher_suites=None):
                 suites. Optional, defaults to None.
         """
         super(TLS12AuthenticationSuite, self).__init__(cipher_suites)
-        self._protocol = ssl.PROTOCOL_TLSv1_2
+        self._protocol = ssl.PROTOCOL_TLS_SERVER

From 58a0723df31947213a48c1f02a4ccf9c7b9e91d0 Mon Sep 17 00:00:00 2001
From: Ben Noonan
Date: Wed, 17 Sep 2025 15:27:38 +0100
Subject: [PATCH 2/7] that?

---
 kmip/services/auth.py        | 2 +-
 kmip/services/kmip_client.py | 3 +--
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/kmip/services/auth.py b/kmip/services/auth.py
index 3739f1e8..a53af297 100644
--- a/kmip/services/auth.py
+++ b/kmip/services/auth.py
@@ -231,4 +231,4 @@ def __init__(self, cipher_suites=None):
                 suites. Optional, defaults to None.
         """
         super(TLS12AuthenticationSuite, self).__init__(cipher_suites)
-        self._protocol = ssl.PROTOCOL_TLS_SERVER
+        self._protocol = ssl.PROTOCOL_TLSv1_2
diff --git a/kmip/services/kmip_client.py b/kmip/services/kmip_client.py
index b88f2c65..52192819 100644
--- a/kmip/services/kmip_client.py
+++ b/kmip/services/kmip_client.py
@@ -255,8 +255,7 @@ def open(self):
             "KMIPProxy cert_reqs: {0} (CERT_REQUIRED: {1})".format(
                 self.cert_reqs, ssl.CERT_REQUIRED))
         self.logger.debug(
-            "KMIPProxy ssl_version: {0} (PROTOCOL_SSLv23: {1})".format(
-                self.ssl_version, ssl.PROTOCOL_SSLv23))
+            "KMIPProxy ssl_version: {0}".format(self.ssl_version))
         self.logger.debug("KMIPProxy ca_certs: {0}".format(self.ca_certs))
         self.logger.debug("KMIPProxy do_handshake_on_connect: {0}".format(
             self.do_handshake_on_connect))
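Review bot: The `ssl.PROTOCOL_TLS_SERVER` assignment on the added line drops the TLS 1.2 floor that `TLS12AuthenticationSuite` promises by name, because that constant lets the linked OpenSSL negotiate any version it still enables. `PROTOCOL_TLSv1_2` is deprecated since Python 3.10, so moving off it is reasonable, but the version-agnostic constant only keeps the suite's contract if the context built from `self._protocol` also gets `context.minimum_version = ssl.TLSVersion.TLSv1_2`; that construction is outside the hunk, and Patch 2/7 on this page simply reverts the line. `__init__` starts before the hunk.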
From 680782462601b877318cf9ae3aa4650e5ef5e915 Mon Sep 17 00:00:00 2001 From: Ben Noonan Date: Wed, 17 Sep 2025 15:56:06 +0100 Subject: [PATCH 3/7] remove it --- kmip/pie/client.py | 5 ----- kmip/services/kmip_client.py | 15 ++++++--------- kmip/tests/unit/services/test_kmip_client.py | 3 +-- 3 files changed, 7 insertions(+), 16 deletions(-) diff --git a/kmip/pie/client.py b/kmip/pie/client.py index d27ad4b1..97323a8a 100644 --- a/kmip/pie/client.py +++ b/kmip/pie/client.py @@ -60,7 +60,6 @@ def __init__(self, cert=None, key=None, ca=None, - ssl_version=None, username=None, password=None, config='client', @@ -81,9 +80,6 @@ def __init__(self, Optional, defaults to None. ca (string): The path to the CA certificate used to verify the server's certificate. Optional, defaults to None. - ssl_version (string): The name of the ssl version to use for the - connection. Example: 'PROTOCOL_SSLv23'. Optional, defaults to - None. username (string): The username of the KMIP appliance account to use for operations. Optional, defaults to None. password (string): The password of the KMIP appliance account to @@ -112,7 +108,6 @@ def __init__(self, certfile=cert, keyfile=key, ca_certs=ca, - ssl_version=ssl_version, username=username, password=password, config=config, diff --git a/kmip/services/kmip_client.py b/kmip/services/kmip_client.py index 52192819..d513b9d9 100644 --- a/kmip/services/kmip_client.py +++ b/kmip/services/kmip_client.py @@ -77,7 +77,7 @@ class KMIPProxy(object): def __init__(self, host=None, port=None, keyfile=None, certfile=None, - cert_reqs=None, ssl_version=None, ca_certs=None, + cert_reqs=None, ca_certs=None, do_handshake_on_connect=None, suppress_ragged_eofs=None, username=None, password=None, timeout=30, config='client', 
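Review bot: Removing `ssl_version` from the `ProxyKmipClient.__init__` keyword list in the `@@ -60,7 +60,6 @@` hunk is a backward-incompatible change: existing callers passing `ssl_version=` now raise `TypeError` at construction, and the `KMIPProxy.__init__` signature in the `@@ -77,7 +77,7 @@` hunk has the same problem. Since the value is no longer consulted, keeping `ssl_version=None,` in both signatures as an ignored, deprecated parameter is cheaper for users than a hard break, e.g. `if ssl_version is not None: warnings.warn("ssl_version is ignored", DeprecationWarning, stacklevel=2)` (importing `warnings` if the module does not already). Whether anything still passes the argument is not visible here, so this is a compatibility judgement for the maintainers; both `__init__` bodies continue outside the hunks.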
@@ -109,7 +109,7 @@ def __init__(self, host=None, port=None, keyfile=None, ) self._set_variables(host, port, keyfile, certfile, - cert_reqs, ssl_version, ca_certs, + cert_reqs, ca_certs, do_handshake_on_connect, suppress_ragged_eofs, username, password, timeout, config_file) self.batch_items = [] @@ -254,8 +254,6 @@ def open(self): self.logger.debug( "KMIPProxy cert_reqs: {0} (CERT_REQUIRED: {1})".format( self.cert_reqs, ssl.CERT_REQUIRED)) - self.logger.debug( - "KMIPProxy ssl_version: {0}".format(self.ssl_version)) self.logger.debug("KMIPProxy ca_certs: {0}".format(self.ca_certs)) self.logger.debug("KMIPProxy do_handshake_on_connect: {0}".format( self.do_handshake_on_connect)) @@ -284,7 +282,9 @@ def open(self): six.reraise(*last_error) def _create_socket(self, sock): - context = ssl.SSLContext(self.ssl_version) + context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT) + context.minimum_version = ssl.TLSVersion.TLSv1_2 + context.maximum_version = ssl.TLSVersion.TLSv1_3 context.load_cert_chain( keyfile=self.keyfile, certfile=self.certfile) @@ -1736,7 +1736,7 @@ def _send_and_receive_message(self, request): return response def _set_variables(self, host, port, keyfile, certfile, - cert_reqs, ssl_version, ca_certs, + cert_reqs, ca_certs, do_handshake_on_connect, suppress_ragged_eofs, username, password, timeout, config_file): conf = ConfigHelper(config_file) @@ -1761,9 +1761,6 @@ def _set_variables(self, host, port, keyfile, certfile, self.cert_reqs = getattr(ssl, conf.get_valid_value( cert_reqs, self.config, 'cert_reqs', 'CERT_REQUIRED')) - self.ssl_version = getattr(ssl, conf.get_valid_value( - ssl_version, self.config, 'ssl_version', conf.DEFAULT_SSL_VERSION)) - self.ca_certs = conf.get_valid_value( ca_certs, self.config, 'ca_certs', conf.DEFAULT_CA_CERTS) diff --git a/kmip/tests/unit/services/test_kmip_client.py b/kmip/tests/unit/services/test_kmip_client.py index fa13a204..363d6cba 100644 --- a/kmip/tests/unit/services/test_kmip_client.py 
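Review bot: `ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)` in the `@@ -284,7 +282,9 @@` hunk turns on `check_hostname` and `CERT_REQUIRED` by default, but the lines just below the hunk (visible as context in Patch 5/7) still do `context.verify_mode = self.cert_reqs` and call `wrap_socket` with no `server_hostname`; CPython raises `ValueError` when `verify_mode` is lowered to `CERT_NONE` while `check_hostname` is on, and again when `check_hostname` is on and `server_hostname` is missing, so a `cert_reqs=CERT_NONE` configuration (the default is `CERT_REQUIRED` per the `@@ -1761` hunk) stops connecting at all instead of connecting unverified. Decide hostname checking before lowering `verify_mode`: `context.check_hostname = self.cert_reqs != ssl.CERT_NONE` immediately before `context.verify_mode = self.cert_reqs`, and `server_hostname=self.host` in the `wrap_socket` call. The explicit `minimum_version = TLSv1_2` pin added here is the right call and is worth keeping through later cleanups. `_create_socket` ends outside the hunk.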
+++ b/kmip/tests/unit/services/test_kmip_client.py @@ -709,7 +709,6 @@ def test_host_list_import_string(self): keyfile=None, certfile=None, cert_reqs=None, - ssl_version=None, ca_certs=None, do_handshake_on_connect=False, suppress_ragged_eofs=None, @@ -729,7 +728,7 @@ def test_host_is_invalid_input(self): expected_error = TypeError kwargs = {'host': host, 'port': None, 'keyfile': None, - 'certfile': None, 'cert_reqs': None, 'ssl_version': None, + 'certfile': None, 'cert_reqs': None, 'ca_certs': None, 'do_handshake_on_connect': False, 'suppress_ragged_eofs': None, 'username': None, 'password': None, 'timeout': None} From dc32ae89615f7b274951bef497e2db19ef05a834 Mon Sep 17 00:00:00 2001 From: Ben Noonan Date: Thu, 18 Sep 2025 11:25:35 +0100 Subject: [PATCH 4/7] hostname --- kmip/services/kmip_client.py | 1 + 1 file changed, 1 insertion(+) diff --git a/kmip/services/kmip_client.py b/kmip/services/kmip_client.py index d513b9d9..52cb840e 100644 --- a/kmip/services/kmip_client.py +++ b/kmip/services/kmip_client.py @@ -292,6 +292,7 @@ def _create_socket(self, sock): context.load_verify_locations(cafile=self.ca_certs) self.socket = context.wrap_socket( sock, + server_hostname=self.host, do_handshake_on_connect=self.do_handshake_on_connect, suppress_ragged_eofs=self.suppress_ragged_eofs) self.socket.settimeout(self.timeout) From 2babcdd711f7ec0bfcc1aed9690722dc05c73d80 Mon Sep 17 00:00:00 2001 From: Ben Noonan Date: Thu, 18 Sep 2025 12:01:04 +0100 Subject: [PATCH 5/7] different context --- kmip/services/kmip_client.py | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/kmip/services/kmip_client.py b/kmip/services/kmip_client.py index 52cb840e..46affc24 100644 --- a/kmip/services/kmip_client.py +++ b/kmip/services/kmip_client.py 
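Review bot: `server_hostname=self.host` is the right argument to add, but `wrap_socket` needs the single host this socket is connecting to as a `str`; the `test_host_list_import_string` test in the `@@ -709` hunk above suggests hosts can be configured as a list, so if `open()` iterates several hosts, `self.host` may not be the one `sock` is connected to (the shape of `self.host` at this point is not visible in the hunk). If that is the case, pass the current host explicitly, e.g. `def _create_socket(self, sock, host):` with `server_hostname=host`. `_create_socket` starts before the hunk.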
@@ -282,17 +282,18 @@ def open(self):
             six.reraise(*last_error)

     def _create_socket(self, sock):
-        context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
+        context = ssl.create_default_context(purpose=ssl.Purpose.CLIENT_AUTH,
+                                             cafile=self.ca_certs)
+        #context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
         context.minimum_version = ssl.TLSVersion.TLSv1_2
         context.maximum_version = ssl.TLSVersion.TLSv1_3
         context.load_cert_chain(
             keyfile=self.keyfile,
             certfile=self.certfile)
         context.verify_mode = self.cert_reqs
-        context.load_verify_locations(cafile=self.ca_certs)
+        #context.load_verify_locations(cafile=self.ca_certs)
         self.socket = context.wrap_socket(
             sock,
-            server_hostname=self.host,
             do_handshake_on_connect=self.do_handshake_on_connect,
             suppress_ragged_eofs=self.suppress_ragged_eofs)
         self.socket.settimeout(self.timeout)

From 6ac3fcd5c4b7717016dbdae82a1af99a1dad8fb3 Mon Sep 17 00:00:00 2001
From: Ben Noonan
Date: Thu, 18 Sep 2025 12:06:23 +0100
Subject: [PATCH 6/7] go back and force check off

---
 kmip/services/kmip_client.py | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/kmip/services/kmip_client.py b/kmip/services/kmip_client.py
index 46affc24..2cf727c1 100644
--- a/kmip/services/kmip_client.py
+++ b/kmip/services/kmip_client.py
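Review bot: `ssl.Purpose.CLIENT_AUTH` in the first added line builds a server-side context (it is the purpose for a server authenticating its clients); a KMIP client verifying the server needs `ssl.Purpose.SERVER_AUTH`, and newer CPython releases refuse to create a client socket from a `PROTOCOL_TLS_SERVER` context at all. The hunk also removes `server_hostname=self.host`, which a `SERVER_AUTH` context with `check_hostname` enabled requires at `wrap_socket` time. The `#context = ...` and `#context.load_verify_locations(...)` lines are dead code and should be deleted rather than kept as comments. Patch 6/7 on this page reverts this hunk, so the point that survives is to use `SERVER_AUTH` if `create_default_context` is revisited.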
@@ -282,16 +282,15 @@ def open(self):
             six.reraise(*last_error)

     def _create_socket(self, sock):
-        context = ssl.create_default_context(purpose=ssl.Purpose.CLIENT_AUTH,
-                                             cafile=self.ca_certs)
-        #context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
-        context.minimum_version = ssl.TLSVersion.TLSv1_2
-        context.maximum_version = ssl.TLSVersion.TLSv1_3
+        context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
+        #context.minimum_version = ssl.TLSVersion.TLSv1_2
+        #context.maximum_version = ssl.TLSVersion.TLSv1_3
         context.load_cert_chain(
             keyfile=self.keyfile,
             certfile=self.certfile)
         context.verify_mode = self.cert_reqs
-        #context.load_verify_locations(cafile=self.ca_certs)
+        context.load_verify_locations(cafile=self.ca_certs)
+        context.check_hostname = False
         self.socket = context.wrap_socket(
             sock,
             do_handshake_on_connect=self.do_handshake_on_connect,

From e673a9b860f3b6002b732c6c4319aad1a7b2c101 Mon Sep 17 00:00:00 2001
From: Ben Noonan
Date: Thu, 18 Sep 2025 12:18:14 +0100
Subject: [PATCH 7/7] clean

---
 kmip/services/kmip_client.py | 2 --
 1 file changed, 2 deletions(-)

diff --git a/kmip/services/kmip_client.py b/kmip/services/kmip_client.py
index 2cf727c1..bc13f4a1 100644
--- a/kmip/services/kmip_client.py
+++ b/kmip/services/kmip_client.py
@@ -283,8 +283,6 @@ def open(self):

     def _create_socket(self, sock):
         context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
-        #context.minimum_version = ssl.TLSVersion.TLSv1_2
-        #context.maximum_version = ssl.TLSVersion.TLSv1_3
         context.load_cert_chain(
             keyfile=self.keyfile,
             certfile=self.certfile)
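Review bot: `context.check_hostname = False` (last added line of the `@@ -282,16 +282,15 @@` hunk) disables hostname verification unconditionally, so the client accepts any certificate that chains to `ca_certs` no matter which server presents it — a man-in-the-middle opening with any shared or public CA — and it discards the `server_hostname` wiring Patch 4/7 added. If the motivation (the title says "force check off") is a server certificate whose SAN does not match the configured host, fix the certificate or expose hostname checking as a config option that defaults on, rather than hard-coding it off. The assignment is also ordered after `context.verify_mode = self.cert_reqs`, which raises `ValueError` for a `CERT_NONE` configuration while `check_hostname` is still on. Commenting out `minimum_version` leaves the protocol floor to interpreter/OpenSSL defaults (TLS 1.2 only from Python 3.10 on), so the pin should stay. The rewrite below derives `check_hostname` from `cert_reqs` before lowering `verify_mode`, keeps the floor and passes the hostname; Patch 7/7 on this page only deletes the commented lines, and `_create_socket` ends outside the hunk.
```python
    def _create_socket(self, sock):
        context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        # Keep the floor explicit instead of trusting interpreter/OpenSSL defaults.
        context.minimum_version = ssl.TLSVersion.TLSv1_2
        # check_hostname must be settled before verify_mode can drop to CERT_NONE;
        # hostname verification stays on whenever the peer certificate is checked.
        context.check_hostname = self.cert_reqs != ssl.CERT_NONE
        context.verify_mode = self.cert_reqs
        # … unchanged: load_cert_chain / load_verify_locations …
        self.socket = context.wrap_socket(
            sock,
            server_hostname=self.host,  # must be the single host sock connects to
            do_handshake_on_connect=self.do_handshake_on_connect,
```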