Comments (7)
retzkek
commented on August 23, 2024
I started diving into the rabbit hole and hit a brick wall called M2Crypto and its wonderful documentation. So I backed up and tried changing to the standard HTTPSConnection, which worked wonderfully. Note that as of Python 3.7 cert hostnames are checked so I don't think there's any reason to not use the standard library.
@DrDaveD what do you think, put in a version check to decide which HTTPSConnection to use?
For testing I just patched VerifiedHTTPSHandler, but probably needs a bit more thought:
diff --git a/htgettoken b/htgettoken
index febb9f1..57714b8 100755
--- a/htgettoken
+++ b/htgettoken
@@ -272,7 +272,7 @@ class VerifiedHTTPSHandler(urllib_request.HTTPSHandler):
full_kwargs = dict(self._connection_args)
full_kwargs.update(kwargs)
p = urllib_parse.urlsplit('https://'+netloc)
- return CertValidatingHTTPSConnection(p.hostname, p.port, **full_kwargs)
+ return http_client.HTTPSConnection(p.hostname, p.port, **full_kwargs)
return self.do_open(http_class_wrapper, req)
@@ -627,8 +627,10 @@ def main():
parseargs(parser, envargs + sys.argv[1:])
- httpshandler = VerifiedHTTPSHandler(
- cafile=options.cafile, capath=options.capath)
+ context = ssl.SSLContext(cafile=options.cafile,
+ capath=options.capath,
+ verify_mode=ssl.CERT_REQUIRED)
+ httpshandler = VerifiedHTTPSHandler(context=context)
if options.debug:
httpshandler.set_http_debuglevel(1)
opener = urllib_request.build_opener(httpshandler)
from htgettoken.
retzkek
commented on August 23, 2024
Here's a more more fleshed out patch with version check, verified to work with 3.8 and 3.6.
diff --git a/htgettoken b/htgettoken
index febb9f1..c8de02f 100755
--- a/htgettoken
+++ b/htgettoken
@@ -272,7 +272,17 @@ class VerifiedHTTPSHandler(urllib_request.HTTPSHandler):
full_kwargs = dict(self._connection_args)
full_kwargs.update(kwargs)
p = urllib_parse.urlsplit('https://'+netloc)
- return CertValidatingHTTPSConnection(p.hostname, p.port, **full_kwargs)
+ if sys.version_info.major > 3 or \
+ (sys.version_info.major == 3 and sys.version_info.minor >= 7):
+ context = ssl.SSLContext(cafile=full_kwargs['cafile'],
+ capath=full_kwargs['capath'],
+ verify_mode=ssl.CERT_REQUIRED)
+ del full_kwargs['cafile']
+ del full_kwargs['capath']
+ full_kwargs['context'] = context
+ return http_client.HTTPSConnection(p.hostname, p.port, **full_kwargs)
+ else:
+ return CertValidatingHTTPSConnection(p.hostname, p.port, **full_kwargs)
return self.do_open(http_class_wrapper, req)
I don't actually think whatever python 4 is it will have any semblance of compatibility, but may as well be optimistic.
from htgettoken.
DrDaveD
commented on August 23, 2024
It turns out that just a week ago I merged pr #18 (not yet in a tagged release) which added another use into CertValidatingHTTPSConnection, to override the host name that is verified to be different than anything in the Subject Alternate Names list on the host cert. That is useful when testing with a multi-host installation without making a new host cert for each of the servers which includes the cluster name as well as the individual host name. That's kind of a niche use case so I don't think that the python library supports that, but on the other hand I'd hate to give it up at this point.
Doesn't 3.8 work by just changing that 'is' into '=='?
from htgettoken.
DrDaveD
commented on August 23, 2024
Also the comment on CertValidatingHTTPSConnection says to make sure timeouts work as desired. I think that's going to at least take some additional configuration.
from htgettoken.
retzkek
commented on August 23, 2024
Doesn't 3.8 work by just changing that 'is' into '=='?
That just fixes the warning.
from htgettoken.
DrDaveD
commented on August 23, 2024
I have been able to reproduce the problem using the rh-python38-python package on el7, and found another workaround for the problem. Please see if #20 fixes the problem for you.
from htgettoken.
retzkek
commented on August 23, 2024
@DrDaveD thanks, yes that does work for me (tested with 3.8.11 on Darwin/arm64).
from htgettoken.
Related Issues (20)
- Disable calling xdg-open by default when running under ssh HOT 1
- Add an option for minimum lifetime of vault token HOT 2
- Catch un-writeable areas HOT 1
- httokendecode depends on jq but jq is not a package requirement HOT 1
- Improve support for round-robin vault server HOT 1
- Consider adding option for specifying pubkeys to register
- certificate verify failed running htgettoken from laptop HOT 6
- Tag/release for 1.9.1? HOT 1
- Add setuptools/poetry build script HOT 5
- kerberos workflow requires initial pass of OIDC workflow HOT 2
- Add support for default issuer and vaultserver options HOT 3
- Accept wildcard certs HOT 1
- Add htdestroytoken command HOT 2
- Provide Python library interface HOT 23
- Add CI pipeline
- Should examples use real vault server? HOT 1
- httokendecode -H sometimes cannot parse htgettoken-obtained token HOT 2
- Replace fatal() Python function with exception HOT 2
- htgettoken tries to write tempfile in `/` if -o is not full path HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from htgettoken.