Enable http_check to function with weak ciphers on SSL/TLS. #1975
…red too. Session object has nearly identical request method. Default value for weakcipher is false. Adding debug logging for weak ciphers. Importing datetime differently to urllib3 code. Added Transport adapter for weak cyphers, requests lib sessions required too. Session object has nearly identical request method. Default value for weakcipher is false. Adding debug logging for weak ciphers. Importing datetime differently to urllib3 code. Changing cipherlist for weak ciphers, now it works.
|
||
is_time_off = datetime.today().date() < urllib3.connection.RECENT_DATE | ||
if is_time_off: | ||
warnings.warn(( |
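Review bot: `urllib3.connection.RECENT_DATE` on the first line is a constant internal to urllib3, so this override stops working if a later urllib3 moves or renames it, and the branch only leads to a `warnings.warn`, which does not change whether the connection is made. Consider dropping the `is_time_off` check from the override so that the copied code carries no dependency on that constant.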
We can assume that the system time is correct. If it's not, there are way more things that would be broken
This was actually part of the "parent" connect() method in urllib3, I had to overwrite it because I had to change the way we called `ssl_wrap_socket` and add the `ciphers` parameter to the call - the rest of the method is pretty much verbatim.
Still we can remove it. It pollutes the code for a case that will cause more issues than this ssl connection not working if it happens and that will be caught in other parts of the agent.
fixing flake8 issue. More flake8 issue.
390258b to 2926384
|
||
hostname = self.host | ||
if getattr(self, '_tunnel_host', None): | ||
# _tunnel_host was added in Python 2.6.3 |
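Review bot: the `getattr(self, '_tunnel_host', None)` guard on the second line only matters on interpreters older than the 2.6.3 named in the comment below it. If that is below the supported Python floor, test `self._tunnel_host` directly and drop the comment.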
You can assume that python >= 2.6.3
Enable http_check to function with weak ciphers on SSL/TLS.
With this PR we enable the RSA+RC4+MD5 cipher which is considered weak. We can add further weak ciphers if needed. Disabled by default, the user must specify `weakciphers: true` in their `http_check.yaml` for this to have any real effect - otherwise weak ciphers are disabled.
Session object has nearly identical request method.
Default value for weakcipher is false.
Adding debug logging for weak ciphers.
Importing datetime differently to urllib3 code.
Added Transport adapter for weak cyphers, requests lib sessions required too.
Session object has nearly identical request method.
Default value for weakcipher is false.
Adding debug logging for weak ciphers.
Importing datetime differently to urllib3 code.
Changing cipherlist for weak ciphers, now it works.
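
An added example, not code from this PR or from the agent: a standard-library audit that lists which http_check instances opt in through `weakciphers` and flags cipher names containing RC4 or MD5, including those offered by the default `ssl` context of the host's Python. The instance dictionaries, host names and helper function names are constructed for illustration.

```python
import ssl

# Tokens taken from the cipher this PR names (RSA+RC4+MD5).
WEAK_TOKENS = ("RC4", "MD5")


def weak_tokens(cipher_name):
    """Return the weak tokens found in an OpenSSL or TLS 1.3 cipher name."""
    parts = cipher_name.upper().replace("_", "-").split("-")
    return sorted(t for t in WEAK_TOKENS if t in parts)


def weak_offered(cipher_names):
    """Map each cipher name that contains a weak token to those tokens."""
    return {n: weak_tokens(n) for n in cipher_names if weak_tokens(n)}


def context_weak_ciphers(ctx=None):
    """Check what an ssl.SSLContext on this host would actually offer."""
    ctx = ctx or ssl.create_default_context()
    return weak_offered(c["name"] for c in ctx.get_ciphers())


def instances_opted_in(instances):
    """Names of http_check instances that set weakciphers to true.

    A missing key counts as false, matching the default stated in the PR.
    """
    return [i.get("name", i.get("url")) for i in instances
            if i.get("weakciphers", False) is True]


# Constructed sample: http_check.yaml instances as they look after YAML loading.
SAMPLE_INSTANCES = [
    {"name": "public-site", "url": "https://www.example.com"},
    {"name": "legacy-intranet", "url": "https://legacy.example.internal",
     "weakciphers": True},
    {"name": "api", "url": "https://api.example.com", "weakciphers": False},
]

if __name__ == "__main__":
    print("opted in:", instances_opted_in(SAMPLE_INSTANCES))
    print("weak in sample list:",
          weak_offered(["ECDHE-RSA-AES128-GCM-SHA256", "RC4-MD5"]))
    print("weak in default context:", context_weak_ciphers())
```

Running the opt-in list against the deployed configuration shows exactly which endpoints still depend on the weak cipher, which is the set to revisit once those servers are upgraded.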