mirror of https://github.com/openvswitch/ovs synced 2025-08-31 22:35:15 +00:00

stream-ssl: Remove use of deprecated SSLv23_method.

SSLv23_method() is deprecated since OpenSSL 1.1.0.  In practice, it is
just renamed into TLS_method().  Use the new name instead.

For the python version of the code, we can use PROTOCOL_TLS_CLIENT,
since we only support client side of the connection.  It turns on
the hostname check by default, though.  So, we need to turn it off,
otherwise we would have to provide the server_hostname for every
wrap_socket.  We would just use generic PROTOCOL_TLS as we do in C,
but unfortunately PROTOCOL_TLS is deprecated since Python 3.10.

Acked-by: Eelco Chaudron <echaudro@redhat.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
Ilya Maximets
2024-12-09 17:38:48 +01:00
parent 57d58b7999
commit 2b9cc5f1c4
2 changed files with 9 additions and 15 deletions


@@ -790,9 +790,10 @@ class SSLStream(Stream):
if sock is None:
return family, sock
# Create an SSL context
ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
# Create an SSL context.
ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
ctx.verify_mode = ssl.CERT_REQUIRED
ctx.check_hostname = False
ctx.options |= ssl.OP_NO_SSLv2
ctx.options |= ssl.OP_NO_SSLv3
ctx.options |= ssl.OP_NO_TLSv1
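
Review bot: `ctx.check_hostname = False` on the new context has no in-code explanation, and with it off the `CERT_REQUIRED` check validates only the certificate chain, not that the certificate belongs to the host being connected to. The reason is given in the commit message (no `server_hostname` is passed to `wrap_socket`), but someone reading the file will not see it; please add a short comment above that line saying the hostname check is disabled deliberately and why. Separately, since this change is about dropping deprecated names, the `OP_NO_SSLv2`, `OP_NO_SSLv3` and `OP_NO_TLSv1` options kept as context are themselves deprecated in the Python `ssl` module in favour of `ctx.minimum_version`; that could be handled in a follow-up.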