_XTc @sddlmZmZddlmZmZmZddlmZdZ e Z dZ ddlZddlZy0ddlmZmZmZddlm Z Wnek rnXy ddlmZmZmZWn#ek rd\ZZd ZnXydd lmZWnek r#d ZnXyddlm Z Wn3ek rmddlZdefdYZ nXdZdZdZdejdddZdddddddddZdS(i(thexlifyt unhexlify(tmd5tsha1tsha256i(tSSLErrorN(t wrap_sockett CERT_NONEtPROTOCOL_SSLv23(tHAS_SNI(t OP_NO_SSLv2t OP_NO_SSLv3tOP_NO_COMPRESSIONiii(t_DEFAULT_CIPHERSsECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+HIGH:DH+HIGH:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+HIGH:RSA+3DES:!aNULL:!eNULL:!MD5(t SSLContextRcBsGeZejdkZdZdZdZdZddZ RS( iicCsO||_t|_tj|_d|_d|_d|_ d|_ d|_ dS(Ni( tprotocoltFalsetcheck_hostnametsslRt verify_modetNonetca_certstoptionstcertfiletkeyfiletciphers(tselftprotocol_version((s5/usr/lib/python2.7/site-packages/urllib3/util/ssl_.pyt__init__,s       cCs||_||_dS(N(RR(RRR((s5/usr/lib/python2.7/site-packages/urllib3/util/ssl_.pytload_cert_chain7s cCs ||_dS(N(R(Rtlocation((s5/usr/lib/python2.7/site-packages/urllib3/util/ssl_.pytload_verify_locations;scCs%|jstdn||_dS(NsYour version of Python does not support setting a custom cipher suite. Please upgrade to Python 2.7, 3.2, or later if you need this functionality.(tsupports_set_cipherst TypeErrorR(Rt cipher_suite((s5/usr/lib/python2.7/site-packages/urllib3/util/ssl_.pyt set_ciphers>s  cCshi|jd6|jd6|jd6|jd6|jd6}|jrWt|d|j|St||SdS(NRRRt cert_reqst ssl_versionR(RRRRRR RR(Rtsockettserver_hostnametkwargs((s5/usr/lib/python2.7/site-packages/urllib3/util/ssl_.pyRGs      (iiN( t__name__t __module__tsyst version_infoR RRRR#RR(((s5/usr/lib/python2.7/site-packages/urllib3/util/ssl_.pyR)s    cCsitd6td6td6}|jddj}tt|d\}}|s`||krotdnt|j }||}||j }||kstdj t |t |nd S( s Checks if given fingerprint matches the supplied certificate. :param cert: Certificate as bytes object. :param fingerprint: Fingerprint as string of hexdigits, can be interspersed by colons. iii t:tis!Fingerprint is of invalid length.s6Fingerprints did not match. Expected "{0}", got "{1}".N( RRRtreplacetlowertdivmodtlenRRtencodetdigesttformatR(tcertt fingerprintt hashfunc_mapt digest_lengthtoddtfingerprint_bytesthashfunct cert_digest((s5/usr/lib/python2.7/site-packages/urllib3/util/ssl_.pytassert_fingerprintUs      cCs[|dkrtSt|trWtt|d}|dkrSttd|}n|S|S(s Resolves the argument to a numeric constant, which can be passed to the wrap_socket function/method from the ssl module. Defaults to :data:`ssl.CERT_NONE`. If given a string it is assumed to be the name of the constant in the :mod:`ssl` module or its abbrevation. (So you can specify `REQUIRED` instead of `CERT_REQUIRED`. If it's neither `None` nor a string we assume it is already the numeric constant which can directly be passed to wrap_socket. tCERT_N(RRt isinstancetstrtgetattrR(t candidatetres((s5/usr/lib/python2.7/site-packages/urllib3/util/ssl_.pytresolve_cert_reqszs  cCs[|dkrtSt|trWtt|d}|dkrSttd|}n|S|S(s like resolve_cert_reqs t PROTOCOL_N(RRR@RARBR(RCRD((s5/usr/lib/python2.7/site-packages/urllib3/util/ssl_.pytresolve_ssl_versions  cCst|ptj}|dkrHd}|tO}|tO}|tO}n|j|O_t|dt r|j |pxt n||_ t|dddk rt |_n|S(sAll arguments have the same meaning as ``ssl_wrap_socket``. By default, this function does a lot of the same work that ``ssl.create_default_context`` does on Python 3.4+. It: - Disables SSLv2, SSLv3, and compression - Sets a restricted set of server ciphers If you wish to enable SSLv3, you can do:: from urllib3.util import ssl_ context = ssl_.create_urllib3_context() context.options &= ~ssl_.OP_NO_SSLv3 You can do the same to enable compression (substituting ``COMPRESSION`` for ``SSLv3`` in the last line above). :param ssl_version: The desired protocol version to use. This will default to PROTOCOL_SSLv23 which will negotiate the highest protocol that both the server and your installation of OpenSSL support. :param cert_reqs: Whether to require the certificate verification. This defaults to ``ssl.CERT_REQUIRED``. :param options: Specific OpenSSL options. These default to ``ssl.OP_NO_SSLv2``, ``ssl.OP_NO_SSLv3``, ``ssl.OP_NO_COMPRESSION``. :param ciphers: Which cipher suites to allow the server to select. :returns: Constructed SSLContext object with specified options :rtype: SSLContext iR RN(RRRRR R R RRBtTrueR#R RRR(R%R$RRtcontext((s5/usr/lib/python2.7/site-packages/urllib3/util/ssl_.pytcreate_urllib3_contexts#      c Cs|} | dkr*t||d|} n|ry| j|Wqtk rb} t| qtk r} | jtjkrt| nqXn|r| j||nt r| j |d|S| j |S(s0 All arguments except for server_hostname and ssl_context have the same meaning as they do when using :func:`ssl.wrap_socket`. :param server_hostname: When SNI is supported, the expected hostname of the certificate :param ssl_context: A pre-made :class:`SSLContext` object. If none is provided, one will be created using :func:`create_urllib3_context`. :param ciphers: A string of ciphers we wish the client to support. This is not supported on Python 2.6 as the ssl module does not support it. RR'N( RRJRtIOErrorRtOSErrorterrnotENOENTRR R( tsockRRR$RR'R%Rt ssl_contextRIte((s5/usr/lib/python2.7/site-packages/urllib3/util/ssl_.pytssl_wrap_sockets$    (ii( tbinasciiRRthashlibRRRt exceptionsRRRRR tcreate_default_contextRMRRRRt ImportErrorR R R R R+tobjectR>RERGt CERT_REQUIREDRJRR(((s5/usr/lib/python2.7/site-packages/urllib3/util/ssl_.pytsD           , %   ;