authorVincent Bernat <vincent@bernat.im>2016-05-19 16:19:34 +0200
committerDana Powers <dana.powers@gmail.com>2016-05-19 07:19:34 -0700
commit92f859d8da5c3f35ab3738ef2725fff05b6cf57f (patch)
treecc764c63116ed56fcb650dc21fc84aec66dd0151 /kafka/conn.py
parent254dcacb28f66c8426fb8ff161b88e2feb4c486a (diff)
Add CRL support to SSL support (#683)
A user can provide a CRL against which the peer certificate will be checked. This only works with Python 3.4+ and Python 2.7.9+.
Diffstat (limited to 'kafka/conn.py')
-rw-r--r--kafka/conn.py11
1 files changed, 11 insertions, 0 deletions
diff --git a/kafka/conn.py b/kafka/conn.py
index db56dda..cf5dce3 100644
--- a/kafka/conn.py
+++ b/kafka/conn.py
@@ -70,6 +70,7 @@ class BrokerConnection(object):
'ssl_cafile': None,
'ssl_certfile': None,
'ssl_keyfile': None,
+ 'ssl_crlfile': None,
'api_version': (0, 8, 2), # default to most restrictive
'state_change_callback': lambda conn: True,
}
@@ -228,6 +229,16 @@ class BrokerConnection(object):
self._ssl_context.load_cert_chain(
certfile=self.config['ssl_certfile'],
keyfile=self.config['ssl_keyfile'])
+ if self.config['ssl_crlfile']:
+ if not hasattr(ssl, 'VERIFY_CRL_CHECK_LEAF'):
+ log.error('%s: No CRL support with this version of Python.'
+ ' Disconnecting.', self)
+ self.close()
+ return
+ log.info('%s: Loading SSL CRL from %s', str(self), self.config['ssl_crlfile'])
+ self._ssl_context.load_verify_locations(self.config['ssl_crlfile'])
+ # pylint: disable=no-member
+ self._ssl_context.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
log.debug('%s: wrapping socket in ssl context', str(self))
try:
self._sock = self._ssl_context.wrap_socket(
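Review bot: `VERIFY_CRL_CHECK_LEAF` only revocation-checks the broker's end-entity certificate, and OpenSSL then requires a CRL for that certificate's issuer to be loaded, so a CRL from a different CA or an expired CRL makes every handshake fail with a verify error rather than being ignored; nothing in the hunk documents either constraint. I would add above the `verify_flags` line: `# Leaf-only revocation check (intermediates are not checked); OpenSSL needs a CRL from the issuer of the broker cert, so a mismatched or stale CRL fails every handshake`. The unsupported-Python branch logs and calls `self.close()` instead of raising, which presumably turns a fixed configuration error into a repeated error/disconnect on every reconnect attempt; raising a configuration error at that point, or at config validation time, seems preferable — confirm against the caller. The enclosing method starts before and ends after the hunk.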