Diffstat (limited to 'kafka/conn.py')
-rw-r--r-- | kafka/conn.py | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/kafka/conn.py b/kafka/conn.py
index db56dda..cf5dce3 100644
--- a/kafka/conn.py
+++ b/kafka/conn.py
@@ -70,6 +70,7 @@ class BrokerConnection(object):
 'ssl_cafile': None,
 'ssl_certfile': None,
 'ssl_keyfile': None,
+ 'ssl_crlfile': None,
 'api_version': (0, 8, 2), # default to most restrictive
 'state_change_callback': lambda conn: True,
 }
@@ -228,6 +229,16 @@ class BrokerConnection(object):
 self._ssl_context.load_cert_chain(
 certfile=self.config['ssl_certfile'],
 keyfile=self.config['ssl_keyfile'])
+ if self.config['ssl_crlfile']:
+ if not hasattr(ssl, 'VERIFY_CRL_CHECK_LEAF'):
+ log.error('%s: No CRL support with this version of Python.'
+ ' Disconnecting.', self)
+ self.close()
+ return
+ log.info('%s: Loading SSL CRL from %s', str(self), self.config['ssl_crlfile'])
+ self._ssl_context.load_verify_locations(self.config['ssl_crlfile'])
+ # pylint: disable=no-member
+ self._ssl_context.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
 log.debug('%s: wrapping socket in ssl context', str(self))
 try:
 self._sock = self._ssl_context.wrap_socket( |
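Review bot: The new `'ssl_crlfile': None` default has no description anywhere in the visible lines, so a caller cannot tell what the file must contain or on which interpreters the option works. If the class docstring (outside this hunk) lists the other `ssl_*` options, it should gain a matching entry, for example `ssl_crlfile (str): optional PEM file of certificate revocation lists checked against the broker certificate; requires Python 2.7.9+/3.4+. Default: None.` The entry should also say that the connection is closed when the running Python lacks CRL support, since that is how the second hunk handles it.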
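Review bot: `load_verify_locations(self.config['ssl_crlfile'])` passes the CRL path as `cafile`, so any CA certificates that happen to be in that file are also loaded as trust anchors, and `VERIFY_CRL_CHECK_LEAF` checks only the broker's own certificate, so a revoked intermediate CA goes undetected. Both limits belong in a comment above the call, e.g. `# File must hold CRLs only: certificates in it become trusted CAs. Only the leaf cert is checked, not intermediates.` With this flag set, verification fails when no valid CRL signed by the leaf's issuer has been loaded, so an expired or wrong-issuer file surfaces as a handshake failure; the option's documentation should say so to help operators diagnose it. The enclosing method starts and ends outside the hunk, so whether verification is already required at this point cannot be confirmed from these lines.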