authorKenneth Anthony Giusti <kgiusti@apache.org>2012-09-21 15:02:58 +0000
committerKenneth Anthony Giusti <kgiusti@apache.org>2012-09-21 15:02:58 +0000
commit1d55085f6f4fdf1a29ae7a468b189dabf9badef1 (patch)
tree340f4e2ef7eff100eb00e4be5bc6604fa16faa77
parentfc62a60d120f829c2a9c3c173fb4e0db3dfba633 (diff)
downloadqpid-python-1d55085f6f4fdf1a29ae7a468b189dabf9badef1.tar.gz
QPID-4337: add SSL support for older python clients.
git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk@1388544 13f79535-47bb-0310-9956-ffa450edef68
-rw-r--r--qpid/extras/qmf/src/py/qmf/console.py13
-rw-r--r--qpid/python/qpid/messaging/transports.py36
-rw-r--r--qpid/python/qpid/util.py6
3 files changed, 52 insertions, 3 deletions
diff --git a/qpid/extras/qmf/src/py/qmf/console.py b/qpid/extras/qmf/src/py/qmf/console.py
index af5d1da5ca..1fb23a047d 100644
--- a/qpid/extras/qmf/src/py/qmf/console.py
+++ b/qpid/extras/qmf/src/py/qmf/console.py
@@ -25,6 +25,7 @@ import qpid
import struct
import socket
import re
+import sys
from qpid.datatypes import UUID
from qpid.datatypes import timestamp
from qpid.datatypes import datetime
@@ -2423,7 +2424,14 @@ class Broker(Thread):
oldTimeout = sock.gettimeout()
sock.settimeout(self.connTimeout)
connSock = None
+ force_blocking = False
if self.ssl:
+ # Bug (QPID-4337): the "old" implementation of python SSL
+ # fails if the socket is set to non-blocking (which settimeout()
+ # may change).
+ if sys.version_info[:2] < (2, 6): # 2.6+ uses openssl - it's ok
+ force_blocking = True
+ sock.setblocking(1)
if 'ssl_certfile' in self.connectArgs:
connSock = ssl(sock, certfile=self.connectArgs['ssl_certfile'])
else:
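Review bot: On Python older than 2.6 the added `sock.setblocking(1)` cancels the `settimeout(self.connTimeout)` set a few lines above, so the SSL handshake and the later `self.conn.start()` run with no time bound and an unresponsive broker can stall this thread indefinitely. The following hunk (`if not force_blocking:`) then leaves the socket in blocking mode instead of restoring `oldTimeout`. The new comment explains why blocking mode is needed but not this consequence; I would extend it with `# NOTE: connTimeout is not enforced on this path; the handshake can block until the peer responds or closes`. The enclosing method starts and ends outside both hunks, so whether a caller applies another bound is not visible here.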
@@ -2438,7 +2446,10 @@ class Broker(Thread):
oldAborted = self.conn.aborted
self.conn.aborted = aborted
self.conn.start()
- sock.settimeout(oldTimeout)
+
+ # Bug (QPID-4337): don't enable non-blocking (timeouts) for old SSL
+ if not force_blocking:
+ sock.settimeout(oldTimeout)
self.conn.aborted = oldAborted
uid = self.conn.user_id
if uid.__class__ == tuple and len(uid) == 2:
diff --git a/qpid/python/qpid/messaging/transports.py b/qpid/python/qpid/messaging/transports.py
index 532c365884..e901e98258 100644
--- a/qpid/python/qpid/messaging/transports.py
+++ b/qpid/python/qpid/messaging/transports.py
@@ -55,7 +55,41 @@ try:
from ssl import wrap_socket, SSLError, SSL_ERROR_WANT_READ, \
SSL_ERROR_WANT_WRITE
except ImportError:
- pass
+
+ ## try the older python SSL api:
+ from socket import ssl
+
+ class old_ssl(SocketTransport):
+ def __init__(self, conn, host, port):
+ SocketTransport.__init__(self, conn, host, port)
+ # Bug (QPID-4337): this is the "old" version of python SSL.
+ # The private key is required. If a certificate is given, but no
+ # keyfile, assume the key is contained in the certificate
+ ssl_keyfile = conn.ssl_keyfile
+ ssl_certfile = conn.ssl_certfile
+ if ssl_certfile and not ssl_keyfile:
+ ssl_keyfile = ssl_certfile
+ self.ssl = ssl(self.socket, keyfile=ssl_keyfile, certfile=ssl_certfile)
+ self.socket.setblocking(1)
+
+ def reading(self, reading):
+ return reading
+
+ def writing(self, writing):
+ return writing
+
+ def recv(self, n):
+ return self.ssl.read(n)
+
+ def send(self, s):
+ return self.ssl.write(s)
+
+ def close(self):
+ self.socket.close()
+
+ TRANSPORTS["ssl"] = old_ssl
+ TRANSPORTS["tcp+tls"] = old_ssl
+
else:
class tls(SocketTransport):
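Review bot: `old_ssl` passes only `keyfile` and `certfile` to the legacy `socket.ssl()` call, and that API performs no validation of the peer certificate, so the `"ssl"` and `"tcp+tls"` entries registered here give an encrypted channel to a broker whose identity is never checked. A client that falls back to this transport is silently weaker than one using the `tls` class in the `else:` branch, assuming that class verifies against a trust store (its body is outside the hunk). I would state this at the top of the class, e.g. `# NOTE: socket.ssl() does not verify the broker certificate; encryption only, no server authentication`, and consider refusing to connect when the connection is configured with a CA/trust file. The `ssl` wrapper in qpid/python/qpid/util.py has the same limitation: its `trustfile` argument is accepted but not passed to `wrap_socket`.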
diff --git a/qpid/python/qpid/util.py b/qpid/python/qpid/util.py
index 39ad1d830e..5b1a876c5e 100644
--- a/qpid/python/qpid/util.py
+++ b/qpid/python/qpid/util.py
@@ -24,8 +24,12 @@ try:
except ImportError:
from socket import ssl as wrap_socket
class ssl:
-
def __init__(self, sock, keyfile=None, certfile=None, trustfile=None):
+ # Bug (QPID-4337): this is the "old" version of python SSL.
+ # The private key is required. If a certificate is given, but no
+ # keyfile, assume the key is contained in the certificate
+ if certfile and not keyfile:
+ keyfile = certfile
self.sock = sock
self.ssl = wrap_socket(sock, keyfile=keyfile, certfile=certfile)