patch: Add option to disable ssl.VERIFY_X509_STRICT #350

Merged
merged 1 commit into from
Feb 11, 2025
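--- a/kubernetes_asyncio/client/configuration.py
+++ b/kubernetes_asyncio/client/configuration.py
@@ -177,6 +177,14 @@ def __init__(self, host=None,
         Set this to false to skip verifying SSL certificate when calling API
         from https server.
         """
+        self.disable_strict_ssl_verification = False
+        """Set to true, to accept certificates violate X509 strict certificate
+        verification requirements, like missing the following extensions:
+        - X509v3 Subject Key Identifier
+        - X509v3 Authority Key Identifier
+        - X509v3 Subject Alternative Name
+        (It is implemented by removing ssl.VERIFY_X509_STRICT from SSLContext.verify_flags)
+        """
         self.ssl_ca_cert = ssl_ca_cert
         """Set this to customize the certificate file to verify the peer.
         """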
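Review bot: The attribute docstring added under `self.disable_strict_ssl_verification` is ungrammatical ("certificates violate") and understates what the option switches off: ssl.VERIFY_X509_STRICT enforces the full set of RFC 5280 conformance checks, of which the three listed extensions are only examples, and it is set by default from Python 3.13 on. I would reword it as `Set to True to accept certificates that fail the RFC 5280 strict checks enforced by ssl.VERIFY_X509_STRICT (on by default since Python 3.13), e.g. a cluster CA missing the Subject/Authority Key Identifier or Subject Alternative Name extensions. Chain validation and hostname checking are not affected by this flag; prefer fixing the certificate, this is a compatibility escape hatch, not a substitute for verify_ssl.` Unlike `ssl_ca_cert`, the new flag is not a constructor argument, so callers must set it after construction — worth stating in the docstring if that is intended. `__init__` continues on both sides of the hunk.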
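--- a/kubernetes_asyncio/client/rest.py
+++ b/kubernetes_asyncio/client/rest.py
@@ -61,6 +61,8 @@ def __init__(self, configuration, pools_size=4, maxsize=None):
         if not configuration.verify_ssl:
             ssl_context.check_hostname = False
             ssl_context.verify_mode = ssl.CERT_NONE
+        if configuration.disable_strict_ssl_verification:
+            ssl_context.verify_flags &= ~ssl.VERIFY_X509_STRICT
 
         connector = aiohttp.TCPConnector(
             limit=maxsize,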
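Review bot: The new `if configuration.disable_strict_ssl_verification:` branch weakens certificate validation for every request issued through this client without leaving any trace that it is in effect; if the module-level logger the generated rest.py usually defines is in scope here, emit `logger.warning("VERIFY_X509_STRICT disabled; accepting server certificates that fail RFC 5280 strict checks")` inside the branch so operators can see it in production logs. A why-comment would also help the next reader, e.g. `# VERIFY_X509_STRICT is set by default from Python 3.13 on; clearing it is a no-op on older versions where the context does not set it.` The branch sits after the `verify_ssl` block, which is harmless because CERT_NONE already skips the check, but the two options are independent and that independence is worth a word in the comment. `__init__` continues on both sides of the hunk, so where `ssl_context` is created is not visible here.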
8 changes: 8 additions & 0 deletions kubernetes_asyncio/client/test_rest.py
@@ -1,4 +1,5 @@
import asyncio
import ssl
import unittest
from unittest.mock import AsyncMock
import aiohttp
Expand Down Expand Up @@ -30,3 +31,10 @@ async def test_rest_request_timeout(self):
timeout=expected_timeout_arg,
headers={"Content-Type": "application/json"}
)

async def test_disable_ssl_verification(self):
configuration = Configuration()
configuration.disable_strict_ssl_verification = True
rest_api = RESTClientObject(configuration=configuration)
ssl_context = rest_api.pool_manager._connector._ssl
self.assertEqual(ssl_context.verify_flags & ssl.VERIFY_X509_STRICT, 0)
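Review bot: `test_disable_ssl_verification` is misnamed for what it asserts — it exercises `disable_strict_ssl_verification`, not `verify_ssl` — so rename it `test_disable_strict_ssl_verification` to avoid confusion with the full-bypass option. It also only checks that the flag is cleared; the security property worth pinning is that the relaxation does not disable anything else, so add `self.assertEqual(ssl_context.verify_mode, ssl.CERT_REQUIRED)` and `self.assertTrue(ssl_context.check_hostname)` (assuming the context is built from ssl.create_default_context, which the hunk does not show). Reaching into `rest_api.pool_manager._connector._ssl` couples the test to aiohttp private attributes, and the session created by RESTClientObject is never closed, which may surface as a ResourceWarning — close it at the end of the test if the class offers a close coroutine.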
@@ -0,0 +1,19 @@
diff --git a/kubernetes_asyncio/client/configuration.py b/kubernetes_asyncio/client/configuration.py
index d0dd9f9e..facc9173 100644
--- a/kubernetes_asyncio/client/configuration.py
+++ b/kubernetes_asyncio/client/configuration.py
@@ -177,6 +177,14 @@ conf = client.Configuration(
Set this to false to skip verifying SSL certificate when calling API
from https server.
"""
+ self.disable_strict_ssl_verification = False
+ """Set to true, to accept certificates violate X509 strict certificate
+ verification requirements, like missing the following extensions:
+ - X509v3 Subject Key Identifier
+ - X509v3 Authority Key Identifier
+ - X509v3 Subject Alternative Name
+ (It is implemented by removing ssl.VERIFY_X509_STRICT from SSLContext.verify_flags)
+ """
self.ssl_ca_cert = ssl_ca_cert
"""Set this to customize the certificate file to verify the peer.
"""
13 changes: 13 additions & 0 deletions scripts/rest_client_disable_ssl_strict_verification_patch.diff
@@ -0,0 +1,13 @@
diff --git a/kubernetes_asyncio/client/rest.py b/kubernetes_asyncio/client/rest.py
index eca41107..ee30e26a 100644
--- a/kubernetes_asyncio/client/rest.py
+++ b/kubernetes_asyncio/client/rest.py
@@ -61,6 +61,8 @@ class RESTClientObject(object):
if not configuration.verify_ssl:
ssl_context.check_hostname = False
ssl_context.verify_mode = ssl.CERT_NONE
+ if configuration.disable_strict_ssl_verification:
+ ssl_context.verify_flags &= ~ssl.VERIFY_X509_STRICT

connector = aiohttp.TCPConnector(
limit=maxsize,
3 changes: 3 additions & 0 deletions scripts/update-client.sh
Expand Up @@ -73,6 +73,9 @@ patch "${CLIENT_ROOT}/client/rest.py" "${SCRIPT_ROOT}/rest_client_patch_read_buf
echo ">>> fix generated rest client and configuration to support customer server hostname TLS verification..."
patch "${CLIENT_ROOT}/client/rest.py" "${SCRIPT_ROOT}/rest_client_server_hostname_patch.diff"
patch "${CLIENT_ROOT}/client/configuration.py" "${SCRIPT_ROOT}/client_configuration_tls_server_name_patch.diff"
echo ">>> fix generated rest client and configuration to support disabling strict TLS verification..."
patch "${CLIENT_ROOT}/client/rest.py" "${SCRIPT_ROOT}/rest_client_disable_ssl_strict_verification_patch.diff"
patch "${CLIENT_ROOT}/client/configuration.py" "${SCRIPT_ROOT}/client_configuration_disable_ssl_strict_verification_patch.diff"
echo ">>> fix generated rest client by handling timeout correctly..."
patch -R "${CLIENT_ROOT}/client/rest.py" "${SCRIPT_ROOT}/rest_client_timeout.diff"
