From 341db26a28f3594c0def19c7521a60f3aa4c5f89 Mon Sep 17 00:00:00 2001
From: Steve Kowalik <steven@wedontsleep.org>
Date: Wed, 20 Sep 2023 11:42:25 +1000
Subject: [PATCH 1/2] Remove use of ssl.wrap_socket

ssl.wrap_socket() has been deprecated since Python 3.7, and isn't
recommended for use, and further, has been removed in Python 3.12.
ssl.SSLContext().wrap_socket() is the new path forward, so switch the
one callsite and the two test cases to use it instead.
---
 proxy/core/connection/client.py                             | 3 ++-
 tests/http/proxy/test_http_proxy_tls_interception.py        | 6 ++++--
 .../plugin/test_http_proxy_plugins_with_tls_interception.py | 4 ++--
 3 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/proxy/core/connection/client.py b/proxy/core/connection/client.py
index f241c56a06..82f8194795 100644
--- a/proxy/core/connection/client.py
+++ b/proxy/core/connection/client.py
@@ -42,7 +42,8 @@ def connection(self) -> TcpOrTlsSocket:
     def wrap(self, keyfile: str, certfile: str) -> None:
         self.connection.setblocking(True)
         self.flush()
-        self._conn = ssl.wrap_socket(
+        ssl_context = ssl.SSLContext(protocol=ssl.PROTOCOL_TLS_CLIENT)
+        self._conn = ssl_context.wrap_socket(
             self.connection,
             server_side=True,
             certfile=certfile,
diff --git a/tests/http/proxy/test_http_proxy_tls_interception.py b/tests/http/proxy/test_http_proxy_tls_interception.py
index 654bbc5fcd..b75f5cf356 100644
--- a/tests/http/proxy/test_http_proxy_tls_interception.py
+++ b/tests/http/proxy/test_http_proxy_tls_interception.py
@@ -62,9 +62,9 @@ async def test_e2e(self, mocker: MockerFixture) -> None:
         self.mock_ssl_context.return_value.wrap_socket.return_value = upstream_tls_sock
 
         # Used for client wrapping
-        self.mock_ssl_wrap = mocker.patch('ssl.wrap_socket')
+        self.mock_ssl_wrap = mocker.patch('ssl.SSLContext')
         client_tls_sock = mock.MagicMock(spec=ssl.SSLSocket)
-        self.mock_ssl_wrap.return_value = client_tls_sock
+        self.mock_ssl_wrap.return_value.wrap_socket.return_value = client_tls_sock
 
         plain_connection = mock.MagicMock(spec=socket.socket)
 
@@ -251,6 +251,8 @@ async def asyncReturn(val: T) -> T:
         )
         assert self.flags.ca_cert_dir is not None
         self.mock_ssl_wrap.assert_called_with(
+            protocol=ssl.PROTOCOL_TLS_CLIENT)
+        self.mock_ssl_wrap.return_value.wrap_socket.assert_called_with(
             self._conn,
             server_side=True,
             keyfile=self.flags.ca_signing_key_file,
diff --git a/tests/plugin/test_http_proxy_plugins_with_tls_interception.py b/tests/plugin/test_http_proxy_plugins_with_tls_interception.py
index 3d8d6a28f4..a0a05b61f8 100644
--- a/tests/plugin/test_http_proxy_plugins_with_tls_interception.py
+++ b/tests/plugin/test_http_proxy_plugins_with_tls_interception.py
@@ -46,7 +46,7 @@ def _setUp(self, request: Any, mocker: MockerFixture) -> None:
             'proxy.http.proxy.server.TcpServerConnection',
         )
         self.mock_ssl_context = mocker.patch('ssl.create_default_context')
-        self.mock_ssl_wrap = mocker.patch('ssl.wrap_socket')
+        self.mock_ssl_wrap = mocker.patch('ssl.SSLContext')
 
         self.mock_sign_csr.return_value = True
         self.mock_gen_csr.return_value = True
@@ -82,7 +82,7 @@ def _setUp(self, request: Any, mocker: MockerFixture) -> None:
         self.server_ssl_connection = mocker.MagicMock(spec=ssl.SSLSocket)
         self.mock_ssl_context.return_value.wrap_socket.return_value = self.server_ssl_connection
         self.client_ssl_connection = mocker.MagicMock(spec=ssl.SSLSocket)
-        self.mock_ssl_wrap.return_value = self.client_ssl_connection
+        self.mock_ssl_wrap.return_value.wrap_socket.return_value = self.client_ssl_connection
 
         def has_buffer() -> bool:
             return cast(bool, self.server.queue.called)

From 74b77247873c54fb04d535760084f3b0351aa0d7 Mon Sep 17 00:00:00 2001
From: "pre-commit-ci[bot]"
 <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Date: Wed, 20 Sep 2023 01:48:51 +0000
Subject: [PATCH 2/2] [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci
---
 tests/http/proxy/test_http_proxy_tls_interception.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/tests/http/proxy/test_http_proxy_tls_interception.py b/tests/http/proxy/test_http_proxy_tls_interception.py
index b75f5cf356..699cc22cfc 100644
--- a/tests/http/proxy/test_http_proxy_tls_interception.py
+++ b/tests/http/proxy/test_http_proxy_tls_interception.py
@@ -251,7 +251,8 @@ async def asyncReturn(val: T) -> T:
         )
         assert self.flags.ca_cert_dir is not None
         self.mock_ssl_wrap.assert_called_with(
-            protocol=ssl.PROTOCOL_TLS_CLIENT)
+            protocol=ssl.PROTOCOL_TLS_CLIENT,
+        )
         self.mock_ssl_wrap.return_value.wrap_socket.assert_called_with(
             self._conn,
             server_side=True,