Merge branch 'main' into support/3.2

zatosource · Nov 16, 2023 · e8d6a81 · e8d6a81
2 parents 354b7dc + 4411944
commit e8d6a81
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 3 deletions.
diff --git a/code/zato-server/src/zato/server/ext/ws4py/client/__init__.py b/code/zato-server/src/zato/server/ext/ws4py/client/__init__.py
@@ -1,11 +1,13 @@
 # -*- coding: utf-8 -*-
 # flake8: noqa
 from base64 import b64encode
+from copy import deepcopy
 from hashlib import sha1
 import os
 import socket
 import ssl
 
+from zato.common.api import NotGiven
 from zato.server.ext.ws4py import WS_KEY, WS_VERSION
 from zato.server.ext.ws4py.exc import HandshakeError
 from zato.server.ext.ws4py.websocket import WebSocket
@@ -79,7 +81,6 @@ def __init__(self, url, protocols=None, extensions=None,
         self.resource = None
         self.ssl_options = ssl_options or {}
         self.extra_headers = headers or []
-
         self._parse_url()
 
         if self.unix_socket_path:
@@ -152,6 +153,10 @@ def _parse_url(self):
         else:
             raise ValueError("Invalid hostname from: %s", self.url)
 
+        # We have our host so we can set the TLS options accordingly
+        if not 'server_hostname' in self.ssl_options:
+            self.ssl_options['server_hostname'] = self.host
+
         if parsed.port:
             self.port = parsed.port
 
@@ -205,7 +210,19 @@ def connect(self):
         """
         if self.scheme == "wss":
             # default port is now 443; upgrade self.sender to send ssl
-            self.sock = ssl.wrap_socket(self.sock, **self.ssl_options)
+
+            # This may be specified if needed ..
+            check_hostname = os.environ.get('Zato_WSX_TLS_Check_Hostname', NotGiven)
+
+            # .. if there is no such environment variable, assume the host name needs to be checked.
+            if check_hostname is NotGiven:
+                check_hostname = True
+            else:
+                check_hostname = False
+
+            context = ssl.create_default_context()
+            context.check_hostname = check_hostname
+            self.sock = context.wrap_socket(self.sock, **self.ssl_options)
             self._is_secure = True
 
         self.sock.connect(self.bind_addr)

diff --git a/code/zato-server/src/zato/server/ext/ws4py/client/tornadoclient.py b/code/zato-server/src/zato/server/ext/ws4py/client/tornadoclient.py
@@ -36,7 +36,8 @@ def closed(self, code, reason=None):
         WebSocketBaseClient.__init__(self, url, protocols, extensions,
                                      ssl_options=ssl_options, headers=headers)
         if self.scheme == "wss":
-            self.sock = ssl.wrap_socket(self.sock, do_handshake_on_connect=False, **self.ssl_options)
+            context = ssl.create_default_context()
+            self.sock = context.wrap_socket(self.sock, do_handshake_on_connect=False, **self.ssl_options)
             self._is_secure = True
             self.io = iostream.SSLIOStream(self.sock, io_loop, ssl_options=self.ssl_options)
         else: