refs #2054 send client cert to ogcore, optionally verify ogcore's cert

tls-again
Natalia Serrano 2025-05-21 17:30:11 +02:00
parent 3ae4471d5d
commit 63944cef0e
1 changed files with 30 additions and 17 deletions

View File

@ -109,21 +109,22 @@ class REST(object):
logger.debug ('TLS not available: python requests library is old')
self.use_tls = url.startswith ('https')
#if self.use_tls:
# if not ca_file or not crt_file or not key_file:
# raise Exception ('missing TLS parameters in REST constructor')
#
# errs = 0
# for f in [ca_file, crt_file, key_file]:
# if not os.path.exists (f):
# logger.error (f'{f}: No such file or directory')
# errs += 1
# if errs:
# raise Exception ('TLS files not found')
#
#self.ca_file = ca_file
#self.crt_file = crt_file
#self.key_file = key_file
if self.use_tls:
if not ca_file or not crt_file or not key_file:
raise Exception ('missing TLS parameters in REST constructor')
errs = 0
for f in [ca_file, crt_file, key_file]:
if not os.path.exists (f):
logger.error (f'{f}: No such file or directory')
errs += 1
if errs:
raise Exception ('TLS files not found')
self.ca_file = ca_file
self.crt_file = crt_file
self.key_file = key_file
self.verify_tls = False
# Disable logging requests messages except for errors, ...
logging.getLogger("requests").setLevel(logging.CRITICAL)
@ -156,7 +157,13 @@ class REST(object):
# Old requests version does not support verify, but it do not checks ssl certificate by default
if self.newerRequestLib:
if self.use_tls:
r = requests.get(url, verify=False, timeout=TIMEOUT)
if self.verify_tls:
logger.debug ('nati: using TLS for GET')
v = self.ca_file
else:
logger.warning ('using insecure TLS for GET')
v = False
r = requests.get(url, cert=(self.crt_file, self.key_file), verify=v, timeout=TIMEOUT)
else:
r = requests.get(url, timeout=TIMEOUT)
else:
@ -165,7 +172,13 @@ class REST(object):
logger.debug('Requesting using POST {}, data: {}'.format(url, data))
if self.newerRequestLib:
if self.use_tls:
r = requests.post(url, data=data, headers={'content-type': 'application/json'}, verify=False, timeout=TIMEOUT)
if self.verify_tls:
logger.debug ('nati: using TLS for POST')
v = self.ca_file
else:
logger.warning ('using insecure TLS for POST')
v = False
r = requests.post(url, data=data, headers={'content-type': 'application/json'}, cert=(self.crt_file, self.key_file), verify=v, timeout=TIMEOUT)
else:
r = requests.post(url, data=data, headers={'content-type': 'application/json'}, timeout=TIMEOUT)
else: