fix python 3.12 ssl deprecation warnings

use the more specific protocol constants, which means we have to set the 'check_hostname' attribute before setting the verify mode
Xpra-org · Jan 16, 2024 · 111ec73 · 111ec73
1 parent c388d69
commit 111ec73
Showing 1 changed file with 5 additions and 2 deletions.
diff --git a/xpra/net/socket_util.py b/xpra/net/socket_util.py
@@ -1061,7 +1061,9 @@ def get_ssl_wrap_socket_context(cert=None, key=None, key_password=None, ca_certs
     ssllog(" ca-certs=%s", ca_certs)
     #parse protocol:
     import ssl
-    proto = getattr(ssl, "PROTOCOL_" + protocol.upper().replace("V", "v"), None)
+    if protocol.upper() == "TLS":
+        protocol = "TLS_SERVER" if server_side else "TLS_CLIENT"
+    proto = getattr(ssl, "PROTOCOL_" + protocol.upper().replace("TLSV", "TLSv"), None)
     if proto is None:
         values = [k[len("PROTOCOL_"):] for k in dir(ssl) if k.startswith("PROTOCOL_")]
         raise InitException(f"invalid ssl-protocol {protocol!r}, must be one of: "+csv(values))
@@ -1100,6 +1102,8 @@ def get_ssl_wrap_socket_context(cert=None, key=None, key_password=None, ca_certs
 
     context = ssl.SSLContext(proto)
     context.set_ciphers(ciphers)
+    if not server_side:
+        context.check_hostname = check_hostname
     context.verify_mode = ssl_cert_reqs
     context.verify_flags = ssl_verify_flags
     context.options = ssl_options
@@ -1125,7 +1129,6 @@ def get_ssl_wrap_socket_context(cert=None, key=None, key_password=None, ca_certs
             purpose = ssl.Purpose.CLIENT_AUTH   #@UndefinedVariable
         else:
             purpose = ssl.Purpose.SERVER_AUTH   #@UndefinedVariable
-            context.check_hostname = check_hostname
             ssllog(" check_hostname=%s, server_hostname=%s", check_hostname, server_hostname)
             if context.check_hostname and not server_hostname:
                 raise InitException("ssl error: check-hostname is set but server-hostname is not")