refactor(Connection): explicitly use TLS client protocol for underlyi…

…ng connection socket. previously TLS protocol was used by default. resolves deprecation warnings in Python 3.11
aws · Dec 14, 2023 · ededb28 · ededb28
1 parent 053ad2b
commit ededb28
Showing 1 changed file with 6 additions and 9 deletions.
diff --git a/redshift_connector/core.py b/redshift_connector/core.py
@@ -563,9 +563,7 @@ def get_calling_module() -> str:
 
             if credentials_provider.split(".")[-1] in ("IdpTokenAuthPlugin",):
                 redshift_native_auth = True
-                self.set_idc_plugins_params(
-                    init_params, credentials_provider, identity_namespace, token_type
-                )
+                self.set_idc_plugins_params(init_params, credentials_provider, identity_namespace, token_type)
 
             if redshift_native_auth and provider_name:
                 init_params["provider_name"] = provider_name
@@ -635,18 +633,16 @@ def get_calling_module() -> str:
             # create ssl connection with Redshift CA certificates and check the hostname
             if ssl is True:
                 try:
-                    from ssl import CERT_REQUIRED, SSLContext
-
-                    # ssl_context = ssl.create_default_context()
+                    from ssl import PROTOCOL_TLS_CLIENT, SSLContext
 
                     path = os.path.abspath(__file__)
                     if os.name == "nt":
                         path = "\\".join(path.split("\\")[:-1]) + "\\files\\redshift-ca-bundle.crt"
                     else:
                         path = "/".join(path.split("/")[:-1]) + "/files/redshift-ca-bundle.crt"
 
-                    ssl_context: SSLContext = SSLContext()
-                    ssl_context.verify_mode = CERT_REQUIRED
+                    # The protocol enables CERT_REQUIRED and check_hostname by default.
+                    ssl_context: SSLContext = SSLContext(protocol=PROTOCOL_TLS_CLIENT)
                     ssl_context.load_default_certs()
                     _logger.debug("try to load Redshift CA certs from location %s", path)
                     ssl_context.load_verify_locations(path)
@@ -662,12 +658,13 @@ def get_calling_module() -> str:
 
                     if sslmode == "verify-ca":
                         _logger.debug("applying sslmode=%s to socket", sslmode)
+                        ssl_context.check_hostname = False
                         self._usock = ssl_context.wrap_socket(self._usock)
                     elif sslmode == "verify-full":
                         _logger.debug("applying sslmode=%s to socket and force check_hostname", sslmode)
-                        ssl_context.check_hostname = True
                         self._usock = ssl_context.wrap_socket(self._usock, server_hostname=host)
                     else:
+                        ssl_context.check_hostname = False
                         _logger.debug("unknown sslmode=%s is ignored", sslmode)
                     _logger.debug("Socket SSL details: %s", self._usock.cipher())  # type: ignore