From 6cce934f723c0c77ae582500ac5d7910afc4dadc Mon Sep 17 00:00:00 2001
From: Paulus Schoutsen
Date: Thu, 19 Oct 2017 01:47:57 -0700
Subject: [PATCH] Improve SSL certs used by aiohttp (#9958)
* Improve SSL certs used by aiohttp
* Add certifi package
* Lint
---
 homeassistant/components/cloud/iot.py | 8 ++++----
 homeassistant/helpers/aiohttp_client.py | 8 +++++++-
 homeassistant/package_constraints.txt | 1 +
 requirements_all.txt | 1 +
 setup.py | 1 +
 5 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/homeassistant/components/cloud/iot.py b/homeassistant/components/cloud/iot.py
index 0b3e7c5eada..92b517b570c 100644
--- a/homeassistant/components/cloud/iot.py
+++ b/homeassistant/components/cloud/iot.py
@@ -46,9 +46,6 @@ class CloudIoT:
 remove_hass_stop_listener = None
 session = async_get_clientsession(self.cloud.hass)
- headers = {
- hdrs.AUTHORIZATION: 'Bearer {}'.format(self.cloud.access_token)
- }
 @asyncio.coroutine
 def _handle_hass_stop(event):
@@ -63,7 +60,10 @@ class CloudIoT:
 yield from hass.async_add_job(auth_api.check_token, self.cloud)
 self.client = client = yield from session.ws_connect(
- self.cloud.relayer, headers=headers)
+ self.cloud.relayer, headers={
+ hdrs.AUTHORIZATION:
+ 'Bearer {}'.format(self.cloud.access_token)
+ })
 self.tries = 0
 remove_hass_stop_listener = hass.bus.async_listen_once(
diff --git a/homeassistant/helpers/aiohttp_client.py b/homeassistant/helpers/aiohttp_client.py
index 7816c334de0..239aaea64a0 100644
--- a/homeassistant/helpers/aiohttp_client.py
+++ b/homeassistant/helpers/aiohttp_client.py
@@ -1,5 +1,6 @@
 """Helper for aiohttp webclient stuff."""
 import asyncio
+import ssl
 import sys
 import aiohttp
@@ -7,6 +8,7 @@ from aiohttp.hdrs import USER_AGENT, CONTENT_TYPE
 from aiohttp import web
 from aiohttp.web_exceptions import HTTPGatewayTimeout, HTTPBadGateway
 import async_timeout
+import certifi
 from homeassistant.core import callback
 from homeassistant.const import EVENT_HOMEASSISTANT_CLOSE, __version__
@@ -159,7 +161,11 @@ def _async_get_connector(hass, verify_ssl=True):
 if verify_ssl:
 if DATA_CONNECTOR not in hass.data:
- connector = aiohttp.TCPConnector(loop=hass.loop)
+ ssl_context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+ ssl_context.load_verify_locations(cafile=certifi.where(),
+ capath=None)
+ connector = aiohttp.TCPConnector(loop=hass.loop,
+ ssl_context=ssl_context)
 hass.data[DATA_CONNECTOR] = connector
 is_new = True
 else:
diff --git a/homeassistant/package_constraints.txt b/homeassistant/package_constraints.txt
index c68c10008cb..783aca0ceac 100644
--- a/homeassistant/package_constraints.txt
+++ b/homeassistant/package_constraints.txt
@@ -9,6 +9,7 @@ aiohttp==2.2.5
 async_timeout==2.0.0
 chardet==3.0.4
 astral==1.4
+certifi>=2017.4.17
 # Breaks Python 3.6 and is not needed for our supported Pythons
 enum34==1000000000.0.0
diff --git a/requirements_all.txt b/requirements_all.txt
index 1aa2142d060..8e8a05f834c 100644
--- a/requirements_all.txt
+++ b/requirements_all.txt
@@ -10,6 +10,7 @@ aiohttp==2.2.5
 async_timeout==2.0.0
 chardet==3.0.4
 astral==1.4
+certifi>=2017.4.17
 # homeassistant.components.nuimo_controller
 --only-binary=all https://github.com/getSenic/nuimo-linux-python/archive/29fc42987f74d8090d0e2382e8f248ff5990b8c9.zip#nuimo==1.0.0
diff --git a/setup.py b/setup.py
index c3de5131717..9ced64df954 100755
--- a/setup.py
+++ b/setup.py
@@ -26,6 +26,7 @@ REQUIRES = [
 'async_timeout==2.0.0',
 'chardet==3.0.4',
 'astral==1.4',
+ 'certifi>=2017.4.17',
 ]
 setup(
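Review bot: The context created on the `ssl_context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)` line does not verify the peer: a context built this way starts with `verify_mode = ssl.CERT_NONE` and `check_hostname = False`, so the certifi bundle loaded by the following `load_verify_locations(...)` call is never consulted, and this is the `verify_ssl=True` branch that callers rely on for verification. Unless aiohttp tightens a caller-supplied `ssl_context` (as far as I can tell the 2.x line uses it as given), the new code is a silent downgrade from the removed `aiohttp.TCPConnector(loop=hass.loop)`, which let aiohttp build its own verifying default context. Replace the three added lines before the connector with `ssl_context = ssl.create_default_context(cafile=certifi.where())`, which sets `CERT_REQUIRED` and hostname checking and applies the stdlib's hardened defaults (no SSLv2/SSLv3, no compression), and keep `ssl_context=ssl_context` on the connector. `_async_get_connector` begins before this hunk, so the `verify_ssl=False` path is not visible here and should be checked for the same expectation.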
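Review bot: `'certifi>=2017.4.17',` in `REQUIRES` is the only open-ended specifier among its neighbours (`'async_timeout==2.0.0'`, `'chardet==3.0.4'`, `'astral==1.4'` are exact pins), and the same floor-only bound is repeated in the package_constraints.txt and requirements_all.txt hunks above, so installs of this package are not reproducible the way the others are. If that is intentional because the CA bundle should keep tracking upstream, which is a defensible choice for certifi, record it next to the entry: `# certifi is a CA bundle; left floating on purpose so it stays current`. Otherwise pin it like its siblings so the constraints file actually constrains it.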