breaking: remove custom SSL adapter

`match_hostname` is gone in Python 3.12 and has been unused by Python since 3.7. The custom SSL adapter allows passing a specific SSL version; this was first introduced a looong time ago to handle some SSL issues at the time. Signed-off-by: Milas Bowman <[email protected]>
milas · Nov 20, 2023 · f04e77a · f04e77a
1 parent 711f72f
commit f04e77a
Show file tree

Hide file tree

Showing 14 changed files with 24 additions and 343 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1
 
-ARG PYTHON_VERSION=3.10
+ARG PYTHON_VERSION=3.12
 
 FROM python:${PYTHON_VERSION}
 

diff --git a/Dockerfile-docs b/Dockerfile-docs
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1
 
-ARG PYTHON_VERSION=3.10
+ARG PYTHON_VERSION=3.12
 
 FROM python:${PYTHON_VERSION}
 

diff --git a/Jenkinsfile b/Jenkinsfile
diff --git a/docker/api/client.py b/docker/api/client.py
@@ -4,6 +4,7 @@
 from functools import partial
 
 import requests
+import requests.adapters
 import requests.exceptions
 import websocket
 
@@ -15,7 +16,7 @@
 from ..errors import (DockerException, InvalidVersion, TLSParameterError,
                       create_api_error_from_http_exception)
 from ..tls import TLSConfig
-from ..transport import SSLHTTPAdapter, UnixHTTPAdapter
+from ..transport import UnixHTTPAdapter
 from ..utils import check_resource, config, update_headers, utils
 from ..utils.json_stream import json_stream
 from ..utils.proxy import ProxyConfig
@@ -184,7 +185,7 @@ def __init__(self, base_url=None, version=None,
             if isinstance(tls, TLSConfig):
                 tls.configure_client(self)
             elif tls:
-                self._custom_adapter = SSLHTTPAdapter(
+                self._custom_adapter = requests.adapters.HTTPAdapter(
                     pool_connections=num_pools)
                 self.mount('https://', self._custom_adapter)
             self.base_url = base_url

diff --git a/docker/client.py b/docker/client.py
@@ -71,8 +71,6 @@ def from_env(cls, **kwargs):
             timeout (int): Default timeout for API calls, in seconds.
             max_pool_size (int): The maximum number of connections
                 to save in the pool.
-            ssl_version (int): A valid `SSL version`_.
-            assert_hostname (bool): Verify the hostname of the server.
             environment (dict): The environment to read environment variables
                 from. Default: the value of ``os.environ``
             credstore_env (dict): Override environment variables when calling

diff --git a/docker/tls.py b/docker/tls.py
@@ -1,8 +1,6 @@
 import os
-import ssl
 
 from . import errors
-from .transport import SSLHTTPAdapter
 
 
 class TLSConfig:
@@ -15,35 +13,18 @@ class TLSConfig:
         verify (bool or str): This can be a bool or a path to a CA cert
             file to verify against. If ``True``, verify using ca_cert;
             if ``False`` or not specified, do not verify.
-        ssl_version (int): A valid `SSL version`_.
-        assert_hostname (bool): Verify the hostname of the server.
-
-    .. _`SSL version`:
-        https://docs.python.org/3.5/library/ssl.html#ssl.PROTOCOL_TLSv1
     """
     cert = None
     ca_cert = None
     verify = None
-    ssl_version = None
 
-    def __init__(self, client_cert=None, ca_cert=None, verify=None,
-                 ssl_version=None, assert_hostname=None,
-                 assert_fingerprint=None):
+    def __init__(self, client_cert=None, ca_cert=None, verify=None):
         # Argument compatibility/mapping with
         # https://docs.docker.com/engine/articles/https/
         # This diverges from the Docker CLI in that users can specify 'tls'
         # here, but also disable any public/default CA pool verification by
         # leaving verify=False
 
-        self.assert_hostname = assert_hostname
-        self.assert_fingerprint = assert_fingerprint
-
-        # If the user provides an SSL version, we should use their preference
-        if ssl_version:
-            self.ssl_version = ssl_version
-        else:
-            self.ssl_version = ssl.PROTOCOL_TLS_CLIENT
-
         # "client_cert" must have both or neither cert/key files. In
         # either case, Alert the user when both are expected, but any are
         # missing.
@@ -77,18 +58,10 @@ def configure_client(self, client):
         """
         Configure a client with these TLS options.
         """
-        client.ssl_version = self.ssl_version
-
         if self.verify and self.ca_cert:
             client.verify = self.ca_cert
         else:
             client.verify = self.verify
 
         if self.cert:
             client.cert = self.cert
-
-        client.mount('https://', SSLHTTPAdapter(
-            ssl_version=self.ssl_version,
-            assert_hostname=self.assert_hostname,
-            assert_fingerprint=self.assert_fingerprint,
-        ))
diff --git a/docker/transport/__init__.py b/docker/transport/__init__.py
@@ -1,5 +1,4 @@
 from .unixconn import UnixHTTPAdapter
-from .ssladapter import SSLHTTPAdapter
 try:
     from .npipeconn import NpipeHTTPAdapter
     from .npipesocket import NpipeSocket

diff --git a/docker/transport/ssladapter.py b/docker/transport/ssladapter.py
diff --git a/docker/utils/utils.py b/docker/utils/utils.py
@@ -341,7 +341,7 @@ def parse_devices(devices):
     return device_list
 
 
-def kwargs_from_env(ssl_version=None, assert_hostname=None, environment=None):
+def kwargs_from_env(environment=None):
     if not environment:
         environment = os.environ
     host = environment.get('DOCKER_HOST')
@@ -369,18 +369,11 @@ def kwargs_from_env(ssl_version=None, assert_hostname=None, environment=None):
     if not cert_path:
         cert_path = os.path.join(os.path.expanduser('~'), '.docker')
 
-    if not tls_verify and assert_hostname is None:
-        # assert_hostname is a subset of TLS verification,
-        # so if it's not set already then set it to false.
-        assert_hostname = False
-
     params['tls'] = TLSConfig(
         client_cert=(os.path.join(cert_path, 'cert.pem'),
                      os.path.join(cert_path, 'key.pem')),
         ca_cert=os.path.join(cert_path, 'ca.pem'),
         verify=tls_verify,
-        ssl_version=ssl_version,
-        assert_hostname=assert_hostname,
     )
 
     return params

diff --git a/tests/Dockerfile b/tests/Dockerfile
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1
 
-ARG PYTHON_VERSION=3.10
+ARG PYTHON_VERSION=3.12
 
 FROM python:${PYTHON_VERSION}
 

diff --git a/tests/Dockerfile-dind-certs b/tests/Dockerfile-dind-certs
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1
 
-ARG PYTHON_VERSION=3.10
+ARG PYTHON_VERSION=3.12
 
 FROM python:${PYTHON_VERSION}
 RUN mkdir /tmp/certs