diff --git a/pikatasks/settings.py b/pikatasks/settings.py
index 15d997ad62beb446fbed6d67773f303e7de33846..46b322f895c3b7d1685d3ad702e75e11817d2b24 100644
--- a/pikatasks/settings.py
+++ b/pikatasks/settings.py
@@ -31,7 +31,7 @@ SSL_CONF = {
     # NOTE: The following values are not meant to be changed through settings
     # because this would be a mess in deployment!
     "ssl_version": ssl.PROTOCOL_TLSv1_2,
-    "cert_reqs": ssl.CERT_NONE,
+    "cert_reqs": ssl.CERT_REQUIRED,
 }
 
 # stuff you might want to change sometimes:
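Review bot: With `cert_reqs` now `ssl.CERT_REQUIRED`, the `ssl_version` entry on the line above it is worth revisiting: `ssl.PROTOCOL_TLSv1_2` is deprecated and pins the connection to exactly TLS 1.2, so a broker that offers TLS 1.3 cannot negotiate it. `ssl.PROTOCOL_TLS_CLIENT` negotiates the highest shared version and turns on certificate and hostname verification by default; a floor can still be kept with `context.minimum_version = ssl.TLSVersion.TLSv1_2` where the context is created. The rest of `SSL_CONF` starts above this hunk, so whether `ca_certs` is defined there is not visible; a comment such as `# CERT_REQUIRED needs "ca_certs" to point at the CA bundle that signed the broker certificate` would help deployments that previously relied on `CERT_NONE`.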
diff --git a/pikatasks/utils.py b/pikatasks/utils.py
index cacf23158f7ea0fc3e81f20f936d2b15e60d6f30..51d60388d463abc2e79659533f58e8bb5daffd74 100644
--- a/pikatasks/utils.py
+++ b/pikatasks/utils.py
@@ -1,6 +1,7 @@
 import json
 import pika
 import logging
+import ssl
 from . import settings
 
 
@@ -15,6 +16,15 @@ def deserialize(binary):
     return json.loads(binary.decode("utf-8"))
 
 
+def get_ssl_options(ssl_settings):
+    """ Create pika.SSLOptions based on pikatasks settings. """
+    context = ssl.SSLContext(ssl_settings.get('ssl_version'))
+    context.verify_mode = (ssl_settings.get('cert_reqs'))
+    context.load_verify_locations(ssl_settings.get('ca_certs'))
+    context.load_cert_chain(ssl_settings.get('certfile'), ssl_settings.get('keyfile'))
+    return pika.SSLOptions(context)
+
+
 def get_pika_connection_parameters():
     return pika.ConnectionParameters(
             host=settings.BROKER_HOST,
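Review bot: The context built in `get_ssl_options` verifies the broker's certificate chain but not its hostname. A context created from `ssl.PROTOCOL_TLSv1_2` has `check_hostname` off by default, and `pika.SSLOptions(context)` is given no `server_hostname`. Any certificate issued by a CA in `ca_certs` would therefore be accepted as the broker's. Consider adding `context.check_hostname = True` after `verify_mode` is set and returning `pika.SSLOptions(context, server_hostname=settings.BROKER_HOST)`. Separately, `load_verify_locations` and `load_cert_chain` raise when `ca_certs` or `certfile` is absent from the settings, so if a client certificate is meant to be optional that call needs a guard, and the docstring could list the keys the function reads.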
@@ -24,9 +34,9 @@ def get_pika_connection_parameters():
                 username=settings.USERNAME,
                 password=settings.PASSWORD
             ),
-            blocked_connection_timeout=settings.BLOCKED_CONNECTION_TIMEOUT.total_seconds(),  # TODO: causes a warning when closing connections
-            ssl=settings.SSL_ENABLED,
-            ssl_options=settings.SSL_CONF,
+            # TODO: causes a warning when closing connections
+            blocked_connection_timeout=settings.BLOCKED_CONNECTION_TIMEOUT.total_seconds(),
+            ssl_options=get_ssl_options(settings.SSL_CONF) if settings.SSL_ENABLED else None,
         )