diff --git a/azure-iot-device/azure/iot/device/common/http_transport.py b/azure-iot-device/azure/iot/device/common/http_transport.py
index a4d3cebc1..d09629f0e 100644
--- a/azure-iot-device/azure/iot/device/common/http_transport.py
+++ b/azure-iot-device/azure/iot/device/common/http_transport.py
@@ -69,8 +69,7 @@ def _create_ssl_context(self):
 This method creates the SSLContext object used to authenticate the connection. The generated context is used by the http_client and is necessary when authenticating using a self-signed X509 cert or trusted X509 cert
 """
 logger.debug("creating a SSL context")
-# Note that PROTOCOL_TLS_CLIENT implies ssl.CERT_REQUIRED and check_hostname == true
-ssl_context = ssl.SSLContext(protocol=ssl.PROTOCOL_TLS_CLIENT)
+ssl_context = ssl.SSLContext(protocol=ssl.PROTOCOL_TLSv1_2)
 
 if self._server_verification_cert:
 ssl_context.load_verify_locations(cadata=self._server_verification_cert)
@@ -92,6 +91,9 @@ def _create_ssl_context(self):
 self._x509_cert.pass_phrase,
 )
 
+ssl_context.verify_mode = ssl.CERT_REQUIRED
+ssl_context.check_hostname = True
+
 return ssl_context
 
 @pipeline_thread.invoke_on_http_thread_nowait
diff --git a/azure-iot-device/azure/iot/device/common/mqtt_transport.py b/azure-iot-device/azure/iot/device/common/mqtt_transport.py
index 0d3b4dd76..cf54a0416 100644
--- a/azure-iot-device/azure/iot/device/common/mqtt_transport.py
+++ b/azure-iot-device/azure/iot/device/common/mqtt_transport.py
@@ -321,8 +321,7 @@ def _create_ssl_context(self):
 This method creates the SSLContext object used by Paho to authenticate the connection.
 """
 logger.debug("creating a SSL context")
-# Note that PROTOCOL_TLS_CLIENT implies ssl.CERT_REQUIRED and check_hostname == true
-ssl_context = ssl.SSLContext(protocol=ssl.PROTOCOL_TLS_CLIENT)
+ssl_context = ssl.SSLContext(protocol=ssl.PROTOCOL_TLSv1_2)
 
 if self._server_verification_cert:
 logger.debug("configuring SSL context with custom server verification cert")
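Review bot: `ssl.PROTOCOL_TLSv1_2` pins the context to exactly TLS 1.2 and has been deprecated since Python 3.10, so the rewritten constructor line in this hunk (and the matching line in the mqtt_transport.py hunk at @@ -321) now emits a DeprecationWarning at context creation and can no longer negotiate TLS 1.3 with a server that offers it. If the intent is a 1.2 floor, `ssl_context = ssl.SSLContext(protocol=ssl.PROTOCOL_TLS_CLIENT)` followed by `ssl_context.minimum_version = ssl.TLSVersion.TLSv1_2` states that without the deprecated constant and keeps the CERT_REQUIRED/check_hostname defaults the deleted comment described; if the intent is to cap at 1.2 because of a server-side issue, `maximum_version` expresses that and the reason belongs in a comment. Either way a one-line comment naming the version policy should replace the comment this hunk removes. _create_ssl_context continues past the end of this hunk.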
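Review bot: The two assignments added before `return ssl_context` now carry the entire server-authentication guarantee, since the protocol constant no longer implies it, yet nothing in the code says why they are there; the same lines appear in the mqtt_transport.py hunk at @@ -347. Suggested comment above them: `# PROTOCOL_TLSv1_2 contexts default to CERT_NONE / check_hostname=False; require the server cert and a matching hostname explicitly. Keep verify_mode first: lowering it to CERT_NONE once check_hostname is enabled raises ValueError.` On Python 3.7+ enabling check_hostname already promotes a CERT_NONE verify_mode to CERT_REQUIRED, so the explicit verify_mode line is what keeps the intent readable and reviewable rather than what makes hostname checking work. The start of _create_ssl_context lies outside this hunk.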
@@ -347,6 +346,9 @@ def _create_ssl_context(self):
 self._x509_cert.pass_phrase,
 )
 
+ssl_context.verify_mode = ssl.CERT_REQUIRED
+ssl_context.check_hostname = True
+
 return ssl_context
 
 def shutdown(self):
diff --git a/tests/e2e/iothub_e2e/sync/conftest.py b/tests/e2e/iothub_e2e/sync/conftest.py
index b271d8aea..d04d9c5cd 100644
--- a/tests/e2e/iothub_e2e/sync/conftest.py
+++ b/tests/e2e/iothub_e2e/sync/conftest.py
@@ -20,7 +20,7 @@ def brand_new_client(device_identity, client_kwargs, service_helper, device_id,
 # Keep this here. It is useful to see this info inside the inside devops pipeline test failures.
 logger.info(
 "Connecting device_id={}, module_id={}, to hub={} at {} (UTC)".format(
-device_id, module_id, test_env.IOTHUB_HOSTNAME, datetime.datetime.now(datetime.UTC)
+device_id, module_id, test_env.IOTHUB_HOSTNAME, datetime.datetime.utcnow()
 )
 )
 
diff --git a/tests/unit/common/test_http_transport.py b/tests/unit/common/test_http_transport.py
index 1dbee2d8b..9f89d14b9 100644
--- a/tests/unit/common/test_http_transport.py
+++ b/tests/unit/common/test_http_transport.py
@@ -100,13 +100,14 @@ def test_proxy_format(self, proxy_options):
 )
 def test_configures_tls_context(self, mocker):
 mock_ssl_context_constructor = mocker.patch.object(ssl, "SSLContext")
+mock_ssl_context = mock_ssl_context_constructor.return_value
 HTTPTransport(hostname=fake_hostname)
 
 # Verify correctness of TLS/SSL Context
 assert mock_ssl_context_constructor.call_count == 1
-assert mock_ssl_context_constructor.call_args == mocker.call(
-protocol=ssl.PROTOCOL_TLS_CLIENT
-)
+assert mock_ssl_context_constructor.call_args == mocker.call(protocol=ssl.PROTOCOL_TLSv1_2)
+assert mock_ssl_context.check_hostname is True
+assert mock_ssl_context.verify_mode == ssl.CERT_REQUIRED
 
 @pytest.mark.it(
 "Configures TLS/SSL context using default certificates if protocol wrapper not instantiated with a server verification certificate"
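Review bot: `datetime.datetime.utcnow()` returns a naive datetime and is deprecated from Python 3.12, so the replaced line in the conftest.py hunk trades one version constraint for another (`datetime.UTC` is 3.11+, which is presumably why it was dropped). `datetime.datetime.now(datetime.timezone.utc)` works on every Python 3 release and keeps the timestamp timezone-aware, which is what the "(UTC)" label in the log message promises. brand_new_client continues beyond this hunk.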
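Review bot: With `ssl.SSLContext` replaced by a mock, the new `check_hostname` and `verify_mode` asserts in the test_http_transport.py hunk only confirm that each attribute was assigned the expected value; they cannot tell whether a real context accepts that configuration, and the `call_args` comparison will need editing again whenever the protocol constant changes. The test_mqtt_transport.py hunk at @@ -267 has the same shape. A companion test that leaves `ssl.SSLContext` unpatched and checks `check_hostname is True` and `verify_mode == ssl.CERT_REQUIRED` on the context the transport actually hands out — for MQTT, the argument passed to `mock_mqtt_client.tls_set_context` — would pin the effective policy rather than the assignment sequence.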
diff --git a/tests/unit/common/test_mqtt_transport.py b/tests/unit/common/test_mqtt_transport.py
index 12aea49ac..ee547d03a 100644
--- a/tests/unit/common/test_mqtt_transport.py
+++ b/tests/unit/common/test_mqtt_transport.py
@@ -267,9 +267,9 @@ def test_configures_tls_context(self, mocker):
 
 # Verify correctness of TLS/SSL Context
 assert mock_ssl_context_constructor.call_count == 1
-assert mock_ssl_context_constructor.call_args == mocker.call(
-protocol=ssl.PROTOCOL_TLS_CLIENT
-)
+assert mock_ssl_context_constructor.call_args == mocker.call(protocol=ssl.PROTOCOL_TLSv1_2)
+assert mock_ssl_context.check_hostname is True
+assert mock_ssl_context.verify_mode == ssl.CERT_REQUIRED
 
 # Verify context has been set
 assert mock_mqtt_client.tls_set_context.call_count == 1