From 877125c5cd3c98e46affaa382ffceef7f9403acb Mon Sep 17 00:00:00 2001
From: Jake Farrell
Date: Fri, 7 Jun 2013 23:47:22 -0400
Subject: [PATCH] THRIFT-1966:Support different files for SSL certificates and keys Client: py Patch: Michael Kaes

Change the TSSLSocket class to accept key parameters and pass them to the ssl.wrap_socket function
---
 lib/py/src/transport/TSSLSocket.py | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/lib/py/src/transport/TSSLSocket.py b/lib/py/src/transport/TSSLSocket.py
index 0ab15023..81e09842 100644
--- a/lib/py/src/transport/TSSLSocket.py
+++ b/lib/py/src/transport/TSSLSocket.py
@@ -43,6 +43,8 @@ class TSSLSocket(TSocket.TSocket):
                port=9090,
                validate=True,
                ca_certs=None,
+               keyfile=None,
+               certfile=None,
                unix_socket=None):
     """Create SSL TSocket
 
@@ -52,7 +54,11 @@ class TSSLSocket(TSocket.TSocket):
     file downloaded from: http://curl.haxx.se/ca/cacert.pem This is passed to
     the ssl_wrap function as the 'ca_certs' parameter.
     @type ca_certs: str
-
+    @param keyfile: The private key
+    @type keyfile: str
+    @param certfile: The cert file
+    @type certfile: str
+
     Raises an IOError exception if validate is True and the ca_certs file is
     None, not present or unreadable.
     """
@@ -64,6 +70,8 @@ class TSSLSocket(TSocket.TSocket):
     else:
       self.cert_reqs = ssl.CERT_REQUIRED
     self.ca_certs = ca_certs
+    self.keyfile = keyfile
+    self.certfile = certfile
     if validate:
       if ca_certs is None or not os.access(ca_certs, os.R_OK):
         raise IOError('Certificate Authority ca_certs file "%s" '
@@ -82,6 +90,8 @@ class TSSLSocket(TSocket.TSocket):
                                       ssl_version=self.SSL_VERSION,
                                       do_handshake_on_connect=True,
                                       ca_certs=self.ca_certs,
+                                      keyfile=self.keyfile,
+                                      certfile=self.certfile,
                                       cert_reqs=self.cert_reqs)
         self.handle.settimeout(self._timeout)
         try:
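Review bot: The two new parameters are inserted before `unix_socket` in the `__init__` signature, so a caller that passes `unix_socket` as the fifth positional argument now hands the socket path to `keyfile` and silently loses the Unix-socket connection. Appending them after the existing parameter keeps positional calls working: `unix_socket=None, keyfile=None, certfile=None):` (with the matching docstring and `ssl.wrap_socket` lines unchanged). Whether any positional callers exist is not visible from this patch, so if the project's callers are all keyword-based this is a hygiene point only. The `__init__` definition begins before the hunk.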
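Review bot: In the second hunk `@param keyfile: The private key` and `@param certfile: The cert file` do not say that both values are filesystem paths to PEM files, nor how the two relate: `ssl.wrap_socket` accepts a `certfile` that holds both certificate and key, and reads `keyfile` only when the key is kept in a separate file. I would write `@param keyfile: Path to the PEM private key file; only needed when the key is not inside certfile` and `@param certfile: Path to the PEM file with the client certificate (and the private key, when keyfile is None)`, keeping the `@type ... str` lines. The docstring also ought to say whether these paths are checked at construction time the way `ca_certs` is, since the "Raises an IOError" sentence just below currently covers only `ca_certs`. The enclosing docstring starts outside the hunk.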
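Review bot: The new `self.keyfile` / `self.certfile` assignments in the third hunk get no validation, although the `ca_certs` check immediately below them rejects an unreadable path with `os.access` at construction time; a missing or unreadable key file, or a `keyfile` supplied without a `certfile` (which `ssl.wrap_socket` refuses), only fails later inside `open()` where the fourth hunk passes them on, and the error is then harder to attribute. Mirroring the existing `ca_certs` check keeps misconfiguration at the constructor, where the caller can act on it, and uses only `os`, which the block already references. The `__init__` body continues past the hunk.
```python
    self.ca_certs = ca_certs
    self.keyfile = keyfile
    self.certfile = certfile
    # Fail at construction, as the ca_certs check below does, instead of inside open().
    if keyfile is not None and certfile is None:
      raise ValueError('keyfile was given without a certfile')
    for name, path in (('certfile', certfile), ('keyfile', keyfile)):
      if path is not None and not os.access(path, os.R_OK):
        raise IOError('%s "%s" is not readable' % (name, path))
    # … unchanged: validate / ca_certs readability check …
```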
@@ -129,6 +139,7 @@ class TSSLSocket(TSocket.TSocket):
         if cert_key != 'commonName':
           continue
         certhost = cert_value
+        # this check should be performed by some sort of Access Manager
         if certhost == self.host:
           # success, cert commonName matches desired hostname
           self.is_valid = True
-- 
2.17.1
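Review bot: The added comment `# this check should be performed by some sort of Access Manager` reads as an unresolved design note and does not say what the line under it verifies, so a reader cannot tell whether the commonName comparison is a placeholder or the intended check. I would state the contract instead, e.g. `# Hostname check: accept the certificate only when its commonName equals the host we connected to.`, and track the Access Manager idea as a TODO with an owner if it is real. The comment should also make the limitation visible: the loop above skips every field except `commonName`, so a certificate that names the host only through other identity fields is not matched here. The enclosing method starts and ends outside the hunk.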