Use ssl.SSLContext in ib3.connection.SSL

HISTORY.rst

@@ -1,5 +1,9 @@
-v0.3.0
+UNRELEASED
 ----------
+* Use ssl.SSLContext in ib3.connection.SSL
+
+v0.3.0
+------
 * [BREAKING] Drop support for Python versions before 3.7
 * Require irc>=20.0.0
 * Convert to hatchling build system backend

src/ib3/connection.py

@@ -1,4 +1,3 @@
-#
 # This file is part of IRC Bot Behavior Bundle (IB3)
 # Copyright (C) 2017 Bryan Davis and contributors
 #
@@ -14,7 +13,6 @@
 #
 # You should have received a copy of the GNU General Public License along with
 # this program.  If not, see <http://www.gnu.org/licenses/>.
-
 import logging
 import ssl
 
@@ -27,7 +25,15 @@ class SSL:
     """Use SSL connections."""
 
     def __init__(self, *args, **kwargs):
+        self._ssl_context = ssl.SSLContext(protocol=ssl.PROTOCOL_TLS_CLIENT)
+        self._ssl_context.load_default_certs()
+        # Unfortunately the upstream library doesn't give us a simple way to
+        # pass the IRC server hostname to the socket factory for SNI and cert
+        # verification. See https://github.com/jaraco/irc/issues/216
+        self._ssl_context.check_hostname = False
+        self._ssl_context.verify_mode = ssl.CERT_NONE
+
         kwargs["connect_factory"] = irc.connection.Factory(
-            wrapper=ssl.wrap_socket,
+            wrapper=self._ssl_context.wrap_socket,
         )
         super().__init__(*args, **kwargs)

tests/connection_test.py

@@ -13,8 +13,6 @@
 #
 # You should have received a copy of the GNU General Public License along with
 # this program.  If not, see <http://www.gnu.org/licenses/>.
-import ssl
-
 import ib3
 import ib3.connection
 
@@ -33,6 +31,6 @@ def test_ssl(mocker):
     )
     assert isinstance(bot, ib3.connection.SSL)
     assert isinstance(bot, ib3.Bot)
-    conn_factory.assert_called_once_with(wrapper=ssl.wrap_socket)
+    conn_factory.assert_called_once_with(wrapper=bot._ssl_context.wrap_socket)
     args, kwargs = mock_init.call_args
     assert kwargs["connect_factory"] is conn_factory.return_value