Brought in line with OpenKMIP#707

Author: ymeiron

kmip/services/kmip_client.py

@@ -285,16 +285,17 @@ def open(self):
             six.reraise(*last_error)
 
     def _create_socket(self, sock):
-        context = ssl.create_default_context()
+        context = ssl.SSLContext(self.ssl_version)
         context.verify_mode = self.cert_reqs
-        context.check_hostname = False
-        context.load_cert_chain(
-            keyfile=self.keyfile,
-            certfile=self.certfile
-        )
-        context.load_verify_locations(cafile=self.ca_certs)
+        if self.ca_certs:
+            context.load_verify_locations(self.ca_certs)
+        if self.keyfile and not self.certfile:
+            raise ValueError("certfile must be specified")
+        if self.certfile:
+            context.load_cert_chain(self.certfile, self.keyfile)
         self.socket = context.wrap_socket(
             sock,
+            server_side=False,
             do_handshake_on_connect=self.do_handshake_on_connect,
             suppress_ragged_eofs=self.suppress_ragged_eofs)
         self.socket.settimeout(self.timeout)

kmip/services/server/server.py

@@ -287,20 +287,22 @@ def interrupt_handler(trigger, frame):
         for cipher in auth_suite_ciphers:
             self._logger.debug(cipher)
 
-        context = ssl.create_default_context(purpose=ssl.Purpose.CLIENT_AUTH)
+        cafile = self.config.settings.get('ca_path')
+        context = ssl.SSLContext(self.auth_suite.protocol)
         context.verify_mode = ssl.CERT_REQUIRED
-        context.check_hostname = False
-        context.load_cert_chain(
-            certfile=self.config.settings.get('certificate_path'),
-            keyfile=self.config.settings.get('key_path'),
-        )
-        context.load_verify_locations(cafile=self.config.settings.get('ca_path'))
-        context.set_ciphers(self.auth_suite.ciphers)
+        if self.auth_suite.ciphers:
+            context.set_ciphers(self.auth_suite.ciphers)
+        if cafile:
+            context.load_verify_locations(cafile)
+        certfile = self.config.settings.get('certificate_path')
+        keyfile = self.config.settings.get('key_path')
+        context.load_cert_chain(certfile, keyfile=keyfile)
+
         self._socket = context.wrap_socket(
             self._socket,
             server_side=True,
             do_handshake_on_connect=False,
-            suppress_ragged_eofs=True,
+            suppress_ragged_eofs=True
         )
 
         try:

kmip/tests/unit/services/server/test_server.py

@@ -210,9 +210,10 @@ def test_start(self,
         # Test that in ideal cases no errors are generated and the right
         # log messages are.
         with mock.patch('socket.socket') as socket_mock:
-            with mock.patch('ssl.wrap_socket') as ssl_mock:
+            with mock.patch('ssl.SSLContext') as ssl_mock:
                 socket_mock.return_value = a_mock
-                ssl_mock.return_value = b_mock
+                ssl_mock.return_value.wrap_socket.return_value = b_mock
+                ssl_mock.return_value.load_cert_chain.return_value = None
 
                 manager_mock.assert_not_called()
                 monitor_mock.assert_not_called()
@@ -271,9 +272,10 @@ def test_start(self,
 
         # Test that a NetworkingError is generated if the socket bind fails.
         with mock.patch('socket.socket') as socket_mock:
-            with mock.patch('ssl.wrap_socket') as ssl_mock:
+            with mock.patch('ssl.SSLContext') as ssl_mock:
                 socket_mock.return_value = a_mock
-                ssl_mock.return_value = b_mock
+                ssl_mock.return_value.wrap_socket.return_value = b_mock
+                ssl_mock.return_value.load_cert_chain.return_value = None
 
                 test_exception = Exception()
                 b_mock.bind.side_effect = test_exception