@@ -186,6 +186,9 @@ class _SslSocketWrapper(object):
186186# depend on always using python3. If I do switch it to use the standard
187187# HTTPSConnection class, remember to test what happens with timeouts and
188188# find an alternative to the vaulthostname override from --vaultalias.
189+ # This also implements switching between multiple IP addresses in a
190+ # round-robin after timeouts so that is something else that needs to be
191+ # preserved.
189192#
190193class CertValidatingHTTPSConnection (http_client .HTTPConnection ):
191194 default_port = http_client .HTTPS_PORT
@@ -197,7 +200,7 @@ class CertValidatingHTTPSConnection(http_client.HTTPConnection):
197200 http_client .HTTPConnection .__init__ (self , host , port , ** kwargs )
198201 self .host = host
199202 if port is None :
200- self .port = http_client . HTTPS_PORT
203+ self .port = self . default_port
201204 else :
202205 self .port = port
203206 self .key_file = key_file
@@ -240,7 +243,7 @@ class CertValidatingHTTPSConnection(http_client.HTTPConnection):
240243 context .load_cert_chain (self .cert_chain_file )
241244 # Note that m2crypto does not verify CRLs. There is an
242245 # extension package m2ext that does, but ignoring CRLs for the
243- # well-managed servers that cigetcert connects to is deemed to
246+ # well-managed servers that htgettoken connects to is deemed to
244247 # be an acceptable risk.
245248 context .set_verify (
246249 SSL .verify_peer | SSL .verify_fail_if_no_peer_cert , depth = 9 )
@@ -304,11 +307,12 @@ class CertValidatingHTTPSConnection(http_client.HTTPConnection):
304307 sslconn .clientPostConnectionCheck = overridecheck
305308 sslconn .connect ((ip , self .port ))
306309 except SSL .Checker .WrongHost as e :
307- # Also allow the vaultalias, although this doesn't work
308- # with wildcard host certs. The vaultalias is also used
309- # for the kerberos cluster name, so checking it after an
310- # exception like this avoids having to have separate
311- # options for kerberos and https aliases.
310+ # Also allow the vaultalias (via the derived vaulthostname),
311+ # although this doesn't work with wildcard host certs.
312+ # The vaultalias is also used for the kerberos cluster
313+ # name, so checking it after an exception like this
314+ # avoids having to have separate options for kerberos
315+ # and https aliases.
312316 if vaulthostname is None :
313317 raise e
314318 elif 'DNS:' + vaulthostname + ',' not in e .actualHost + ',' :
@@ -716,7 +720,8 @@ def main():
716720 default = "7d" ,
717721 help = "time (s, m, h, or d suffix) for new vault token to live" )
718722 parser .add_option ("--vaulttokenminttl" ,
719- metavar = "seconds" ,
723+ metavar = "time" ,
724+ default = "0s" ,
720725 help = "minimum time (s, m, h or d suffix) left in existing vault token before expiration" )
721726 parser .add_option ("--vaulttokenfile" ,
722727 metavar = "path" ,
@@ -928,9 +933,7 @@ def main():
928933 log ("Credkey from %s: %s" % (configfile , credkey ))
929934
930935 if (credkey is not None or options .nobearertoken ) and not options .registerssh :
931- fullsecretpath = ""
932- if not options .nobearertoken :
933- fullsecretpath = secretpath .replace ("%credkey" , credkey )
936+ fullsecretpath = secretpath .replace ("%credkey" , credkey )
934937
935938 # Check to see if a valid vault token already exists and works by
936939 # attempting to read a bearer token
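Review bot: The new unconditional `fullsecretpath = secretpath.replace("%credkey", credkey)` can raise TypeError (`replace() argument 2 must be str, not None`) when `credkey` is None, because the enclosing condition `(credkey is not None or options.nobearertoken) and not options.registerssh` still admits that case through `--nobearertoken`, and the removed `if not options.nobearertoken:` guard was what kept the call from happening with a None credkey. If credkey is guaranteed non-None whenever `--nobearertoken` is set by code outside this hunk, a one-line comment stating that invariant here would prevent the next reader from re-raising the question; otherwise preserve the previous behaviour with `fullsecretpath = secretpath.replace("%credkey", credkey) if credkey is not None else ""`. The body of main() begins and continues outside this hunk.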