spk
diff --git a/‎doc/examples/tls.rst‎
Lines changed: 13 additions & 3 deletions b/‎doc/examples/tls.rst‎
Lines changed: 13 additions & 3 deletions
diff --git a/‎pymongo/client_options.py‎
Lines changed: 3 additions & 1 deletion b/‎pymongo/client_options.py‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎pymongo/common.py‎
Lines changed: 1 addition & 0 deletions b/‎pymongo/common.py‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎pymongo/mongo_client.py‎
Lines changed: 9 additions & 5 deletions b/‎pymongo/mongo_client.py‎
Lines changed: 9 additions & 5 deletions
diff --git a/‎pymongo/ssl_support.py‎
Lines changed: 14 additions & 3 deletions b/‎pymongo/ssl_support.py‎
Lines changed: 14 additions & 3 deletions
diff --git a/‎test/certificates/client_encrypted.pem‎
Lines changed: 52 additions & 0 deletions b/‎test/certificates/client_encrypted.pem‎
Lines changed: 52 additions & 0 deletions
diff --git a/‎test/test_ssl.py‎
Lines changed: 38 additions & 5 deletions b/‎test/test_ssl.py‎
Lines changed: 38 additions & 5 deletions
@@ -82,9 +82,9 @@ Or, in the URI::
 Specifying a certificate revocation list
 ........................................
 
-Python2 2.7.9+ (pypy 2.5.1+) and python3 3.4+ provide support for certificate
-revocation lists. The `ssl_crlfile` option takes a path to a CRL file. It can
-be passed as a keyword argument::
+Python 2.7.9+ (pypy 2.5.1+) and 3.4+ provide support for certificate revocation
+lists. The `ssl_crlfile` option takes a path to a CRL file. It can be passed as
+a keyword argument::
 
  >>> client = pymongo.MongoClient('example.com',
  ... ssl=True,
@@ -113,4 +113,14 @@ the `ssl_keyfile` option::
  ... ssl_certfile='/path/to/client.pem',
  ... ssl_keyfile='/path/to/key.pem')
 
+Python 2.7.9+ (pypy 2.5.1+) and 3.3+ support providing a password or passphrase
+to decrypt encrypted private keys. Use the `ssl_pem_passphrase` option::
+
+ >>> client = pymongo.MongoClient('example.com',
+ ... ssl=True,
+ ... ssl_certfile='/path/to/client.pem',
+ ... ssl_keyfile='/path/to/key.pem',
+ ... ssl_pem_passphrase=<passphrase>)
+
+
 These options can also be passed as part of the MongoDB URI.
@@ -70,6 +70,7 @@ def _parse_ssl_options(options):
 
  certfile = options.get('ssl_certfile')
  keyfile = options.get('ssl_keyfile')
+ passphrase = options.get('ssl_pem_passphrase')
  ca_certs = options.get('ssl_ca_certs')
  cert_reqs = options.get('ssl_cert_reqs')
  match_hostname = options.get('ssl_match_hostname', True)
@@ -88,7 +89,8 @@ def _parse_ssl_options(options):
  use_ssl = True
 
  if use_ssl is True:
- ctx = get_ssl_context(certfile, keyfile, ca_certs, cert_reqs, crlfile)
+ ctx = get_ssl_context(
+ certfile, keyfile, passphrase, ca_certs, cert_reqs, crlfile)
  return ctx, match_hostname
  return None, match_hostname
 
 
@@ -421,6 +421,7 @@ def validate_ok_for_update(update):
  'ssl': validate_boolean_or_string,
  'ssl_keyfile': validate_readable,
  'ssl_certfile': validate_readable,
+ 'ssl_pem_passphrase': validate_string_or_none,
  'ssl_cert_reqs': validate_cert_reqs,
  'ssl_ca_certs': validate_readable,
  'ssl_match_hostname': validate_boolean_or_string,
 
@@ -195,13 +195,17 @@ def __init__(
 
  - `ssl`: If ``True``, create the connection to the server using SSL.
  Defaults to ``False``.
+ - `ssl_certfile`: The certificate file used to identify the local
+ connection against mongod. Implies ``ssl=True``. Defaults to
+ ``None``.
  - `ssl_keyfile`: The private keyfile used to identify the local
  connection against mongod. If included with the ``certfile`` then
  only the ``ssl_certfile`` is needed. Implies ``ssl=True``.
  Defaults to ``None``.
- - `ssl_certfile`: The certificate file used to identify the local
- connection against mongod. Implies ``ssl=True``. Defaults to
- ``None``.
+ - `ssl_pem_passphrase`: The password or passphrase for decrypting
+ the private key in ``ssl_certfile`` or ``ssl_keyfile``. Only
+ necessary if the private key is encrypted. Only supported by python
+ 2.7.9+ (pypy 2.5.1+) and 3.3+. Defaults to ``None``.
  - `ssl_cert_reqs`: Specifies whether a certificate is required from
  the other side of the connection, and whether it will be validated
  if provided. It must be one of the three values ``ssl.CERT_NONE``
@@ -219,8 +223,8 @@ def __init__(
  certificates passed from the other end of the connection.
  Implies ``ssl=True``. Defaults to ``None``.
  - `ssl_crlfile`: The path to a PEM or DER formatted certificate
- revocation list. Only supported by python 2.9.7+ and python 3.4+.
- Defaults to ``None``.
+ revocation list. Only supported by python 2.7.9+ (pypy 2.5.1+)
+ and 3.4+. Defaults to ``None``.
  - `ssl_match_hostname`: If ``True`` (the default), and
  `ssl_cert_reqs` is not ``ssl.CERT_NONE``, enables hostname
  verification using the :func:`~ssl.match_hostname` function from
 
@@ -88,7 +88,7 @@ def _load_wincerts():
  # parameter.
  def get_ssl_context(*args):
  """Create and return an SSLContext object."""
- certfile, keyfile, ca_certs, cert_reqs, crlfile = args
+ certfile, keyfile, passphrase, ca_certs, cert_reqs, crlfile = args
  # Note PROTOCOL_SSLv23 is about the most misleading name imaginable.
  # This configures the server and client to negotiate the
  # highest protocol version they both support. A very good thing.
@@ -102,12 +102,23 @@ def get_ssl_context(*args):
  ctx.options |= getattr(ssl, "OP_NO_SSLv2", 0)
  ctx.options |= getattr(ssl, "OP_NO_SSLv3", 0)
  if certfile is not None:
- ctx.load_cert_chain(certfile, keyfile)
+ if passphrase is not None:
+ vi = sys.version_info
+ # Since python just added a new parameter to an existing method
+ # this seems to be about the best we can do.
+ if (vi[0] == 2 and vi < (2, 7, 9) or
+ vi[0] == 3 and vi < (3, 3)):
+ raise ConfigurationError(
+ "Support for ssl_pem_passphrase requires "
+ "python 2.7.9+ (pypy 2.5.1+) or 3.3+")
+ ctx.load_cert_chain(certfile, keyfile, passphrase)
+ else:
+ ctx.load_cert_chain(certfile, keyfile)
  if crlfile is not None:
  if not hasattr(ctx, "verify_flags"):
  raise ConfigurationError(
  "Support for ssl_crlfile requires "
- "python2 2.7.9+ (pypy 2.5.1+) or python3 3.4+")
+ "python 2.7.9+ (pypy 2.5.1+) or 3.4+")
  # Match the server's behavior.
  ctx.verify_flags = ssl.VERIFY_CRL_CHECK_LEAF
  ctx.load_verify_locations(crlfile)
 
@@ -0,0 +1,52 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFHzBJBgkqhkiG9w0BBQ0wPDAbBgkqhkiG9w0BBQwwDgQIXVpiOphzP48CAggA
+MB0GCWCGSAFlAwQBAgQQCrPjZvdtfdmb5FnflM2QaQSCBNDwm1fRI4HsJ988MS6P
+7xRkA8fscD/krgMsnG3g47NjgM+CtYRbUfKNMrgidajQVC74P7z1pQ+uHCz9Py7U
+5Ge0uFFqkPyQl2RcnVjCdsx6ElCfdDLEnizVL1ERHMYTq0AXnYXyPN45Qpq9UfQG
+DPtoOAWpe6FSrQ0UFYZ3hTJIXK8A2J7phkPzrFz9CYtzaLv4ShD0osAOK0hN1hSp
+k258lb1oGifGc3BXv1atiXZI7R8tFhY5GlG/F6BksFHslOc01/Iix+rb04jV6aKB
+L1yyoUqjwO0Qt365FfUw/ZODwkW7n5gAT1hJ/qJc0Tkh92pv7ISnMpT5h40k4Q9L
+tkCm4aOymhSNWLjkBrgIVbLPgUo59bNZAgPrDz2Wjwt7rU3t5TyXPiScDYfxQyhj
+dhI7NkpC/nMGc/VRir8+zUSRvR6xIlkHM8glpVHWOU8gIRDv1RYQFhhecEFgoSMO
+oP54SK3a6A0BzrFZIRqMeVDXl1DXuA9tdgF7N2CIMdKTtAgOohTcTRESIk5ysFNm
+dY15ptDtj3woGsBffMgfa7AWxDq/97Gfp0leMdV7DTLHQWM/hjsmDaz7E5jRt36Z
+Qql2/SdUX3A91u4lvcCDgzcMe6YY1jJ3oPsuQRoMeZrj1jivR2TY0LUo474mxq3Y
+IxyP8wrGEhDDc3Tfq2TeFwyS2u1cxYu1JocRi1qxtbG/cdK340KXvdVJKl5mosys
+qUW0MdTyEAzzf77k14AqSOyXeVarttY4ZLMQd2qbW4kgBP7ZZ+Jz0YXPz4Pc0fiG
+ONeF8Q1LVVkneURHmvGXEoP+6rRk59neVtW1An5hxZkmeL9VPUm+q+cXAwLEJIxN
+tEzC6liIhzpMbyUFht6HbCaHvl6U4Zap56SqMfPXl6V6L3MDQC0uenQoPHmprYGP
+WcM1/F7BviQclHuyhdmkE/dbutJ8Dj7gKdv6qVYm4zS5BYcPfzqR/v4t4pXX+ubS
+Ng5GPZkrBCG4+D97/zSS4w6KPImbOsrQh6D0aJZKoRHcEgmEBaN0tDcwZQsSXQRs
+wB/ATl2sgebIRkNxABTqUyG3hnMMFNxoGPicv1P73Ai29056KrA5kq3Xz6PfOgI7
+ZwfMgvwKNPewyzQ6cIoJHKCZellBeAm8B6SPI6fes4nLBvTJi6khjpK489nnZqYz
+MDIzu1eFPQLAVM2XB9ABTdZJJVM8f2OrjUMuXAiqj3eKV9A0lVUd7YfCjPmat3+3
+JLlvJb7ePnVR7/O/4AgQatfIUyVRuqovR6s+j2KHu3iVEMUZvpEuQZpIzj+jptfC
+fSbaFoTjSGii97YKQ5OoZqnZiy3gkprY/SCkXa7Jlx7cb8h5pktbqEpAjlLd1MMd
+mES8HUiJpYSrseLCNJkbU5dKK1DqNj1UgAKRtU55HGYRGtpxx9zqPBqTiBkW7FwR
+qaBYhvM4STPj3cD0JqCE9TuJDG5/7jSKKKm342j1VyPN2VUXinreNDUFE2WePRdV
+OhyIa5zB4xuH5rLfqb3MJlxeuM7sMX/6Nor0+F7XfVn3HHEGGdjkclaJlFonmRTk
++/xpROQ/iPCVWr85adnfkgBzIZOYDKFHqpXS0G4W0p09+eDfQWuHw1Nu5D3Gb9Y6
+CrGuA90yQPSULpuE+GBjv8Od+Q==
+-----END ENCRYPTED PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+MIIDjTCCAnWgAwIBAgIDAmB0MA0GCSqGSIb3DQEBBQUAMHUxGTAXBgNVBAMTEFB5
+dGhvbiBEcml2ZXIgQ0ExEDAOBgNVBAsTB0RyaXZlcnMxEDAOBgNVBAoTB01vbmdv
+REIxEjAQBgNVBAcTCVBhbG8gQWx0bzETMBEGA1UECBMKQ2FsaWZvcm5pYTELMAkG
+A1UEBhMCVVMwHhcNMTYwNTI0MDAyMTQ4WhcNMzYwNTI0MDAyMTQ4WjBkMQ8wDQYD
+VQQDEwZjbGllbnQxEDAOBgNVBAsTB0RyaXZlcnMxCTAHBgNVBAoTADESMBAGA1UE
+BxMJUGFsbyBBbHRvMRMwEQYDVQQIEwpDYWxpZm9ybmlhMQswCQYDVQQGEwJVUzCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALuWTvDI4CRfGVGkvRnGfwEp
+j2U/fwMvZoJW3LT0w2nQRUsa/hrf74Ggm9FbhaaM9bxA6eS5vWEaaJX9gfEEqOaj
+FlF8O++7+8+CrxsBWRK6yNT8nkB9rg3VCv5gqXJr9rpRhWAeq3QuFhunACrk+Mt4
+5KL+ueYerJyhJwx87LiwGAMxasdr+U8j/s5kc+SIhwQxWXYVOSgdweJd4FlEGYvZ
+0WR/oheEWp1ayZzf4cE8K2aD0YC6CS2ErFke6W4ZsdqtwGRjLwz71SMG0tSEpOjg
+NkNJBqNju3FU9AtFJFS7t9wPzMG/2LIioSXKe+RW4/SBjhc0LM7xgDM9oFYqZ3sC
+AwEAAaM3MDUwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMCMBEGA1Ud
+EQQKMAiCBmNsaWVudDANBgkqhkiG9w0BAQUFAAOCAQEAMJgtYqm4cgOCmFiacwYy
+ZtpWJHLk1zFwBLrNdQu9GKlYhC+903yV/VypnRjOd0McdopMZ+4aQut4CE01PLty
+FEZ6UrpqXbEFniGh5PKaouhqrX896iBwPRn5eeFKf40sFgdNReJ3KDyGt6kqTWn6
+rY13wgopMy0A3NfCqmBHHXYRBRl9GS0O2bOOLMR49o7iBW+Ga638/Z3+4xx8T9Mh
++ejauV8EWZFKfg43soXuGHLDfDl3BMqH4iP12y+e8NtBEMRl6RPbZcO3X9Zkavba
+rmlcdR/01UK9/FiWP2rPNNxk2ypqZDxkPzT8sCDBQXtRgemxTlxgeKryDgXlF1iD
+Pw==
+-----END CERTIFICATE-----
@@ -43,6 +43,7 @@
 CERT_PATH = os.path.join(os.path.dirname(os.path.realpath(__file__)),
  'certificates')
 CLIENT_PEM = os.path.join(CERT_PATH, 'client.pem')
+CLIENT_ENCRYPTED_PEM = os.path.join(CERT_PATH, 'client_encrypted.pem')
 CA_PEM = os.path.join(CERT_PATH, 'ca.pem')
 CRL_PEM = os.path.join(CERT_PATH, 'crl.pem')
 SIMPLE_SSL = False
@@ -224,6 +225,38 @@ def test_simple_ssl(self):
  self.assertTrue(db.test.find_one()['ssl'])
  client.drop_database('pymongo_ssl_test')
 
+ def test_ssl_pem_passphrase(self):
+ # Expects the server to be running with server.pem and ca.pem
+ #
+ # --sslPEMKeyFile=/path/to/pymongo/test/certificates/server.pem
+ # --sslCAFile=/path/to/pymongo/test/certificates/ca.pem
+ if not CERT_SSL:
+ raise SkipTest("No mongod available over SSL with certs")
+
+ vi = sys.version_info
+ if vi[0] == 2 and vi < (2, 7, 9) or vi[0] == 3 and vi < (3, 3):
+ self.assertRaises(
+ ConfigurationError,
+ MongoClient,
+ 'server',
+ ssl=True,
+ ssl_certfile=CLIENT_ENCRYPTED_PEM,
+ ssl_pem_passphrase="clientpassword",
+ ssl_ca_certs=CA_PEM,
+ serverSelectionTimeoutMS=100)
+ else:
+ connected(MongoClient('server',
+ ssl=True,
+ ssl_certfile=CLIENT_ENCRYPTED_PEM,
+ ssl_pem_passphrase="clientpassword",
+ ssl_ca_certs=CA_PEM,
+ serverSelectionTimeoutMS=100))
+
+ uri_fmt = ("mongodb://server/?ssl=true"
+ "&ssl_certfile=%s&ssl_pem_passphrase=clientpassword"
+ "&ssl_ca_certs=%s&serverSelectionTimeoutMS=100")
+ connected(MongoClient(uri_fmt % (CLIENT_ENCRYPTED_PEM, CA_PEM)))
+
  def test_cert_ssl(self):
  # Expects the server to be running with server.pem and ca.pem.
  #
@@ -515,7 +548,7 @@ def test_validation_with_system_ca_certs(self):
  os.environ.pop('SSL_CERT_FILE')
 
  def test_system_certs_config_error(self):
- ctx = get_ssl_context(None, None, None, ssl.CERT_NONE, None)
+ ctx = get_ssl_context(None, None, None, None, ssl.CERT_NONE, None)
  if ((sys.platform != "win32"
  and hasattr(ctx, "set_default_verify_paths"))
  or hasattr(ctx, "load_default_certs")):
@@ -547,11 +580,11 @@ def test_certifi_support(self):
  # Force the test on Windows, regardless of environment.
  ssl_support.HAVE_WINCERTSTORE = False
  try:
- ctx = get_ssl_context(None, None, CA_PEM, ssl.CERT_REQUIRED, None)
+ ctx = get_ssl_context(None, None, None, CA_PEM, ssl.CERT_REQUIRED, None)
  ssl_sock = ctx.wrap_socket(socket.socket())
  self.assertEqual(ssl_sock.ca_certs, CA_PEM)
 
- ctx = get_ssl_context(None, None, None, None, None)
+ ctx = get_ssl_context(None, None, None, None, None, None)
  ssl_sock = ctx.wrap_socket(socket.socket())
  self.assertEqual(ssl_sock.ca_certs, ssl_support.certifi.where())
  finally:
@@ -568,11 +601,11 @@ def test_wincertstore(self):
  if not ssl_support.HAVE_WINCERTSTORE:
  raise SkipTest("Need wincertstore to test wincertstore.")
 
- ctx = get_ssl_context(None, None, CA_PEM, ssl.CERT_REQUIRED, None)
+ ctx = get_ssl_context(None, None, None, CA_PEM, ssl.CERT_REQUIRED, None)
  ssl_sock = ctx.wrap_socket(socket.socket())
  self.assertEqual(ssl_sock.ca_certs, CA_PEM)
 
- ctx = get_ssl_context(None, None, None, None, None)
+ ctx = get_ssl_context(None, None, None, None, None, None)
  ssl_sock = ctx.wrap_socket(socket.socket())
  self.assertEqual(ssl_sock.ca_certs, ssl_support._WINCERTS.name)