Support setting "ssl_verify_flags" to override Python's default

eht16 · eht16 · commit 2935c0710538 · 2025-11-23T17:18:55.000+01:00
diff --git a/docs/config.rst b/docs/config.rst
@@ -90,6 +90,21 @@ Options for configuring the log handler
     *Default*: ``True``
 
 
+``ssl_verify_flags``
+
+    Specify verify flags for Python's `ssl.SSLContext`.
+    See the Python documentation for valid values.
+    This can be useful to override Python 3.13's strict verify flags by passing `0`.
+
+    Only used for `logstash_async.transport.TcpTransport`,
+    ``logstash_async.transport.BeatsTransport`` and
+    ``logstash_async.transport.HttpTransport``.
+
+    *Type*: ``integer``
+
+    *Default*: None
+
+
 ``keyfile``
 
     The path to client side SSL key file.
diff --git a/logstash_async/handler.py b/logstash_async/handler.py
@@ -21,6 +21,7 @@ class SynchronousLogstashHandler(Handler):
     :param transport: Callable or path to a compatible transport class.
     :param ssl_enable: Should SSL be enabled for the connection? Default is False.
     :param ssl_verify: Should the server's SSL certificate be verified?
+    :param ssl_verify_flags: Verification flags for ssl.SSLContext (Default: None)
     :param keyfile: The path to client side SSL key file (default is None).
     :param certfile: The path to client side SSL certificate file (default is None).
     :param ca_certs: The path to the file containing recognized CA certificates.
@@ -29,16 +30,17 @@ class SynchronousLogstashHandler(Handler):
     """
 
     # ----------------------------------------------------------------------
-    # pylint: disable=too-many-arguments
+    # pylint: disable=too-many-arguments,too-many-positional-arguments
     def __init__(self, host, port, transport='logstash_async.transport.TcpTransport',
-                 ssl_enable=False, ssl_verify=True, keyfile=None, certfile=None, ca_certs=None,
-                 enable=True, encoding='utf-8', **kwargs):
+                 ssl_enable=False, ssl_verify=True, ssl_verify_flags=None, keyfile=None,
+                 certfile=None, ca_certs=None, enable=True, encoding='utf-8', **kwargs):
         super().__init__()
         self._host = host
         self._port = port
         self._transport_path = transport
         self._ssl_enable = ssl_enable
         self._ssl_verify = ssl_verify
+        self._ssl_verify_flags = ssl_verify_flags
         self._keyfile = keyfile
         self._certfile = certfile
         self._ca_certs = ca_certs
@@ -72,6 +74,7 @@ def _setup_transport(self, **kwargs):
             timeout=constants.SOCKET_TIMEOUT,
             ssl_enable=self._ssl_enable,
             ssl_verify=self._ssl_verify,
+            ssl_verify_flags=self._ssl_verify_flags,
             keyfile=self._keyfile,
             certfile=self._certfile,
             ca_certs=self._ca_certs,
@@ -135,16 +138,17 @@ class AsynchronousLogstashHandler(SynchronousLogstashHandler):
     _worker_thread = None
 
     # ----------------------------------------------------------------------
-    # pylint: disable=too-many-arguments
+    # pylint: disable=too-many-arguments,too-many-positional-arguments
     def __init__(self, host, port, database_path, transport='logstash_async.transport.TcpTransport',
-                 ssl_enable=False, ssl_verify=True, keyfile=None, certfile=None, ca_certs=None,
-                 enable=True, event_ttl=None, encoding='utf-8', **kwargs):
+                 ssl_enable=False, ssl_verify=True, ssl_verify_flags=None, keyfile=None,
+                 certfile=None, ca_certs=None, enable=True, event_ttl=None, encoding='utf-8',
+                 **kwargs):
 
         self._database_path = database_path
         self._event_ttl = event_ttl
 
         super().__init__(host, port, transport,
-                 ssl_enable, ssl_verify, keyfile, certfile, ca_certs,
+                 ssl_enable, ssl_verify, ssl_verify_flags, keyfile, certfile, ca_certs,
                  enable, encoding, **kwargs)
 
     # ----------------------------------------------------------------------
@@ -178,6 +182,7 @@ def _start_worker_thread(self):
             transport=self._transport,
             ssl_enable=self._ssl_enable,
             ssl_verify=self._ssl_verify,
+            ssl_verify_flags=self._ssl_verify_flags,
             keyfile=self._keyfile,
             certfile=self._certfile,
             ca_certs=self._ca_certs,
diff --git a/logstash_async/transport.py b/logstash_async/transport.py
@@ -48,6 +48,8 @@ class Transport(ABC):
     :type ssl_enable: bool
     :param ssl_verify: Activates the TLS certificate verification.
     :type ssl_verify: bool or str
+    :param ssl_verify_flags: Verification flags for ssl.SSLContext or None
+    :type ssl_verify_flags: int
     :param use_logging: Use logging for debugging.
     :type use_logging: bool
     """
@@ -59,13 +61,15 @@ def __init__(
             timeout: Union[None, float],
             ssl_enable: bool,
             ssl_verify: Union[bool, str],
+            ssl_verify_flags: Union[None, int],
             use_logging: bool,
     ):
         self._host = host
         self._port = port
         self._timeout = None if timeout is TimeoutNotSet else timeout
         self._ssl_enable = ssl_enable
         self._ssl_verify = ssl_verify
+        self._ssl_verify_flags = ssl_verify_flags
         self._use_logging = use_logging
         super().__init__()
 
@@ -191,6 +195,7 @@ def __init__(  # pylint: disable=too-many-arguments
             port,
             ssl_enable,
             ssl_verify,
+            ssl_verify_flags,
             keyfile,
             certfile,
             ca_certs,
@@ -199,6 +204,7 @@ def __init__(  # pylint: disable=too-many-arguments
         super().__init__(host, port)
         self._ssl_enable = ssl_enable
         self._ssl_verify = ssl_verify
+        self._ssl_verify_flags = ssl_verify_flags
         self._keyfile = keyfile
         self._certfile = certfile
         self._ca_certs = ca_certs
@@ -227,6 +233,10 @@ def _create_socket(self):
 
             ssl_context.check_hostname = False
             ssl_context.verify_mode = cert_reqs
+
+            if self._ssl_verify_flags is not None:
+                ssl_context.verify_flags = self._ssl_verify_flags
+
             if self._certfile and self._keyfile:
                 ssl_context.load_cert_chain(self._certfile, self._keyfile)
             self._sock = ssl_context.wrap_socket(self._sock, server_side=False)
@@ -257,6 +267,7 @@ def __init__(  # pylint: disable=too-many-arguments
             port,
             ssl_enable,
             ssl_verify,
+            ssl_verify_flags,
             keyfile,
             certfile,
             ca_certs,
@@ -269,6 +280,7 @@ def __init__(  # pylint: disable=too-many-arguments
             timeout=timeout_,
             ssl_enable=ssl_enable,
             ssl_verify=ssl_verify,
+            ssl_verify_flags=ssl_verify_flags,
             keyfile=keyfile,
             certfile=certfile,
             ca_certs=ca_certs,
@@ -308,6 +320,8 @@ class HttpTransport(Transport):
     pass a string with a file location to CA certificate the class tries to
     validate it against it. (Default: True)
     :type ssl_verify: bool or str
+    :param ssl_verify_flags: Verification flags for ssl.SSLContext (Default: None)
+    :type ssl_verify_flags: int
     :param use_logging: Use logging for debugging.
     :type use_logging: bool
     :param username: Username for basic authorization. (Default: "")
@@ -319,18 +333,20 @@ class HttpTransport(Transport):
     :type max_content_length: int
     """
 
+    # pylint: disable=too-many-arguments,too-many-positional-arguments
     def __init__(
             self,
             host: str,
             port: int,
             timeout: Union[None, float] = TimeoutNotSet,
             ssl_enable: bool = True,
             ssl_verify: Union[bool, str] = True,
+            ssl_verify_flags: Union[None, int] = None,
             use_logging: bool = False,
             path: str = '',
             **kwargs
     ):
-        super().__init__(host, port, timeout, ssl_enable, ssl_verify, use_logging)
+        super().__init__(host, port, timeout, ssl_enable, ssl_verify, ssl_verify_flags, use_logging)
         self._username = kwargs.get('username')
         self._password = kwargs.get('password')
         self._max_content_length = kwargs.get('max_content_length', 100 * 1024 * 1024)
diff --git a/logstash_async/worker.py b/logstash_async/worker.py
@@ -49,6 +49,7 @@ def __init__(self, *args, **kwargs):
         self._transport = kwargs.pop('transport')
         self._ssl_enable = kwargs.pop('ssl_enable')
         self._ssl_verify = kwargs.pop('ssl_verify')
+        self._ssl_verify_flags = kwargs.pop('ssl_verify_flags')
         self._keyfile = kwargs.pop('keyfile')
         self._certfile = kwargs.pop('certfile')
         self._ca_certs = kwargs.pop('ca_certs')
diff --git a/setup.py b/setup.py
@@ -40,7 +40,7 @@
         'Documentation': 'https://python-logstash-async.readthedocs.io/en/stable/',
     },
     keywords='logging logstash asynchronous',
-    install_requires=['limits', 'pylogbeat', 'requests'],
+    install_requires=['limits', 'pylogbeat>=2.1.0', 'requests'],
     extras_require={
         'dev': ['django', 'flask'],
         'docs': ['sphinx-rtd-theme'],
