ironic.common.tls_utils module

Shared TLS utilities for Ironic.

This module consolidates TLS-related constants, adapters, and helpers that were previously duplicated across image_service, agent_client, and wsgi_service.

class ironic.common.tls_utils.TLSHTTPAdapter(ssl_context=None, **kwargs)

Bases: HTTPAdapter

HTTPS adapter with configurable TLS settings.

init_poolmanager(*args, **kwargs)

Initializes a urllib3 PoolManager.

This method should not be called from user code, and is only exposed for use when subclassing the HTTPAdapter.

Parameters:
  • connections – The number of urllib3 connection pools to cache.

  • maxsize – The maximum number of connections to save in the pool.

  • block – Block when no free connections are available.

  • pool_kwargs – Extra keyword arguments used to initialize the Pool Manager.

ironic.common.tls_utils.build_ssl_context(tls_minimum_version=None, tls_ciphers=None)

Create an ssl.SSLContext with the given TLS constraints.

Parameters:
  • tls_minimum_version – Minimum TLS version string (e.g. ‘1.2’, ‘1.3’) or None.

  • tls_ciphers – OpenSSL cipher string or None.

Returns:

A configured ssl.SSLContext, or None if both params are falsy.

ironic.common.tls_utils.check_tls_version_supported(version_str)

Validate that the requested TLS version is available.

Checks both compile-time flags and runtime crypto policy to ensure the configured TLS version can actually be used. Raises RuntimeError with a clear message at startup rather than letting the service fail later with an opaque SSL error.
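The contract described for build_ssl_context and check_tls_version_supported, as an added standard-library sketch; it is not Ironic's code. The names check_version and build_context, the two-entry version table, the ValueError for unknown strings and the maximum_version probe are assumptions made for this example.

```python
import ssl

# Assumed mapping: only the two versions the docs mention are accepted here.
_VERSIONS = {
    "1.2": (ssl.TLSVersion.TLSv1_2, "HAS_TLSv1_2"),
    "1.3": (ssl.TLSVersion.TLSv1_3, "HAS_TLSv1_3"),
}


def check_version(version_str):
    """Return the ssl.TLSVersion for version_str or fail with a clear error."""
    if version_str not in _VERSIONS:
        # Assumption: unknown strings are a config error, reported as ValueError.
        raise ValueError(f"unknown TLS version {version_str!r}")
    version, flag = _VERSIONS[version_str]
    # Compile-time check: was the linked OpenSSL built with this protocol?
    if not getattr(ssl, flag, False):
        raise RuntimeError(f"TLS {version_str} is not compiled into OpenSSL")
    # Runtime check (assumed approach): a fresh context reflects limits from
    # the system OpenSSL configuration, e.g. a distribution crypto policy.
    ceiling = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT).maximum_version
    if ceiling != ssl.TLSVersion.MAXIMUM_SUPPORTED and version > ceiling:
        raise RuntimeError(
            f"TLS {version_str} exceeds the system maximum {ceiling.name}")
    return version


def build_context(tls_minimum_version=None, tls_ciphers=None):
    """Return a verifying client context, or None if nothing is configured."""
    if not tls_minimum_version and not tls_ciphers:
        return None  # caller keeps the library defaults
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname checking
    if tls_minimum_version:
        ctx.minimum_version = check_version(tls_minimum_version)
    if tls_ciphers:
        # Raises ssl.SSLError when the string selects no usable cipher.
        ctx.set_ciphers(tls_ciphers)
    return ctx


if __name__ == "__main__":
    ctx = build_context("1.2", "ECDHE+AESGCM")
    print(ctx.minimum_version.name, len(ctx.get_ciphers()), "ciphers enabled")
```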