clientbot: initial pass of TLS cert validation (#592)
This works OK, but we should make the validation options built-in instead of clientbot-specific.
This commit is contained in:
parent
d3125d9a8f
commit
4524aebbac
@ -1615,7 +1615,7 @@ class IRCNetwork(PyLinkNetworkCoreWithUtils):
self.name)
raise
self._socket = context.wrap_socket(self._socket)
self._socket = context.wrap_socket(self._socket, server_hostname=self.serverdata.get('ip'))
def _verify_ssl(self):
"""
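Review bot: The name handed to `wrap_socket` on the new line is whatever the `ip` config key holds, so when the context was built with `check_hostname` enabled (the clientbot default introduced in this same commit) that value must be the DNS name the server's certificate is issued for; a numeric address only verifies if the certificate carries a matching IP subjectAltName, and a missing `ip` makes `wrap_socket` raise `ValueError` because `check_hostname` requires `server_hostname`. The sample config's switch from `1.2.3.4` to `irc.somenet.local` suggests this is understood, but it deserves a comment on the line: `# server_hostname is what the certificate's SAN/CN is matched against; it must be the configured DNS name, not a bare address`. The enclosing method starts outside the hunk, so I cannot see whether `ip` is guaranteed to be set at this point.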
@ -386,7 +386,7 @@ servers:
# Sample Clientbot configuration, if you want to connect PyLink as a bot to relay somewhere
# (or do other bot things).
magicnet:
ip: 1.2.3.4
ip: irc.somenet.local
port: 6697
# Optional server password.
@ -405,12 +405,20 @@ servers:
# number of underscores.
#pylink_altnicks: ["pybot`", "pybot-"]
# SSL options. Certfile and keyfile are optional, but can be used for CertFP/SASL external
# if supported.
# TLS/SSL options. Certfile and keyfile are optional, but can be used for CertFP/SASL external
# where supported.
ssl: true
#ssl_certfile: mycert.pem
#ssl_keyfile: mycert.pem
# New in 2.0: Determines whether the target server's TLS certificate hostnames should be
# checked against the hostname given. This defaults to true if not specified.
#ssl_validate_hostname: true
# New in 2.0: When enabled, this disables TLS certificate validation on the target network.
# This defaults to false if not specified.
#ssl_accept_invalid_certs: false
# Autoconnect works as usual.
autoconnect: 30
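Review bot: The comment for `ssl_accept_invalid_certs` does not say that enabling it also bypasses `ssl_validate_hostname`, which is what the clientbot context code in this commit does (hostname checking is only consulted when invalid certificates are rejected). Suggest extending it with `# This also disables hostname checking, regardless of ssl_validate_hostname.` The `ssl_validate_hostname` comment could likewise state that the name compared against the certificate is the value of `ip`, which is why the sample now uses a DNS name rather than a bare address.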
@ -57,6 +57,20 @@ class ClientbotWrapperProtocol(IRCCommonProtocol):
self.hook_map = {'ACCOUNT': 'CLIENT_SERVICES_LOGIN'}
def _make_ssl_context(self):
"""
Returns a ssl.SSLContext instance with certificate validation enabled by default.
"""
context = ssl.create_default_context()
if self.serverdata.get('ssl_accept_invalid_certs', False):
# Note: we have to disable hostname checking before disabling cert validation
context.check_hostname = False
context.verify_mode = ssl.CERT_NONE
else:
context.check_hostname = self.serverdata.get('ssl_validate_hostname', True)
return context
def post_connect(self):
"""Initializes a connection to a server."""
# (Re)initialize counter-based pseudo UID generators
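Review bot: `_make_ssl_context` builds a fresh `ssl.create_default_context()`, but nothing in the hunk loads the `ssl_certfile`/`ssl_keyfile` pair that the sample config documents for CertFP/SASL external, so confirm that the caller attaches them to this context with `load_cert_chain` rather than to a different one. The docstring should also name the two config keys the method consults, e.g. `Returns an ssl.SSLContext with certificate validation enabled. Honours serverdata['ssl_accept_invalid_certs'] (disables both chain and hostname checks) and, otherwise, serverdata['ssl_validate_hostname'].` Since the default context trusts only the system CA store, a network whose certificate is issued by a private CA (as the sample `irc.somenet.local` might be) will fail validation unless that CA is installed system-wide; a CA-file option seems like a natural part of the built-in validation the commit message anticipates. `post_connect` continues outside the hunk.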