
clientbot: initial pass of TLS cert validation (#592)

This works OK, but we should make the validation options built-in instead of clientbot-specific.
This commit is contained in:
James Lu 2018-06-15 02:47:12 -07:00
parent d3125d9a8f
commit 4524aebbac
3 changed files with 26 additions and 4 deletions


@ -1615,7 +1615,7 @@ class IRCNetwork(PyLinkNetworkCoreWithUtils):
self.name) self.name)
raise raise
self._socket = context.wrap_socket(self._socket) self._socket = context.wrap_socket(self._socket, server_hostname=self.serverdata.get('ip'))
def _verify_ssl(self): def _verify_ssl(self):
""" """


@ -386,7 +386,7 @@ servers:
# Sample Clientbot configuration, if you want to connect PyLink as a bot to relay somewhere # Sample Clientbot configuration, if you want to connect PyLink as a bot to relay somewhere
# (or do other bot things). # (or do other bot things).
magicnet: magicnet:
ip: 1.2.3.4 ip: irc.somenet.local
port: 6697 port: 6697
# Optional server password. # Optional server password.
@ -405,12 +405,20 @@ servers:
# number of underscores. # number of underscores.
#pylink_altnicks: ["pybot`", "pybot-"] #pylink_altnicks: ["pybot`", "pybot-"]
# SSL options. Certfile and keyfile are optional, but can be used for CertFP/SASL external # TLS/SSL options. Certfile and keyfile are optional, but can be used for CertFP/SASL external
# if supported. # where supported.
ssl: true ssl: true
#ssl_certfile: mycert.pem #ssl_certfile: mycert.pem
#ssl_keyfile: mycert.pem #ssl_keyfile: mycert.pem
# New in 2.0: Determines whether the target server's TLS certificate hostnames should be
# checked against the hostname given. This defaults to true if not specified.
#ssl_validate_hostname: true
# New in 2.0: When enabled, this disables TLS certificate validation on the target network.
# This defaults to false if not specified.
#ssl_accept_invalid_certs: false
# Autoconnect works as usual. # Autoconnect works as usual.
autoconnect: 30 autoconnect: 30
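Review bot: The comment on `ssl_accept_invalid_certs` understates what the option does: the clientbot implementation in this commit also turns off hostname checking when it is enabled, so the comment should read `# New in 2.0: When enabled, this disables TLS certificate validation (including hostname checking) on the target network.` Likewise, `ssl_validate_hostname` compares the certificate against the value of the `ip` key, which is why the sample was changed from an IP literal to a DNS name; saying so in the comment, e.g. `# The name checked is the 'ip' value above, so use a hostname rather than an IP literal.`, makes the two options easier to configure correctly.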


@ -57,6 +57,20 @@ class ClientbotWrapperProtocol(IRCCommonProtocol):
self.hook_map = {'ACCOUNT': 'CLIENT_SERVICES_LOGIN'} self.hook_map = {'ACCOUNT': 'CLIENT_SERVICES_LOGIN'}
def _make_ssl_context(self):
"""
Returns a ssl.SSLContext instance with certificate validation enabled by default.
"""
context = ssl.create_default_context()
if self.serverdata.get('ssl_accept_invalid_certs', False):
# Note: we have to disable hostname checking before disabling cert validation
context.check_hostname = False
context.verify_mode = ssl.CERT_NONE
else:
context.check_hostname = self.serverdata.get('ssl_validate_hostname', True)
return context
def post_connect(self): def post_connect(self):
"""Initializes a connection to a server.""" """Initializes a connection to a server."""
# (Re)initialize counter-based pseudo UID generators # (Re)initialize counter-based pseudo UID generators
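Review bot: The `ssl_accept_invalid_certs` branch in `_make_ssl_context` silently downgrades the connection to no certificate and no hostname validation; an operator reading the logs has no way to tell that this network is running without TLS peer verification. Emit a warning through the module's logger in that branch, naming the network, so the weakened configuration is visible at connect time rather than only in the config file. The docstring should also say which config keys drive the result (`ssl_accept_invalid_certs` disables verification entirely, `ssl_validate_hostname` toggles only `check_hostname` while chain validation stays on), since the one-line summary currently claims only that validation is "enabled by default". The new method relies on the `ssl` module being imported at the top of clientbot.py, which is outside this hunk and worth confirming.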