Limnoria/src/utils/net.py

###
# Copyright (c) 2002-2005, Jeremiah Fincher
# Copyright (c) 2011, 2013, James McCoy
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
#   * Redistributions of source code must retain the above copyright notice,
#     this list of conditions, and the following disclaimer.
#   * Redistributions in binary form must reproduce the above copyright notice,
#     this list of conditions, and the following disclaimer in the
#     documentation and/or other materials provided with the distribution.
#   * Neither the name of the author of this software nor the name of
#     contributors to this software may be used to endorse or promote products
#     derived from this software without specific prior written consent.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
###

"""
Simple utility modules.
"""

import re
import ssl
import socket
import hashlib

from .web import _ipAddr, _domain

emailRe = re.compile(r"^(\w&.+-]+!)*[\w&.+-]+@(%s|%s)$" % (_domain, _ipAddr),
                     re.I)

def getAddressFromHostname(host, port=None, attempt=0):
    addrinfo = socket.getaddrinfo(host, port)
    addresses = []
    for (family, socktype, proto, canonname, sockaddr) in addrinfo:
        if sockaddr[0] not in addresses:
            addresses.append(sockaddr[0])
    return addresses[attempt % len(addresses)]

def getSocket(host, port=None, socks_proxy=None, vhost=None, vhostv6=None):
    """Returns a socket of the correct AF_INET type (v4 or v6) in order to
    communicate with host.
    """
    if not socks_proxy:
        addrinfo = socket.getaddrinfo(host, port)
        host = addrinfo[0][4][0]
    if socks_proxy:
        import socks
        s = socks.socksocket()
        hostname, port = socks_proxy.rsplit(':', 1)
        s.setproxy(socks.PROXY_TYPE_SOCKS5, hostname, int(port),
                rdns=True)
        return s
    if isIPV4(host):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        if vhost:
            s.bind((vhost, 0))
        return s
    elif isIPV6(host):
        s = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
        if vhostv6:
            s.bind((vhostv6, 0))
        return s
    else:
        raise socket.error('Something wonky happened.')

def isIP(s):
    """Returns whether or not a given string is an IP address.

    >>> isIP('255.255.255.255')
    1

    >>> isIP('::1')
    0
    """
    return isIPV4(s) or isIPV6(s)

def isIPV4(s):
    """Returns whether or not a given string is an IPV4 address.

    >>> isIPV4('255.255.255.255')
    1

    >>> isIPV4('abc.abc.abc.abc')
    0
    """
    try:
        return bool(socket.inet_aton(str(s)))
    except socket.error:
        return False

def bruteIsIPV6(s):
    if s.count('::') <= 1:
        L = s.split(':')
        if len(L) <= 8:
            for x in L:
                if x:
                    try:
                        int(x, 16)
                    except ValueError:
                        return False
            return True
    return False

def isIPV6(s):
    """Returns whether or not a given string is an IPV6 address."""
    try:
        if hasattr(socket, 'inet_pton'):
            return bool(socket.inet_pton(socket.AF_INET6, s))
        else:
            return bruteIsIPV6(s)
    except socket.error:
        try:
            socket.inet_pton(socket.AF_INET6, '::')
        except socket.error:
            # We gotta fake it.
            return bruteIsIPV6(s)
        return False


normalize_fingerprint = lambda fp: fp.replace(':', '').lower()

FINGERPRINT_ALGORITHMS = ('md5', 'sha1', 'sha224', 'sha256', 'sha384',
        'sha512')
def check_certificate_fingerprint(conn, trusted_fingerprints):
    trusted_fingerprints = set(normalize_fingerprint(fp)
            for fp in trusted_fingerprints)
    cert = conn.getpeercert(binary_form=True)
    for algorithm in FINGERPRINT_ALGORITHMS:
        h = hashlib.new(algorithm)
        h.update(cert)
        if h.hexdigest() in trusted_fingerprints:
            return
    raise ssl.CertificateError('No matching fingerprint.')

if hasattr(ssl, 'create_default_context'):
    def ssl_wrap_socket(conn, hostname, logger, certfile=None,
            trusted_fingerprints=None, verify=True, ca_file=None,
            **kwargs):
        context = ssl.create_default_context(**kwargs)
        if trusted_fingerprints or not verify:
            # Do not use Certification Authorities
            context.check_hostname = False
            context.verify_mode = ssl.CERT_NONE
        if ca_file:
            context.load_verify_locations(cafile=ca_file)
        if certfile:
            context.load_cert_chain(certfile)
        conn = context.wrap_socket(conn, server_hostname=hostname)
        if verify and trusted_fingerprints:
            check_certificate_fingerprint(conn, trusted_fingerprints)
        return conn
else:
    def ssl_wrap_socket(conn, hostname, logger, verify=True,
            certfile=None,
            ca_file=None, trusted_fingerprints=None):
        # TLSv1.0 is the only TLS version Python < 2.7.9 supports
        # (besides SSLv2 and v3, which are known to be insecure)
        conn = ssl.wrap_socket(conn, certfile=certfile, ca_certs=ca_file,
                ssl_version=ssl.PROTOCOL_TLSv1)
        if trusted_fingerprints:
            check_certificate_fingerprint(conn, trusted_fingerprints)
        elif verify:
            logger.critical('This Python version does not support SSL/TLS '
                    'certification authority verification, which makes your '
                    'connection vulnerable to man-in-the-middle attacks. See: '
                    '<http://doc.supybot.aperio.fr/en/latest/use/security.html#ssl-python-versions>')
        return conn
# vim:set shiftwidth=4 softtabstop=4 expandtab textwidth=79:
Initial import. 2005-01-19 14:14:38 +01:00			`###`
Completely restructured our utils modules. Tons of changes. Here's the summary of things that matter most: * There is no more supybot.fix. * There is no more supybot.webutils; now there is supybot.utils.web. * It's no longer webutils.WebError, but just utils.web.Error. * You shouldn't import itertools, ideally, but instead import utils.iter. * No more using imap/ifilter in commands unless absolutely necessary. It's premature optimization and annoying. * utils.str.format isn't quite ready yet, but will be soon. That'll be the next big thing to fix in our code. 2005-01-27 07:59:08 +01:00			`# Copyright (c) 2002-2005, Jeremiah Fincher`
getSocket: Use returned family to create the socket The existing code was parsing the passed in host to determine what type of socket family to create. getaddrinfo already provides this for us, so there's no need to perform our own, potentially buggy, parsing. Signed-off-by: James McCoy <jamessan@users.sourceforge.net> 2013-08-23 05:40:28 +02:00			`# Copyright (c) 2011, 2013, James McCoy`
Initial import. 2005-01-19 14:14:38 +01:00			`# All rights reserved.`
			`#`
			`# Redistribution and use in source and binary forms, with or without`
			`# modification, are permitted provided that the following conditions are met:`
			`#`
			`# * Redistributions of source code must retain the above copyright notice,`
			`# this list of conditions, and the following disclaimer.`
			`# * Redistributions in binary form must reproduce the above copyright notice,`
			`# this list of conditions, and the following disclaimer in the`
			`# documentation and/or other materials provided with the distribution.`
			`# * Neither the name of the author of this software nor the name of`
			`# contributors to this software may be used to endorse or promote products`
			`# derived from this software without specific prior written consent.`
			`#`
			`# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"`
			`# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE`
			`# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE`
			`# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE`
			`# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR`
			`# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF`
			`# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS`
			`# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN`
			`# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)`
			`# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE`
			`# POSSIBILITY OF SUCH DAMAGE.`
			`###`

Completely restructured our utils modules. Tons of changes. Here's the summary of things that matter most: * There is no more supybot.fix. * There is no more supybot.webutils; now there is supybot.utils.web. * It's no longer webutils.WebError, but just utils.web.Error. * You shouldn't import itertools, ideally, but instead import utils.iter. * No more using imap/ifilter in commands unless absolutely necessary. It's premature optimization and annoying. * utils.str.format isn't quite ready yet, but will be soon. That'll be the next big thing to fix in our code. 2005-01-27 07:59:08 +01:00			`"""`
			`Simple utility modules.`
			`"""`
Initial import. 2005-01-19 14:14:38 +01:00
Added emailRe to utils.net. 2005-02-01 07:34:58 +01:00			`import re`
Verify server certificate, and deprecate Python < 2.7.9. Closes GH-1031. 2016-02-21 13:20:09 +01:00			`import ssl`
Completely restructured our utils modules. Tons of changes. Here's the summary of things that matter most: * There is no more supybot.fix. * There is no more supybot.webutils; now there is supybot.utils.web. * It's no longer webutils.WebError, but just utils.web.Error. * You shouldn't import itertools, ideally, but instead import utils.iter. * No more using imap/ifilter in commands unless absolutely necessary. It's premature optimization and annoying. * utils.str.format isn't quite ready yet, but will be soon. That'll be the next big thing to fix in our code. 2005-01-27 07:59:08 +01:00			`import socket`
Add support for using server certificate fingerprint instead of CA signature. 2016-02-21 14:18:14 +01:00			`import hashlib`
Initial import. 2005-01-19 14:14:38 +01:00
utils.net: Use _ipAddr and _domain from utils.web to define emailRe Signed-off-by: James McCoy <jamessan@users.sourceforge.net> 2012-10-21 01:43:11 +02:00			`from .web import _ipAddr, _domain`
Fix email regexp to be RFC-compliant 2011-05-03 20:23:20 +02:00
utils.net: Use _ipAddr and _domain from utils.web to define emailRe Signed-off-by: James McCoy <jamessan@users.sourceforge.net> 2012-10-21 01:43:11 +02:00			`emailRe = re.compile(r"^(\w&.+-]+!)*[\w&.+-]+@(%s\|%s)$" % (_domain, _ipAddr),`
			`re.I)`
Added emailRe to utils.net. 2005-02-01 07:34:58 +01:00
Add support for SRV records in domain name resolution. 2014-03-01 09:22:14 +01:00			`def getAddressFromHostname(host, port=None, attempt=0):`
			`addrinfo = socket.getaddrinfo(host, port)`
Add supybot.utils.net.getAddressFromHostname() and improve Socket driver to try successively all IP addresses. 2013-05-31 17:21:10 +02:00			`addresses = []`
			`for (family, socktype, proto, canonname, sockaddr) in addrinfo:`
			`if sockaddr[0] not in addresses:`
			`addresses.append(sockaddr[0])`
			`return addresses[attempt % len(addresses)]`

Add support for SRV records in domain name resolution. 2014-03-01 09:22:14 +01:00			`def getSocket(host, port=None, socks_proxy=None, vhost=None, vhostv6=None):`
Completely restructured our utils modules. Tons of changes. Here's the summary of things that matter most: * There is no more supybot.fix. * There is no more supybot.webutils; now there is supybot.utils.web. * It's no longer webutils.WebError, but just utils.web.Error. * You shouldn't import itertools, ideally, but instead import utils.iter. * No more using imap/ifilter in commands unless absolutely necessary. It's premature optimization and annoying. * utils.str.format isn't quite ready yet, but will be soon. That'll be the next big thing to fix in our code. 2005-01-27 07:59:08 +01:00			`"""Returns a socket of the correct AF_INET type (v4 or v6) in order to`
			`communicate with host.`
			`"""`
Socket: Forward DNS queries via the socks proxy (if any). 2013-08-17 15:47:27 +02:00			`if not socks_proxy:`
Add support for SRV records in domain name resolution. 2014-03-01 09:22:14 +01:00			`addrinfo = socket.getaddrinfo(host, port)`
Socket: Forward DNS queries via the socks proxy (if any). 2013-08-17 15:47:27 +02:00			`host = addrinfo[0][4][0]`
Socket driver: Add support for Socks proxies. 2012-10-07 13:13:08 +02:00			`if socks_proxy:`
			`import socks`
			`s = socks.socksocket()`
			`hostname, port = socks_proxy.rsplit(':', 1)`
Socket: Forward DNS queries via the socks proxy (if any). 2013-08-17 15:47:27 +02:00			`s.setproxy(socks.PROXY_TYPE_SOCKS5, hostname, int(port),`
			`rdns=True)`
Socket driver: Add support for Socks proxies. 2012-10-07 13:13:08 +02:00			`return s`
Add utils.net.isIPV4, with utils.net.isIP checking v4 or v6 Signed-off-by: James Vega <jamessan@users.sourceforge.net> 2011-06-07 03:44:15 +02:00			`if isIPV4(host):`
Add support of IP-binding in non-IRC connections. 2014-03-01 09:06:21 +01:00			`s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)`
			`if vhost:`
			`s.bind((vhost, 0))`
			`return s`
Completely restructured our utils modules. Tons of changes. Here's the summary of things that matter most: * There is no more supybot.fix. * There is no more supybot.webutils; now there is supybot.utils.web. * It's no longer webutils.WebError, but just utils.web.Error. * You shouldn't import itertools, ideally, but instead import utils.iter. * No more using imap/ifilter in commands unless absolutely necessary. It's premature optimization and annoying. * utils.str.format isn't quite ready yet, but will be soon. That'll be the next big thing to fix in our code. 2005-01-27 07:59:08 +01:00			`elif isIPV6(host):`
Add support of IP-binding in non-IRC connections. 2014-03-01 09:06:21 +01:00			`s = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)`
			`if vhostv6:`
			`s.bind((vhostv6, 0))`
			`return s`
Completely restructured our utils modules. Tons of changes. Here's the summary of things that matter most: * There is no more supybot.fix. * There is no more supybot.webutils; now there is supybot.utils.web. * It's no longer webutils.WebError, but just utils.web.Error. * You shouldn't import itertools, ideally, but instead import utils.iter. * No more using imap/ifilter in commands unless absolutely necessary. It's premature optimization and annoying. * utils.str.format isn't quite ready yet, but will be soon. That'll be the next big thing to fix in our code. 2005-01-27 07:59:08 +01:00			`else:`
Continue accelerating the 2to3 step (remove fix_raise). 2014-01-20 15:43:55 +01:00			`raise socket.error('Something wonky happened.')`
Initial import. 2005-01-19 14:14:38 +01:00
Completely restructured our utils modules. Tons of changes. Here's the summary of things that matter most: * There is no more supybot.fix. * There is no more supybot.webutils; now there is supybot.utils.web. * It's no longer webutils.WebError, but just utils.web.Error. * You shouldn't import itertools, ideally, but instead import utils.iter. * No more using imap/ifilter in commands unless absolutely necessary. It's premature optimization and annoying. * utils.str.format isn't quite ready yet, but will be soon. That'll be the next big thing to fix in our code. 2005-01-27 07:59:08 +01:00			`def isIP(s):`
Add utils.net.isIPV4, with utils.net.isIP checking v4 or v6 Signed-off-by: James Vega <jamessan@users.sourceforge.net> 2011-06-07 03:44:15 +02:00			`"""Returns whether or not a given string is an IP address.`
Initial import. 2005-01-19 14:14:38 +01:00
Completely restructured our utils modules. Tons of changes. Here's the summary of things that matter most: * There is no more supybot.fix. * There is no more supybot.webutils; now there is supybot.utils.web. * It's no longer webutils.WebError, but just utils.web.Error. * You shouldn't import itertools, ideally, but instead import utils.iter. * No more using imap/ifilter in commands unless absolutely necessary. It's premature optimization and annoying. * utils.str.format isn't quite ready yet, but will be soon. That'll be the next big thing to fix in our code. 2005-01-27 07:59:08 +01:00			`>>> isIP('255.255.255.255')`
			`1`
Initial import. 2005-01-19 14:14:38 +01:00
Add utils.net.isIPV4, with utils.net.isIP checking v4 or v6 Signed-off-by: James Vega <jamessan@users.sourceforge.net> 2011-06-07 03:44:15 +02:00			`>>> isIP('::1')`
			`0`
			`"""`
			`return isIPV4(s) or isIPV6(s)`

			`def isIPV4(s):`
			`"""Returns whether or not a given string is an IPV4 address.`

			`>>> isIPV4('255.255.255.255')`
			`1`

			`>>> isIPV4('abc.abc.abc.abc')`
Completely restructured our utils modules. Tons of changes. Here's the summary of things that matter most: * There is no more supybot.fix. * There is no more supybot.webutils; now there is supybot.utils.web. * It's no longer webutils.WebError, but just utils.web.Error. * You shouldn't import itertools, ideally, but instead import utils.iter. * No more using imap/ifilter in commands unless absolutely necessary. It's premature optimization and annoying. * utils.str.format isn't quite ready yet, but will be soon. That'll be the next big thing to fix in our code. 2005-01-27 07:59:08 +01:00			`0`
			`"""`
			`try:`
core: force inet_aton argument to string to prevent occasional error on reconnect. it /should/ always be a string anyway, but sometimes things break with a TypeError that it is an int instead of the expected string and hangs up the bot. 2012-06-01 04:53:21 +02:00			`return bool(socket.inet_aton(str(s)))`
Completely restructured our utils modules. Tons of changes. Here's the summary of things that matter most: * There is no more supybot.fix. * There is no more supybot.webutils; now there is supybot.utils.web. * It's no longer webutils.WebError, but just utils.web.Error. * You shouldn't import itertools, ideally, but instead import utils.iter. * No more using imap/ifilter in commands unless absolutely necessary. It's premature optimization and annoying. * utils.str.format isn't quite ready yet, but will be soon. That'll be the next big thing to fix in our code. 2005-01-27 07:59:08 +01:00			`except socket.error:`
			`return False`
Initial import. 2005-01-19 14:14:38 +01:00
Completely restructured our utils modules. Tons of changes. Here's the summary of things that matter most: * There is no more supybot.fix. * There is no more supybot.webutils; now there is supybot.utils.web. * It's no longer webutils.WebError, but just utils.web.Error. * You shouldn't import itertools, ideally, but instead import utils.iter. * No more using imap/ifilter in commands unless absolutely necessary. It's premature optimization and annoying. * utils.str.format isn't quite ready yet, but will be soon. That'll be the next big thing to fix in our code. 2005-01-27 07:59:08 +01:00			`def bruteIsIPV6(s):`
			`if s.count('::') <= 1:`
			`L = s.split(':')`
			`if len(L) <= 8:`
			`for x in L:`
			`if x:`
			`try:`
			`int(x, 16)`
			`except ValueError:`
			`return False`
			`return True`
			`return False`

			`def isIPV6(s):`
			`"""Returns whether or not a given string is an IPV6 address."""`
			`try:`
			`if hasattr(socket, 'inet_pton'):`
			`return bool(socket.inet_pton(socket.AF_INET6, s))`
			`else:`
			`return bruteIsIPV6(s)`
			`except socket.error:`
			`try:`
			`socket.inet_pton(socket.AF_INET6, '::')`
			`except socket.error:`
			`# We gotta fake it.`
			`return bruteIsIPV6(s)`
			`return False`
Initial import. 2005-01-19 14:14:38 +01:00
Add support for using server certificate fingerprint instead of CA signature. 2016-02-21 14:18:14 +01:00
Normalize fingerprints to allow more formats. https://github.com/Limnoria/Limnoria-doc/issues/76#issuecomment-198794341 2016-03-20 10:28:33 +01:00			`normalize_fingerprint = lambda fp: fp.replace(':', '').lower()`

Add support for using server certificate fingerprint instead of CA signature. 2016-02-21 14:18:14 +01:00			`FINGERPRINT_ALGORITHMS = ('md5', 'sha1', 'sha224', 'sha256', 'sha384',`
			`'sha512')`
			`def check_certificate_fingerprint(conn, trusted_fingerprints):`
Normalize fingerprints to allow more formats. https://github.com/Limnoria/Limnoria-doc/issues/76#issuecomment-198794341 2016-03-20 10:28:33 +01:00			`trusted_fingerprints = set(normalize_fingerprint(fp)`
			`for fp in trusted_fingerprints)`
Add support for using server certificate fingerprint instead of CA signature. 2016-02-21 14:18:14 +01:00			`cert = conn.getpeercert(binary_form=True)`
			`for algorithm in FINGERPRINT_ALGORITHMS:`
			`h = hashlib.new(algorithm)`
			`h.update(cert)`
			`if h.hexdigest() in trusted_fingerprints:`
			`return`
			`raise ssl.CertificateError('No matching fingerprint.')`

Verify server certificate, and deprecate Python < 2.7.9. Closes GH-1031. 2016-02-21 13:20:09 +01:00			`if hasattr(ssl, 'create_default_context'):`
			`def ssl_wrap_socket(conn, hostname, logger, certfile=None,`
Add support for authority certificates. 2016-02-23 20:52:36 +01:00			`trusted_fingerprints=None, verify=True, ca_file=None,`
Add support for using server certificate fingerprint instead of CA signature. 2016-02-21 14:18:14 +01:00			`**kwargs):`
Verify server certificate, and deprecate Python < 2.7.9. Closes GH-1031. 2016-02-21 13:20:09 +01:00			`context = ssl.create_default_context(**kwargs)`
Add supybot.protocols.ssl.verifyCertificates. And remove unused variable supybot.protocols.ssl.verifyMode. 2016-02-21 14:42:41 +01:00			`if trusted_fingerprints or not verify:`
Add support for using server certificate fingerprint instead of CA signature. 2016-02-21 14:18:14 +01:00			`# Do not use Certification Authorities`
			`context.check_hostname = False`
			`context.verify_mode = ssl.CERT_NONE`
Add support for authority certificates. 2016-02-23 20:52:36 +01:00			`if ca_file:`
			`context.load_verify_locations(cafile=ca_file)`
Verify server certificate, and deprecate Python < 2.7.9. Closes GH-1031. 2016-02-21 13:20:09 +01:00			`if certfile:`
			`context.load_cert_chain(certfile)`
Add support for using server certificate fingerprint instead of CA signature. 2016-02-21 14:18:14 +01:00			`conn = context.wrap_socket(conn, server_hostname=hostname)`
Add supybot.protocols.ssl.verifyCertificates. And remove unused variable supybot.protocols.ssl.verifyMode. 2016-02-21 14:42:41 +01:00			`if verify and trusted_fingerprints:`
Add support for using server certificate fingerprint instead of CA signature. 2016-02-21 14:18:14 +01:00			`check_certificate_fingerprint(conn, trusted_fingerprints)`
			`return conn`
Verify server certificate, and deprecate Python < 2.7.9. Closes GH-1031. 2016-02-21 13:20:09 +01:00			`else:`
Add supybot.protocols.ssl.verifyCertificates. And remove unused variable supybot.protocols.ssl.verifyMode. 2016-02-21 14:42:41 +01:00			`def ssl_wrap_socket(conn, hostname, logger, verify=True,`
			`certfile=None,`
Add support for authority certificates. 2016-02-23 20:52:36 +01:00			`ca_file=None, trusted_fingerprints=None):`
Verify server certificate, and deprecate Python < 2.7.9. Closes GH-1031. 2016-02-21 13:20:09 +01:00			`# TLSv1.0 is the only TLS version Python < 2.7.9 supports`
			`# (besides SSLv2 and v3, which are known to be insecure)`
Add support for authority certificates. 2016-02-23 20:52:36 +01:00			`conn = ssl.wrap_socket(conn, certfile=certfile, ca_certs=ca_file,`
Remove unsupported option verify_mode to ssl.wrap_socket. 2016-02-24 07:43:21 +01:00			`ssl_version=ssl.PROTOCOL_TLSv1)`
Add support for using server certificate fingerprint instead of CA signature. 2016-02-21 14:18:14 +01:00			`if trusted_fingerprints:`
			`check_certificate_fingerprint(conn, trusted_fingerprints)`
Add supybot.protocols.ssl.verifyCertificates. And remove unused variable supybot.protocols.ssl.verifyMode. 2016-02-21 14:42:41 +01:00			`elif verify:`
Add support for using server certificate fingerprint instead of CA signature. 2016-02-21 14:18:14 +01:00			`logger.critical('This Python version does not support SSL/TLS '`
			`'certification authority verification, which makes your '`
Improve SSL-related version warnings. 2016-02-24 17:25:51 +01:00			`'connection vulnerable to man-in-the-middle attacks. See: '`
			`'<http://doc.supybot.aperio.fr/en/latest/use/security.html#ssl-python-versions>')`
Add support for using server certificate fingerprint instead of CA signature. 2016-02-21 14:18:14 +01:00			`return conn`
Change the modeline to use softtabstop instead of tabstop. 2006-02-11 16:52:51 +01:00			`# vim:set shiftwidth=4 softtabstop=4 expandtab textwidth=79:`