utils.net: always check fingerprints if they are set, even if verifyCertificates is False.

It makes sense that manually configuring fingerprints overrides this value which defaults to False.
2024-11-26 12:49:24 +01:00 · 2020-08-01 21:45:08 +02:00 · 2020-08-01 21:45:08 +02:00 · 57da6d04e2
commit 57da6d04e2
parent 9317a67345
2 changed files with 3 additions and 2 deletions
--- a/src/conf.py
+++ b/src/conf.py
@ -1377,7 +1377,8 @@ registerGroup(supybot.protocols, 'ssl')
 registerGlobalValue(supybot.protocols.ssl, 'verifyCertificates',
    registry.Boolean(False, _("""Determines whether server certificates
    will be verified, which checks whether the server certificate is signed
-    by a known certificate authority, and aborts the connection if it is not.""")))
+    by a known certificate authority, and aborts the connection if it is not.
+    This is assumed to be True of serverFingerprints is set.""")))


 ###
--- a/src/utils/net.py
+++ b/src/utils/net.py
@ -187,7 +187,7 @@ def ssl_wrap_socket(conn, hostname, logger, certfile=None,
            context.load_cert_chain(certfile)
    with _prefix_ssl_error('establishing TLS connection'):
        conn = context.wrap_socket(conn, server_hostname=hostname)
-    if verify and trusted_fingerprints:
+    if trusted_fingerprints:
        check_certificate_fingerprint(conn, trusted_fingerprints)
    return conn