From 57da6d04e246c3b39298fcd48483fda091a4f3e5 Mon Sep 17 00:00:00 2001
From: Valentin Lorentz
Date: Sat, 1 Aug 2020 21:45:08 +0200
Subject: [PATCH] utils.net: always check fingerprints if they are set, even if verifyCertificates is False. It makes sense that manually configuring fingerprints overrides this value which defaults to False.
---
 src/conf.py | 3 ++-
 src/utils/net.py | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/conf.py b/src/conf.py
index 22110e537..8afdad0bb 100644
--- a/src/conf.py
+++ b/src/conf.py
@@ -1377,7 +1377,8 @@ registerGroup(supybot.protocols, 'ssl')
 registerGlobalValue(supybot.protocols.ssl, 'verifyCertificates', registry.Boolean(False, _("""Determines whether server certificates will be verified, which checks whether the server certificate is signed
- by a known certificate authority, and aborts the connection if it is not.""")))
+ by a known certificate authority, and aborts the connection if it is not.
+ This is assumed to be True of serverFingerprints is set.""")))
 ###
diff --git a/src/utils/net.py b/src/utils/net.py
index e81965916..2f52eddb7 100644
--- a/src/utils/net.py
+++ b/src/utils/net.py
@@ -187,7 +187,7 @@ def ssl_wrap_socket(conn, hostname, logger, certfile=None,
 context.load_cert_chain(certfile)
 with _prefix_ssl_error('establishing TLS connection'):
 conn = context.wrap_socket(conn, server_hostname=hostname)
- if verify and trusted_fingerprints:
+ if trusted_fingerprints:
 check_certificate_fingerprint(conn, trusted_fingerprints)
 return conn
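Review bot: The sentence added to the `verifyCertificates` help text has a typo (`of` for `if`) and says more than the code change in `src/utils/net.py` does. That change only makes the fingerprint comparison run whenever fingerprints are configured; nothing visible in this patch enables certificate-authority validation. An operator who reads "assumed to be True" may therefore believe CA checks are active when only the pinned fingerprint is enforced. A wording that matches the behaviour would be `Fingerprints listed in serverFingerprints are always checked, regardless of this setting.`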
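Review bot: The new `if trusted_fingerprints:` guard should carry a comment saying the pin check is deliberately independent of `verify`, so a later cleanup does not restore the old condition. Something like `# Pinned fingerprints are an explicit trust decision: check them even when verify is False.` would do. The context setup is above the hunk, so it is only inferred that the handshake can now complete with validation disabled before the fingerprint is compared. It is worth confirming that `check_certificate_fingerprint` can still read the peer certificate in that mode, and that a mismatch does not leave the wrapped `conn` open. `ssl_wrap_socket` begins outside the hunk.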