utils.net: always check fingerprints if they are set, even if verifyCertificates is False.

It makes sense that manually configuring fingerprints overrides this
value which defaults to False.
Valentin Lorentz 2020-08-01 21:45:08 +02:00
parent 9317a67345
commit 57da6d04e2
2 changed files with 3 additions and 2 deletions


@ -1377,7 +1377,8 @@ registerGroup(supybot.protocols, 'ssl')
registerGlobalValue(supybot.protocols.ssl, 'verifyCertificates', registerGlobalValue(supybot.protocols.ssl, 'verifyCertificates',
registry.Boolean(False, _("""Determines whether server certificates registry.Boolean(False, _("""Determines whether server certificates
will be verified, which checks whether the server certificate is signed will be verified, which checks whether the server certificate is signed
by a known certificate authority, and aborts the connection if it is not."""))) by a known certificate authority, and aborts the connection if it is not.
This is assumed to be True of serverFingerprints is set.""")))
### ###
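Review bot: The added help-text sentence has a typo, "True of serverFingerprints" where "True if" is meant, and users will see it as written. It also appears to claim more than the code change does: the other hunk in this commit makes the fingerprint check run regardless of this setting, which is not the same as turning on CA verification. Wording such as `If serverFingerprints is set, the certificate fingerprint is always checked, regardless of this value.` would be more precise. Confirm against ssl_wrap_socket whether CA validation is actually enabled in that case before keeping the "assumed to be True" phrasing.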


@ -187,7 +187,7 @@ def ssl_wrap_socket(conn, hostname, logger, certfile=None,
context.load_cert_chain(certfile) context.load_cert_chain(certfile)
with _prefix_ssl_error('establishing TLS connection'): with _prefix_ssl_error('establishing TLS connection'):
conn = context.wrap_socket(conn, server_hostname=hostname) conn = context.wrap_socket(conn, server_hostname=hostname)
if verify and trusted_fingerprints: if trusted_fingerprints:
check_certificate_fingerprint(conn, trusted_fingerprints) check_certificate_fingerprint(conn, trusted_fingerprints)
return conn return conn
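Review bot: The new condition `if trusted_fingerprints:` enforces pinning independently of `verify`, but nothing at that line tells a reader so. `verify` presumably still governs CA and hostname validation earlier in ssl_wrap_socket, which starts above this hunk and is not visible here. A comment above the condition such as `# Pinned fingerprints are always enforced; verify only controls CA validation.` would keep a later edit from re-coupling the two. The commit also carries no test; a case with verify=False and a non-matching fingerprint that expects the connection to be rejected would pin the behaviour. It is also worth confirming that check_certificate_fingerprint raises on mismatch and that the caller closes the wrapped socket when it does.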