From 761fc2353e2729f4331411ca333aaf8ec2657e62 Mon Sep 17 00:00:00 2001
From: Valentin Lorentz
Date: Sat, 1 Aug 2020 21:46:03 +0200
Subject: [PATCH] utils.net: Do not disable TLS certificate check when authorityCertificate is set.

It makes sense that manually configuring a CA overrides this value which defaults to False.
---
 src/conf.py | 3 ++-
 src/utils/net.py | 13 +++++++++----
 2 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/src/conf.py b/src/conf.py
index 8afdad0bb..3d955917e 100644
--- a/src/conf.py
+++ b/src/conf.py
@@ -1378,7 +1378,8 @@ registerGlobalValue(supybot.protocols.ssl, 'verifyCertificates', registry.Boolean(False, _("""Determines whether server certificates will be verified, which checks whether the server certificate is signed by a known certificate authority, and aborts the connection if it is not.
- This is assumed to be True of serverFingerprints is set.""")))
+ This is assumed to be True of serverFingerprints or authorityCertificate
+ is set.""")))
 ###
diff --git a/src/utils/net.py b/src/utils/net.py
index 2f52eddb7..22e7ccce7 100644
--- a/src/utils/net.py
+++ b/src/utils/net.py
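Review bot: The rewritten docstring line in the conf.py hunk carries over the pre-existing typo `True of serverFingerprints`; since the line is being touched anyway it should read `This is assumed to be True if serverFingerprints or authorityCertificate` followed by the existing `is set.""")))` line. The rest of the registerGlobalValue call is outside the hunk.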
@@ -175,20 +175,25 @@ def ssl_wrap_socket(conn, hostname, logger, certfile=None, **kwargs):
 with _prefix_ssl_error('creating SSL context'):
 context = ssl.create_default_context(**kwargs)
- if trusted_fingerprints or not verify:
- # Do not use Certification Authorities
- context.check_hostname = False
- context.verify_mode = ssl.CERT_NONE
+ if ca_file:
 with _prefix_ssl_error('loading CA certificate'):
 context.load_verify_locations(cafile=ca_file)
+ elif trusted_fingerprints or not verify:
+ # Do not use Certification Authorities
+ context.check_hostname = False
+ context.verify_mode = ssl.CERT_NONE
+
 if certfile:
 with _prefix_ssl_error('loading client certfile'):
 context.load_cert_chain(certfile)
+
 with _prefix_ssl_error('establishing TLS connection'):
 conn = context.wrap_socket(conn, server_hostname=hostname)
+
 if trusted_fingerprints:
 check_certificate_fingerprint(conn, trusted_fingerprints)
+
 return conn
 # vim:set shiftwidth=4 softtabstop=4 expandtab textwidth=79:
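Review bot: Loading `ca_file` through `context.load_verify_locations()` after `ssl.create_default_context(**kwargs)` adds the configured CA to the trust store rather than replacing it, because `create_default_context` already calls `load_default_certs()` when no `cafile`/`capath`/`cadata` is given (assuming none of those arrive via `**kwargs`, which the hunk does not show), so a server certificate chaining to any system-trusted CA is still accepted. If `authorityCertificate` is meant to pin the connection to that CA alone, pass it at context creation with `context = ssl.create_default_context(cafile=ca_file, **kwargs)` inside the existing `with` block, which skips the system CAs; if the additive behaviour is intended, a comment on the `if ca_file:` branch should say so. The new `elif` also changes behaviour when both a CA and `trusted_fingerprints` are configured: CA verification and hostname checking now run before the fingerprint check instead of being skipped, so a comment such as `# A configured CA overrides verify=False and fingerprint-only mode` on that branch would make the precedence explicit. The start of ssl_wrap_socket lies before this hunk.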