mirror of
https://github.com/Mikaela/Limnoria.git
synced 2024-11-26 20:59:27 +01:00
utils.net: Do not disable TLS certificate check when authorityCertificate is set.
It makes sense that manually configuring a CA overrides this value which defaults to False.
This commit is contained in:
parent
57da6d04e2
commit
761fc2353e
@ -1378,7 +1378,8 @@ registerGlobalValue(supybot.protocols.ssl, 'verifyCertificates',
|
|||||||
registry.Boolean(False, _("""Determines whether server certificates
|
registry.Boolean(False, _("""Determines whether server certificates
|
||||||
will be verified, which checks whether the server certificate is signed
|
will be verified, which checks whether the server certificate is signed
|
||||||
by a known certificate authority, and aborts the connection if it is not.
|
by a known certificate authority, and aborts the connection if it is not.
|
||||||
This is assumed to be True of serverFingerprints is set.""")))
|
This is assumed to be True of serverFingerprints or authorityCertificate
|
||||||
|
is set.""")))
|
||||||
|
|
||||||
|
|
||||||
###
|
###
|
||||||
|
@ -175,20 +175,25 @@ def ssl_wrap_socket(conn, hostname, logger, certfile=None,
|
|||||||
**kwargs):
|
**kwargs):
|
||||||
with _prefix_ssl_error('creating SSL context'):
|
with _prefix_ssl_error('creating SSL context'):
|
||||||
context = ssl.create_default_context(**kwargs)
|
context = ssl.create_default_context(**kwargs)
|
||||||
if trusted_fingerprints or not verify:
|
|
||||||
# Do not use Certification Authorities
|
|
||||||
context.check_hostname = False
|
|
||||||
context.verify_mode = ssl.CERT_NONE
|
|
||||||
if ca_file:
|
if ca_file:
|
||||||
with _prefix_ssl_error('loading CA certificate'):
|
with _prefix_ssl_error('loading CA certificate'):
|
||||||
context.load_verify_locations(cafile=ca_file)
|
context.load_verify_locations(cafile=ca_file)
|
||||||
|
elif trusted_fingerprints or not verify:
|
||||||
|
# Do not use Certification Authorities
|
||||||
|
context.check_hostname = False
|
||||||
|
context.verify_mode = ssl.CERT_NONE
|
||||||
|
|
||||||
if certfile:
|
if certfile:
|
||||||
with _prefix_ssl_error('loading client certfile'):
|
with _prefix_ssl_error('loading client certfile'):
|
||||||
context.load_cert_chain(certfile)
|
context.load_cert_chain(certfile)
|
||||||
|
|
||||||
with _prefix_ssl_error('establishing TLS connection'):
|
with _prefix_ssl_error('establishing TLS connection'):
|
||||||
conn = context.wrap_socket(conn, server_hostname=hostname)
|
conn = context.wrap_socket(conn, server_hostname=hostname)
|
||||||
|
|
||||||
if trusted_fingerprints:
|
if trusted_fingerprints:
|
||||||
check_certificate_fingerprint(conn, trusted_fingerprints)
|
check_certificate_fingerprint(conn, trusted_fingerprints)
|
||||||
|
|
||||||
return conn
|
return conn
|
||||||
|
|
||||||
# vim:set shiftwidth=4 softtabstop=4 expandtab textwidth=79:
|
# vim:set shiftwidth=4 softtabstop=4 expandtab textwidth=79:
|
||||||
|
Loading…
Reference in New Issue
Block a user