utils.net: Do not disable TLS certificate check when authorityCertificate is set.

It makes sense that manually configuring a CA overrides this
value which defaults to False.

src/conf.py

@@ -1378,7 +1378,8 @@ registerGlobalValue(supybot.protocols.ssl, 'verifyCertificates',
     registry.Boolean(False, _("""Determines whether server certificates
     will be verified, which checks whether the server certificate is signed
     by a known certificate authority, and aborts the connection if it is not.
-    This is assumed to be True of serverFingerprints is set.""")))
+    This is assumed to be True of serverFingerprints or authorityCertificate
+    is set.""")))
 
 
 ###

src/utils/net.py

@@ -175,20 +175,25 @@ def ssl_wrap_socket(conn, hostname, logger, certfile=None,
         **kwargs):
     with _prefix_ssl_error('creating SSL context'):
         context = ssl.create_default_context(**kwargs)
-    if trusted_fingerprints or not verify:
+
-        # Do not use Certification Authorities
-        context.check_hostname = False
-        context.verify_mode = ssl.CERT_NONE
     if ca_file:
         with _prefix_ssl_error('loading CA certificate'):
             context.load_verify_locations(cafile=ca_file)
+    elif trusted_fingerprints or not verify:
+        # Do not use Certification Authorities
+        context.check_hostname = False
+        context.verify_mode = ssl.CERT_NONE
+
     if certfile:
         with _prefix_ssl_error('loading client certfile'):
             context.load_cert_chain(certfile)
+
     with _prefix_ssl_error('establishing TLS connection'):
         conn = context.wrap_socket(conn, server_hostname=hostname)
+
     if trusted_fingerprints:
         check_certificate_fingerprint(conn, trusted_fingerprints)
+
     return conn
 
 # vim:set shiftwidth=4 softtabstop=4 expandtab textwidth=79: