mirror of
https://github.com/Mikaela/Limnoria.git
synced 2024-11-26 20:59:27 +01:00
utils.net: Do not disable TLS certificate check when authorityCertificate is set.
It makes sense that manually configuring a CA overrides this value which defaults to False.
This commit is contained in:
parent
57da6d04e2
commit
761fc2353e
@ -1378,7 +1378,8 @@ registerGlobalValue(supybot.protocols.ssl, 'verifyCertificates',
|
||||
registry.Boolean(False, _("""Determines whether server certificates
|
||||
will be verified, which checks whether the server certificate is signed
|
||||
by a known certificate authority, and aborts the connection if it is not.
|
||||
This is assumed to be True of serverFingerprints is set.""")))
|
||||
This is assumed to be True of serverFingerprints or authorityCertificate
|
||||
is set.""")))
|
||||
|
||||
|
||||
###
|
||||
|
@ -175,20 +175,25 @@ def ssl_wrap_socket(conn, hostname, logger, certfile=None,
|
||||
**kwargs):
|
||||
with _prefix_ssl_error('creating SSL context'):
|
||||
context = ssl.create_default_context(**kwargs)
|
||||
if trusted_fingerprints or not verify:
|
||||
# Do not use Certification Authorities
|
||||
context.check_hostname = False
|
||||
context.verify_mode = ssl.CERT_NONE
|
||||
|
||||
if ca_file:
|
||||
with _prefix_ssl_error('loading CA certificate'):
|
||||
context.load_verify_locations(cafile=ca_file)
|
||||
elif trusted_fingerprints or not verify:
|
||||
# Do not use Certification Authorities
|
||||
context.check_hostname = False
|
||||
context.verify_mode = ssl.CERT_NONE
|
||||
|
||||
if certfile:
|
||||
with _prefix_ssl_error('loading client certfile'):
|
||||
context.load_cert_chain(certfile)
|
||||
|
||||
with _prefix_ssl_error('establishing TLS connection'):
|
||||
conn = context.wrap_socket(conn, server_hostname=hostname)
|
||||
|
||||
if trusted_fingerprints:
|
||||
check_certificate_fingerprint(conn, trusted_fingerprints)
|
||||
|
||||
return conn
|
||||
|
||||
# vim:set shiftwidth=4 softtabstop=4 expandtab textwidth=79:
|
||||
|
Loading…
Reference in New Issue
Block a user