Add supybot.protocols.ssl.verifyCertificates.

And remove unused variable supybot.protocols.ssl.verifyMode.
This commit is contained in:
Valentin Lorentz 2016-02-21 14:42:41 +01:00
parent e77e78e79e
commit ae560dbd2a
3 changed files with 13 additions and 17 deletions

View File

@ -1174,18 +1174,12 @@ utils.web.proxy = supybot.protocols.http.proxy
# supybot.protocols.ssl
###
registerGroup(supybot.protocols, 'ssl')
class SSLVerifyMode(registry.OnlySomeStrings):
validStrings = ('required', 'optional', 'none')
def __call__(self):
import ssl
value = super(SSLVerifyMode, self).__call__()
return getattr(ssl, 'CERT_' + value.upper())
registerGlobalValue(supybot.protocols.ssl, 'verifyMode',
SSLVerifyMode('required', _("""Determines whether server certificates '
'will be verified. Valid values are "required", "optional", and "none". '
'The default and recommended setting is "required", which checks the '
'server certificate is signed by a known Certificate Authority, and '
'aborts the connection if it is not.""")))
registerGlobalValue(supybot.protocols.ssl, 'verifyCertificates',
registry.Boolean(True, _("""Determines whether server certificates
will be verified. Valid values are "required", "optional", and "none".
The default and recommended setting is "required", which checks the
server certificate is signed by a known Certificate Authority, and
aborts the connection if it is not.""")))
###

View File

@ -365,6 +365,7 @@ class SocketDriver(drivers.IrcDriver, drivers.ServersMixin):
self.conn = utils.net.ssl_wrap_socket(self.conn,
logger=drivers.log, hostname=self.server[0],
certfile=certfile,
verify=conf.supybot.protocols.ssl.verifyCertificates(),
trusted_fingerprints=network_config.ssl.serverFingerprints(),
)
except ssl.CertificateError as e:

View File

@ -144,21 +144,22 @@ def check_certificate_fingerprint(conn, trusted_fingerprints):
if hasattr(ssl, 'create_default_context'):
def ssl_wrap_socket(conn, hostname, logger, certfile=None,
trusted_fingerprints=None,
trusted_fingerprints=None, verify=True,
**kwargs):
context = ssl.create_default_context(**kwargs)
if trusted_fingerprints:
if trusted_fingerprints or not verify:
# Do not use Certification Authorities
context.check_hostname = False
context.verify_mode = ssl.CERT_NONE
if certfile:
context.load_cert_chain(certfile)
conn = context.wrap_socket(conn, server_hostname=hostname)
if trusted_fingerprints:
if verify and trusted_fingerprints:
check_certificate_fingerprint(conn, trusted_fingerprints)
return conn
else:
def ssl_wrap_socket(conn, hostname, logger, certfile=None,
def ssl_wrap_socket(conn, hostname, logger, verify=True,
certfile=None,
ca_certs=None, trusted_fingerprints=None):
# TLSv1.0 is the only TLS version Python < 2.7.9 supports
# (besides SSLv2 and v3, which are known to be insecure)
@ -166,7 +167,7 @@ else:
ssl_version=ssl.ssl.PROTOCOL_TLSv1, verify_mode=ssl.CERT_NONE)
if trusted_fingerprints:
check_certificate_fingerprint(conn, trusted_fingerprints)
else:
elif verify:
logger.critical('This Python version does not support SSL/TLS '
'certification authority verification, which makes your '
'connection vulnerable to man-in-the-middle attacks.'