mirror of
https://github.com/Mikaela/Limnoria.git
synced 2024-12-28 05:32:51 +01:00
Add supybot.protocols.ssl.verifyCertificates.
And remove unused variable supybot.protocols.ssl.verifyMode.
This commit is contained in:
parent
e77e78e79e
commit
ae560dbd2a
18
src/conf.py
18
src/conf.py
@ -1174,18 +1174,12 @@ utils.web.proxy = supybot.protocols.http.proxy
|
||||
# supybot.protocols.ssl
|
||||
###
|
||||
registerGroup(supybot.protocols, 'ssl')
|
||||
class SSLVerifyMode(registry.OnlySomeStrings):
|
||||
validStrings = ('required', 'optional', 'none')
|
||||
def __call__(self):
|
||||
import ssl
|
||||
value = super(SSLVerifyMode, self).__call__()
|
||||
return getattr(ssl, 'CERT_' + value.upper())
|
||||
registerGlobalValue(supybot.protocols.ssl, 'verifyMode',
|
||||
SSLVerifyMode('required', _("""Determines whether server certificates '
|
||||
'will be verified. Valid values are "required", "optional", and "none". '
|
||||
'The default and recommended setting is "required", which checks the '
|
||||
'server certificate is signed by a known Certificate Authority, and '
|
||||
'aborts the connection if it is not.""")))
|
||||
registerGlobalValue(supybot.protocols.ssl, 'verifyCertificates',
|
||||
registry.Boolean(True, _("""Determines whether server certificates
|
||||
will be verified. Valid values are "required", "optional", and "none".
|
||||
The default and recommended setting is "required", which checks the
|
||||
server certificate is signed by a known Certificate Authority, and
|
||||
aborts the connection if it is not.""")))
|
||||
|
||||
|
||||
###
|
||||
|
@ -365,6 +365,7 @@ class SocketDriver(drivers.IrcDriver, drivers.ServersMixin):
|
||||
self.conn = utils.net.ssl_wrap_socket(self.conn,
|
||||
logger=drivers.log, hostname=self.server[0],
|
||||
certfile=certfile,
|
||||
verify=conf.supybot.protocols.ssl.verifyCertificates(),
|
||||
trusted_fingerprints=network_config.ssl.serverFingerprints(),
|
||||
)
|
||||
except ssl.CertificateError as e:
|
||||
|
@ -144,21 +144,22 @@ def check_certificate_fingerprint(conn, trusted_fingerprints):
|
||||
|
||||
if hasattr(ssl, 'create_default_context'):
|
||||
def ssl_wrap_socket(conn, hostname, logger, certfile=None,
|
||||
trusted_fingerprints=None,
|
||||
trusted_fingerprints=None, verify=True,
|
||||
**kwargs):
|
||||
context = ssl.create_default_context(**kwargs)
|
||||
if trusted_fingerprints:
|
||||
if trusted_fingerprints or not verify:
|
||||
# Do not use Certification Authorities
|
||||
context.check_hostname = False
|
||||
context.verify_mode = ssl.CERT_NONE
|
||||
if certfile:
|
||||
context.load_cert_chain(certfile)
|
||||
conn = context.wrap_socket(conn, server_hostname=hostname)
|
||||
if trusted_fingerprints:
|
||||
if verify and trusted_fingerprints:
|
||||
check_certificate_fingerprint(conn, trusted_fingerprints)
|
||||
return conn
|
||||
else:
|
||||
def ssl_wrap_socket(conn, hostname, logger, certfile=None,
|
||||
def ssl_wrap_socket(conn, hostname, logger, verify=True,
|
||||
certfile=None,
|
||||
ca_certs=None, trusted_fingerprints=None):
|
||||
# TLSv1.0 is the only TLS version Python < 2.7.9 supports
|
||||
# (besides SSLv2 and v3, which are known to be insecure)
|
||||
@ -166,7 +167,7 @@ else:
|
||||
ssl_version=ssl.ssl.PROTOCOL_TLSv1, verify_mode=ssl.CERT_NONE)
|
||||
if trusted_fingerprints:
|
||||
check_certificate_fingerprint(conn, trusted_fingerprints)
|
||||
else:
|
||||
elif verify:
|
||||
logger.critical('This Python version does not support SSL/TLS '
|
||||
'certification authority verification, which makes your '
|
||||
'connection vulnerable to man-in-the-middle attacks.'
|
||||
|
Loading…
Reference in New Issue
Block a user