Add supybot.protocols.ssl.verifyCertificates.

And remove unused variable supybot.protocols.ssl.verifyMode.

src/conf.py

@@ -1174,18 +1174,12 @@ utils.web.proxy = supybot.protocols.http.proxy
 # supybot.protocols.ssl
 ###
 registerGroup(supybot.protocols, 'ssl')
-class SSLVerifyMode(registry.OnlySomeStrings):
+registerGlobalValue(supybot.protocols.ssl, 'verifyCertificates',
-    validStrings = ('required', 'optional', 'none')
+    registry.Boolean(True, _("""Determines whether server certificates
-    def __call__(self):
+    will be verified. Valid values are "required", "optional", and "none".
-        import ssl
+    The default and recommended setting is "required", which checks the
-        value = super(SSLVerifyMode, self).__call__()
+    server certificate is signed by a known Certificate Authority, and
-        return getattr(ssl, 'CERT_' + value.upper())
+    aborts the connection if it is not.""")))
-registerGlobalValue(supybot.protocols.ssl, 'verifyMode',
-    SSLVerifyMode('required', _("""Determines whether server certificates '
-    'will be verified. Valid values are "required", "optional", and "none". '
-    'The default and recommended setting is "required", which checks the '
-    'server certificate is signed by a known Certificate Authority, and '
-    'aborts the connection if it is not.""")))
 
 
 ###

src/drivers/Socket.py

@@ -365,6 +365,7 @@ class SocketDriver(drivers.IrcDriver, drivers.ServersMixin):
             self.conn = utils.net.ssl_wrap_socket(self.conn,
                     logger=drivers.log, hostname=self.server[0],
                     certfile=certfile,
+                    verify=conf.supybot.protocols.ssl.verifyCertificates(),
                     trusted_fingerprints=network_config.ssl.serverFingerprints(),
                     )
         except ssl.CertificateError as e:

src/utils/net.py

@@ -144,21 +144,22 @@ def check_certificate_fingerprint(conn, trusted_fingerprints):
 
 if hasattr(ssl, 'create_default_context'):
     def ssl_wrap_socket(conn, hostname, logger, certfile=None,
-            trusted_fingerprints=None,
+            trusted_fingerprints=None, verify=True,
             **kwargs):
         context = ssl.create_default_context(**kwargs)
-        if trusted_fingerprints:
+        if trusted_fingerprints or not verify:
             # Do not use Certification Authorities
             context.check_hostname = False
             context.verify_mode = ssl.CERT_NONE
         if certfile:
             context.load_cert_chain(certfile)
         conn = context.wrap_socket(conn, server_hostname=hostname)
-        if trusted_fingerprints:
+        if verify and trusted_fingerprints:
             check_certificate_fingerprint(conn, trusted_fingerprints)
         return conn
 else:
-    def ssl_wrap_socket(conn, hostname, logger, certfile=None,
+    def ssl_wrap_socket(conn, hostname, logger, verify=True,
+            certfile=None,
             ca_certs=None, trusted_fingerprints=None):
         # TLSv1.0 is the only TLS version Python < 2.7.9 supports
         # (besides SSLv2 and v3, which are known to be insecure)
@@ -166,7 +167,7 @@ else:
                 ssl_version=ssl.ssl.PROTOCOL_TLSv1, verify_mode=ssl.CERT_NONE)
         if trusted_fingerprints:
             check_certificate_fingerprint(conn, trusted_fingerprints)
-        else:
+        elif verify:
             logger.critical('This Python version does not support SSL/TLS '
                     'certification authority verification, which makes your '
                     'connection vulnerable to man-in-the-middle attacks.'