Merge remote-tracking branch 'origin/patch-1' into drivers/logging

Conflicts:
	src/drivers/Socket.py

README.md

@@ -17,7 +17,7 @@ Master branch: [![Build Status (master branch)](https://travis-ci.org/ProgVal/Li
 Testing branch: [![Build Status (testing branch)](https://travis-ci.org/ProgVal/Limnoria.png?branch=testing)](https://travis-ci.org/ProgVal/Limnoria)
 
 Limnoria supports CPython 2.6, 2.7, 3.2, 3.3, 3.4, 3.5, nightly;
-and Pypy 2 and 3. It works best with CPython 3.3 and higher.
+and Pypy 2 and 3. It works best with CPython 3.4 and higher.
 Python 2.5 and older versions are not supported.
 
 # Support

plugins/Channel/plugin.py

@@ -663,7 +663,7 @@ class Channel(callbacks.Plugin):
 
         @internationalizeDocstring
         def remove(self, irc, msg, args, channel, banmask):
-            """[<channel>] <hostmask>
+            """[<channel>] <nick|hostmask>
 
             If you have the #channel,op capability, this will remove the
             persistent ignore on <hostmask> in the channel. <channel> is only
@@ -676,7 +676,7 @@ class Channel(callbacks.Plugin):
                 irc.replySuccess()
             except KeyError:
                 irc.error(_('There are no ignores for that hostmask.'))
-        remove = wrap(remove, ['op', 'hostmask'])
+        remove = wrap(remove, ['op', 'banmask'])
 
         @internationalizeDocstring
         def list(self, irc, msg, args, channel):

setup.py

@@ -237,10 +237,13 @@ setup(
     )
 
 if sys.version_info < (2, 7, 9):
-    sys.stderr.write('+------------------------------------------------+\n')
-    sys.stderr.write('| Running Limnoria on Python versions older than |\n')
-    sys.stderr.write('| 2.7.9 is deprecated.                           |\n')
-    sys.stderr.write('| Please consider upgrading to Python 3.x.       |\n')
-    sys.stderr.write('+------------------------------------------------+\n')
+    sys.stderr.write('+-----------------------------------------------------+\n')
+    sys.stderr.write('| Running Limnoria on Python versions older than      |\n')
+    sys.stderr.write('| 2.7.9 is deprecated.                                |\n')
+    sys.stderr.write('| Please consider upgrading to Python 3.4 or greater. |\n')
+    sys.stderr.write('+-----------------------------------------------------+\n')
+    sys.stderr.write('\n')
+    sys.stderr.write('See <http://doc.supybot.aperio.fr/en/latest/use/faq.html#how-to-make-limnoria-use-python-3-instead-of-python-2>\n')
+    sys.stderr.write('\n')
 
 # vim:set shiftwidth=4 softtabstop=4 expandtab textwidth=79:

src/conf.py

@@ -210,7 +210,7 @@ class VersionIfEmpty(registry.String):
     def __call__(self):
         ret = registry.String.__call__(self)
         if not ret:
-            ret = 'Supybot %s' % version
+            ret = 'Limnoria %s' % version
         return ret
 
 registerGlobalValue(supybot, 'user',
@@ -329,6 +329,9 @@ def registerNetwork(name, password='', ssl=True, sasl_username='',
         of fingerprints of trusted certificates for this network.
         If non-empty, Certification Authority signatures will not be used to
         verify certificates.""")))
+    registerGlobalValue(network.ssl, 'authorityCertificate',
+        registry.String('', _("""A certificate that is trusted to verify
+        certificates of this network (aka. Certificate Authority).""")))
     registerGlobalValue(network, 'requireStarttls', registry.Boolean(False,
         _("""Determines whether the bot will connect in plain text to %s
         but require STARTTLS before authentication. This is ignored if the
@@ -1176,10 +1179,8 @@ utils.web.proxy = supybot.protocols.http.proxy
 registerGroup(supybot.protocols, 'ssl')
 registerGlobalValue(supybot.protocols.ssl, 'verifyCertificates',
     registry.Boolean(False, _("""Determines whether server certificates
-    will be verified. Valid values are "required", "optional", and "none".
-    The default and recommended setting is "required", which checks the
-    server certificate is signed by a known Certificate Authority, and
-    aborts the connection if it is not.""")))
+    will be verified, which checks whether the server certificate is signed
+    by a known certificate authority, and aborts the connection if it is not.""")))
 
 
 ###

src/drivers/Socket.py

@@ -373,8 +373,11 @@ class SocketDriver(drivers.IrcDriver, drivers.ServersMixin):
                     certfile=certfile,
                     verify=verifyCertificates,
                     trusted_fingerprints=network_config.ssl.serverFingerprints(),
+                    ca_file=network_config.ssl.authorityCertificate(),
                     )
-        except ssl.CertificateError as e:
+        except getattr(ssl, 'CertificateError', None) as e:
+            # Default to None for old Python version, which do not have
+            # CertificateError
             drivers.log.error(('Certificate validation failed when '
                 'connecting to %s: %s\n'
                 'This means either someone is doing a man-in-the-middle '

src/utils/net.py

@@ -144,13 +144,15 @@ def check_certificate_fingerprint(conn, trusted_fingerprints):
 
 if hasattr(ssl, 'create_default_context'):
     def ssl_wrap_socket(conn, hostname, logger, certfile=None,
-            trusted_fingerprints=None, verify=True,
+            trusted_fingerprints=None, verify=True, ca_file=None,
             **kwargs):
         context = ssl.create_default_context(**kwargs)
         if trusted_fingerprints or not verify:
             # Do not use Certification Authorities
             context.check_hostname = False
             context.verify_mode = ssl.CERT_NONE
+        if ca_file:
+            context.load_verify_locations(cafile=ca_file)
         if certfile:
             context.load_cert_chain(certfile)
         conn = context.wrap_socket(conn, server_hostname=hostname)
@@ -160,18 +162,18 @@ if hasattr(ssl, 'create_default_context'):
 else:
     def ssl_wrap_socket(conn, hostname, logger, verify=True,
             certfile=None,
-            ca_certs=None, trusted_fingerprints=None):
+            ca_file=None, trusted_fingerprints=None):
         # TLSv1.0 is the only TLS version Python < 2.7.9 supports
         # (besides SSLv2 and v3, which are known to be insecure)
-        conn = ssl.wrap_socket(conn, certfile=certfile, ca_certs=ca_certs,
-                ssl_version=ssl.ssl.PROTOCOL_TLSv1, verify_mode=ssl.CERT_NONE)
+        conn = ssl.wrap_socket(conn, certfile=certfile, ca_certs=ca_file,
+                ssl_version=ssl.PROTOCOL_TLSv1)
         if trusted_fingerprints:
             check_certificate_fingerprint(conn, trusted_fingerprints)
         elif verify:
             logger.critical('This Python version does not support SSL/TLS '
                     'certification authority verification, which makes your '
                     'connection vulnerable to man-in-the-middle attacks.'
-                    'You should consider upgrading to Python 3 '
-                    '(or at least 2.7.9).')
+                    'You should consider upgrading to Python 3.4 or newer. '
+                    'See <http://doc.supybot.aperio.fr/en/latest/use/faq.html#how-to-make-limnoria-use-python-3-instead-of-python-2>')
         return conn
 # vim:set shiftwidth=4 softtabstop=4 expandtab textwidth=79: