mirror of
https://github.com/Mikaela/Limnoria.git
synced 2024-12-25 12:12:54 +01:00
Add support for authority certificates.
This commit is contained in:
parent
81a9d1fa39
commit
d163d1a1a3
@ -329,6 +329,9 @@ def registerNetwork(name, password='', ssl=True, sasl_username='',
|
|||||||
of fingerprints of trusted certificates for this network.
|
of fingerprints of trusted certificates for this network.
|
||||||
If non-empty, Certification Authority signatures will not be used to
|
If non-empty, Certification Authority signatures will not be used to
|
||||||
verify certificates.""")))
|
verify certificates.""")))
|
||||||
|
registerGlobalValue(network.ssl, 'authorityCertificate',
|
||||||
|
registry.String('', _("""A certificate that is trusted to verify
|
||||||
|
certificates of this network (aka. Certificate Authority).""")))
|
||||||
registerGlobalValue(network, 'requireStarttls', registry.Boolean(False,
|
registerGlobalValue(network, 'requireStarttls', registry.Boolean(False,
|
||||||
_("""Determines whether the bot will connect in plain text to %s
|
_("""Determines whether the bot will connect in plain text to %s
|
||||||
but require STARTTLS before authentication. This is ignored if the
|
but require STARTTLS before authentication. This is ignored if the
|
||||||
|
@ -373,6 +373,7 @@ class SocketDriver(drivers.IrcDriver, drivers.ServersMixin):
|
|||||||
certfile=certfile,
|
certfile=certfile,
|
||||||
verify=verifyCertificates,
|
verify=verifyCertificates,
|
||||||
trusted_fingerprints=network_config.ssl.serverFingerprints(),
|
trusted_fingerprints=network_config.ssl.serverFingerprints(),
|
||||||
|
ca_file=network_config.ssl.authorityCertificate(),
|
||||||
)
|
)
|
||||||
except getattr(ssl, 'CertificateError', None) as e:
|
except getattr(ssl, 'CertificateError', None) as e:
|
||||||
# Default to None for old Python version, which do not have
|
# Default to None for old Python version, which do not have
|
||||||
@ -389,7 +390,7 @@ class SocketDriver(drivers.IrcDriver, drivers.ServersMixin):
|
|||||||
drivers.log.critical(('Certificate validation failed when '
|
drivers.log.critical(('Certificate validation failed when '
|
||||||
'connecting to %s: %s\n'
|
'connecting to %s: %s\n'
|
||||||
'This means someone is doing a man-in-the-middle attack '
|
'This means someone is doing a man-in-the-middle attack '
|
||||||
'on your connection, or because the server\'s '
|
'on your connection, or that the server\'s '
|
||||||
'certificate is not trusted.')
|
'certificate is not trusted.')
|
||||||
% (self.irc.network, e.args[1]))
|
% (self.irc.network, e.args[1]))
|
||||||
raise ssl.SSLError('Aborting because of failed certificate '
|
raise ssl.SSLError('Aborting because of failed certificate '
|
||||||
|
@ -144,13 +144,15 @@ def check_certificate_fingerprint(conn, trusted_fingerprints):
|
|||||||
|
|
||||||
if hasattr(ssl, 'create_default_context'):
|
if hasattr(ssl, 'create_default_context'):
|
||||||
def ssl_wrap_socket(conn, hostname, logger, certfile=None,
|
def ssl_wrap_socket(conn, hostname, logger, certfile=None,
|
||||||
trusted_fingerprints=None, verify=True,
|
trusted_fingerprints=None, verify=True, ca_file=None,
|
||||||
**kwargs):
|
**kwargs):
|
||||||
context = ssl.create_default_context(**kwargs)
|
context = ssl.create_default_context(**kwargs)
|
||||||
if trusted_fingerprints or not verify:
|
if trusted_fingerprints or not verify:
|
||||||
# Do not use Certification Authorities
|
# Do not use Certification Authorities
|
||||||
context.check_hostname = False
|
context.check_hostname = False
|
||||||
context.verify_mode = ssl.CERT_NONE
|
context.verify_mode = ssl.CERT_NONE
|
||||||
|
if ca_file:
|
||||||
|
context.load_verify_locations(cafile=ca_file)
|
||||||
if certfile:
|
if certfile:
|
||||||
context.load_cert_chain(certfile)
|
context.load_cert_chain(certfile)
|
||||||
conn = context.wrap_socket(conn, server_hostname=hostname)
|
conn = context.wrap_socket(conn, server_hostname=hostname)
|
||||||
@ -160,10 +162,10 @@ if hasattr(ssl, 'create_default_context'):
|
|||||||
else:
|
else:
|
||||||
def ssl_wrap_socket(conn, hostname, logger, verify=True,
|
def ssl_wrap_socket(conn, hostname, logger, verify=True,
|
||||||
certfile=None,
|
certfile=None,
|
||||||
ca_certs=None, trusted_fingerprints=None):
|
ca_file=None, trusted_fingerprints=None):
|
||||||
# TLSv1.0 is the only TLS version Python < 2.7.9 supports
|
# TLSv1.0 is the only TLS version Python < 2.7.9 supports
|
||||||
# (besides SSLv2 and v3, which are known to be insecure)
|
# (besides SSLv2 and v3, which are known to be insecure)
|
||||||
conn = ssl.wrap_socket(conn, certfile=certfile, ca_certs=ca_certs,
|
conn = ssl.wrap_socket(conn, certfile=certfile, ca_certs=ca_file,
|
||||||
ssl_version=ssl.ssl.PROTOCOL_TLSv1, verify_mode=ssl.CERT_NONE)
|
ssl_version=ssl.ssl.PROTOCOL_TLSv1, verify_mode=ssl.CERT_NONE)
|
||||||
if trusted_fingerprints:
|
if trusted_fingerprints:
|
||||||
check_certificate_fingerprint(conn, trusted_fingerprints)
|
check_certificate_fingerprint(conn, trusted_fingerprints)
|
||||||
|
Loading…
Reference in New Issue
Block a user