Verify server certificate, and deprecate Python < 2.7.9. Closes GH-1031.

2025-01-25 19:44:13 +01:00 · 2016-02-21 13:20:09 +01:00 · 2016-02-21 13:20:09 +01:00 · d922af1043
commit d922af1043
parent c3dd5f8b64
4 changed files with 85 additions and 14 deletions
--- a/setup.py
+++ b/setup.py
@ -236,10 +236,11 @@ setup(
    )
-if sys.version_info < (2, 7, 0):
+if sys.version_info < (2, 7, 9):
-    sys.stderr.write('+-----------------------------------------------+\n')
+    sys.stderr.write('+------------------------------------------------+\n')
-    sys.stderr.write('| Running Limnoria on Python 2.6 is deprecated. |\n')
+    sys.stderr.write('| Running Limnoria on Python versions older than |\n')
-    sys.stderr.write('| Please consider upgrading to Python 3.x.      |\n')
+    sys.stderr.write('| 2.7.9 is deprecated.                           |\n')
-    sys.stderr.write('+-----------------------------------------------+\n')
+    sys.stderr.write('| Please consider upgrading to Python 3.x.       |\n')
    sys.stderr.write('+------------------------------------------------+\n')
 # vim:set shiftwidth=4 softtabstop=4 expandtab textwidth=79:
--- a/src/conf.py
+++ b/src/conf.py
@ -1163,6 +1163,23 @@ registerGlobalValue(supybot.protocols.http, 'proxy',
    through.  The value should be of the form 'host:port'.""")))
 utils.web.proxy = supybot.protocols.http.proxy
 ###
 # supybot.protocols.ssl
 ###
 registerGroup(supybot.protocols, 'ssl')
 class SSLVerifyMode(registry.OnlySomeStrings):
    validStrings = ('required', 'optional', 'none')
    def __call__(self):
        import ssl
        value = super(SSLVerifyMode, self).__call__()
        return getattr(ssl, 'CERT_' + value.upper())
 registerGlobalValue(supybot.protocols.ssl, 'verifyMode',
    SSLVerifyMode('required', _("""Determines whether server certificates '
    'will be verified. Valid values are "required", "optional", and "none". '
    'The default and recommended setting is "required", which checks the '
    'server certificate is signed by a known Certificate Authority, and '
    'aborts the connection if it is not.""")))
 ###
 # HTTP server
--- a/src/drivers/Socket.py
+++ b/src/drivers/Socket.py
@ -238,9 +238,9 @@ class SocketDriver(drivers.IrcDriver, drivers.ServersMixin):
        if wait:
            self.scheduleReconnect()
            return
-        server = self._getNextServer()
+        self.server = self._getNextServer()
-        socks_proxy = getattr(conf.supybot.networks, self.irc.network) \
+        network_config = getattr(conf.supybot.networks, self.irc.network)
-                .socksproxy()
+        socks_proxy = network_config.socksproxy()
        try:
            if socks_proxy:
                import socks
@ -249,16 +249,16 @@ class SocketDriver(drivers.IrcDriver, drivers.ServersMixin):
                    'using direct connection instead.')
            socks_proxy = ''
        if socks_proxy:
-            address = server[0]
+            address = self.server[0]
        else:
            try:
-                address = utils.net.getAddressFromHostname(server[0],
+                address = utils.net.getAddressFromHostname(self.server[0],
                        attempt=self._attempt)
            except (socket.gaierror, socket.error) as e:
                drivers.log.connectError(self.currentServer, e)
                self.scheduleReconnect()
                return
-        port = server[1]
+        port = self.server[1]
        drivers.log.connect(self.currentServer)
        try:
            self.conn = utils.net.getSocket(address, port=port,
@ -276,9 +276,17 @@ class SocketDriver(drivers.IrcDriver, drivers.ServersMixin):
        try:
            # Connect before SSL, otherwise SSL is disabled if we use SOCKS.
            # See http://stackoverflow.com/q/16136916/539465
-            self.conn.connect((address, server[1]))
+            self.conn.connect((address, port))
-            if getattr(conf.supybot.networks, self.irc.network).ssl():
+            if network_config.ssl():
                self.starttls()
            elif not network_config.requireStarttls():
                drivers.log.critical(('Connection to network %s'
                    'does not use SSL/TLS, which makes it vulnerable to '
                    'man-in-the-middle attacks and passive eavesdropping. '
                    'You should consider upgrading your connection to SSL/TLS '
                    '<http://doc.supybot.aperio.fr/en/latest/use/faq.html#how-to-make-a-connection-secure>')
                    % self.irc.network)
            def setTimeout():
                self.conn.settimeout(conf.supybot.drivers.poll())
            conf.supybot.drivers.poll.addCallback(setTimeout)
@ -353,7 +361,29 @@ class SocketDriver(drivers.IrcDriver, drivers.ServersMixin):
            drivers.log.warning('Could not find cert file %s.' %
                    certfile)
            certfile = None
-        self.conn = ssl.wrap_socket(self.conn, certfile=certfile)
+        try:
            self.conn = utils.net.ssl_wrap_socket(self.conn,
                    logger=drivers.log, hostname=self.server[0],
                    certfile=certfile,
                    verify_mode=conf.supybot.protocols.ssl.verifyMode())
        except ssl.CertificateError as e:
            drivers.log.critical(('Certificate validation failed when '
                'connecting to %s: %s\n'
                'This means someone is doing a man-in-the-middle attack '
                'on your connection.')
                % (self.irc.network, e.args[0]))
            raise ssl.SSLError('Aborting because of failed certificate '
                    'verification.')
        except ssl.SSLError as e:
            drivers.log.critical(('Certificate validation failed when '
                'connecting to %s: %s\n'
                'This means someone is doing a man-in-the-middle attack '
                'on your connection, or because the server\'s '
                'certificate is not trusted.')
                % (self.irc.network, e.args[1]))
            raise ssl.SSLError('Aborting because of failed certificate '
                    'verification.')
 Driver = SocketDriver
--- a/src/utils/net.py
+++ b/src/utils/net.py
@ -33,6 +33,7 @@ Simple utility modules.
 """
 import re
 import ssl
 import socket
 from .web import _ipAddr, _domain
@ -128,4 +129,26 @@ def isIPV6(s):
            return bruteIsIPV6(s)
        return False
 if hasattr(ssl, 'create_default_context'):
    def ssl_wrap_socket(conn, hostname, logger, certfile=None,
            verify_mode=ssl.CERT_REQUIRED, **kwargs):
        context = ssl.create_default_context(**kwargs)
        context.verify_mode = verify_mode
        if certfile:
            context.load_cert_chain(certfile)
        return context.wrap_socket(conn, server_hostname=hostname)
 else:
    def ssl_wrap_socket(conn, hostname, logger, certfile=None, ca_certs=None,
            verify_mode=ssl.CERT_REQUIRED):
        logger.critical('This Python version does not support SSL contexts, '
                'which makes your connection vulnerable to man-in-the-middle '
                'attacks. You should consider upgrading to Python 3 '
                '(or at least 2.7.9).')
        # TLSv1.0 is the only TLS version Python < 2.7.9 supports
        # (besides SSLv2 and v3, which are known to be insecure)
        return ssl.wrap_socket(conn, certfile=certfile, ca_certs=ca_certs,
                ssl_version=ssl.ssl.PROTOCOL_TLSv1, verify_mode=verify_mode)
 # vim:set shiftwidth=4 softtabstop=4 expandtab textwidth=79: