From 5c412a66b8c148852dbf8d5b9ca45d08c7865fb1 Mon Sep 17 00:00:00 2001 From: mathieui Date: Fri, 9 Mar 2012 00:48:49 +0100 Subject: [PATCH] Add a ca_cert_path option --- data/default_config.cfg | 9 ++++++++- doc/en/configure.txt | 8 ++++++++ src/connection.py | 1 + 3 files changed, 17 insertions(+), 1 deletion(-) diff --git a/data/default_config.cfg b/data/default_config.cfg index ac2e245e..5232eb06 100644 --- a/data/default_config.cfg +++ b/data/default_config.cfg @@ -14,11 +14,18 @@ port = 5222 # Do not touch this if you don’t know what you are doing certificate = -# Skip the SSL verification +# Skip the SSL certificate fingerprint verification # Should be true in most cases, as you want to check that the server keeps # the same certificate. ignore_certificate = false +# Path to the certificate authenticating the Authority +# A server may have several certificates, but if it uses a CA, it will often +# keep the same for obvious reasons, so this is a good option if your server +# does this, rather than skipping all verifications. +# This is not affected by ignore_certificate +ca_cert_path = + # Auto-reconnects you when you get disconnected from the server # defaults to false because it should not be necessary auto_reconnect = false diff --git a/doc/en/configure.txt b/doc/en/configure.txt index 4f69084e..b8ea04cb 100644 --- a/doc/en/configure.txt +++ b/doc/en/configure.txt @@ -59,6 +59,14 @@ section of this documentation. anonymous mode and changing servers often. Dangerous in other cases, from a security perspective. +*ca_cert_path*:: [empty] + + Path to the certificate of the Certification Authority. + As some services may keep different certificates, it is an alternative to + the Trust On First Use model provided by _certificate_. This option is not + affected by _ignore_certificate_ and boths checks may be active at the same + time. + *resource*:: [empty] the resource you will use 
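Review bot: In the data/default_config.cfg hunk, the context comment under the reworded line still says `Should be true in most cases` while the shipped default is `ignore_certificate = false`, and the reason it gives (checking that the server keeps the same certificate) argues for false. Since this hunk already rewords the line above it, the sentence should become `# Should be false in most cases, as you want to check that the server keeps`. The new `ca_cert_path` comment also does not say what an empty value means. Judging from the src/connection.py change, an empty value becomes `None`, which presumably leaves CA validation off, so a line such as `# Leave empty to disable CA verification (only the fingerprint check then applies)` would make the default explicit. Stating the expected file format (presumably a PEM file) would help as well.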
diff --git a/src/connection.py b/src/connection.py
index 8a7c1ea7..0e92755f 100644
--- a/src/connection.py
+++ b/src/connection.py
@@ -44,6 +44,7 @@ class Connection(sleekxmpp.ClientXMPP):
 self.core = None
 self.auto_reconnect = True if config.get('auto_reconnect', 'false').lower() in ('true', '1') else False
 self.auto_authorize = None
+ self.ca_certs = config.get('ca_cert_path', '') or None
 self.register_plugin('xep_0030')
 self.register_plugin('xep_0004')
 self.register_plugin('xep_0045')
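Review bot: The value of `ca_cert_path` is assigned to `self.ca_certs` without any check, so a mistyped or unreadable path would surface only when the TLS connection is attempted, presumably as an SSL error that does not name the option. Expanding `~` and testing the path here, e.g. `ca_path = os.path.expanduser(config.get('ca_cert_path', ''))` and `if ca_path and not os.path.isfile(ca_path):` followed by a clear error to the user, would report the misconfiguration where it originates. The failure case should not fall back to `None`, since that would presumably switch CA verification off silently. A short comment such as `# None means no CA validation is requested; only the fingerprint check remains` would document the empty default. The enclosing `__init__` starts and ends outside the hunk, and whether `os` is already imported in this file is not visible here.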