From 7e8fa46402ce688f4feb31e811d5fbff0e34732e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Maxime=20=E2=80=9Cpep=E2=80=9D=20Buquet?=
Date: Tue, 28 Dec 2021 18:29:58 +0100
Subject: [PATCH] Try to guess CA bundle path
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Maxime “pep” Buquet
---
 data/default_config.cfg | 6 ++++--
 poezio/config.py | 13 ++++++++++++-
 poezio/connection.py | 6 +++++-
 3 files changed, 21 insertions(+), 4 deletions(-)

diff --git a/data/default_config.cfg b/data/default_config.cfg
index 9f284f07..d91ff36a 100644
--- a/data/default_config.cfg
+++ b/data/default_config.cfg
@@ -79,12 +79,14 @@ certificate =
 # value to the services default.
 #whitespace_interval = 300
 
-# Path to the certificate authenticating the Authority
+# Path to the certificate authenticating the Authority.
 # A server may have several certificates, but if it uses a CA, it will often
 # keep the same for obvious reasons, so this is a good option if your server
 # does this, rather than skipping all verifications.
 # This is not affected by ignore_certificate
-ca_cert_path =
+# Poezio attempts to guess this value automatically. Set to override this
+# behaviour, to the empty string for example, or to another path.
+#ca_cert_path =
 
 # Auto-reconnects you when you get disconnected from the server
 #auto_reconnect = true
diff --git a/poezio/config.py b/poezio/config.py
index 9c2201e7..7bbc9268 100644
--- a/poezio/config.py
+++ b/poezio/config.py
@@ -30,6 +30,17 @@ ConfigDict = Dict[str, Dict[str, ConfigValue]]
 
 DEFSECTION = "Poezio"
 
+
+CA_CERT_DEFAULT_PATHS = {
+    '/etc/ssl/cert.pem',
+    '/etc/ssl/certs/ca-certificates.crt',
+    '/etc/ssl/certs/ca-bundle.crt',
+    '/etc/pki/tls/certs/ca-bundle.crt',
+    '/etc/ssl/certs/ca-certificates.crt',
+    '/etc/ca-certificates/extracted/tls-ca-bundle.pem',
+    '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt',
+}
+
 DEFAULT_CONFIG: ConfigDict = {
     'Poezio': {
         'ack_message_receipts': True,
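Review bot: The new comment on ca_cert_path does not say that the value may hold several candidate bundles: the default in poezio/config.py is built with `':'.join(...)` and poezio/connection.py reads it back with `config.getlist`, so a `:`-separated list is what the option actually carries (assuming getlist splits on `:`, which is not visible here). It also does not say what the empty string results in — connection.py then passes no bundle at all to slixmpp, and what verification remains in that case depends on slixmpp's defaults. Consider adding after the new explanation `# Several candidate bundles may be given, separated by ':'; the first one that exists is used.` and `# The empty string passes no bundle to slixmpp at all.` (adjusting the first sentence to whatever the loader really does with a list).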
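Review bot: `CA_CERT_DEFAULT_PATHS` is a set, so the `':'.join(CA_CERT_DEFAULT_PATHS)` in the next hunk of this file (`@@ -40,7 +51,7 @@`) yields a different order on every interpreter run because of str hash randomization; if the first existing bundle is the one that ends up loaded, which CA bundle a user verifies against would then vary from run to run on a system that has more than one of these files. A tuple keeps the intended priority order stable, and it also exposes the duplicated `'/etc/ssl/certs/ca-certificates.crt'` entry that the set literal currently collapses silently. Suggest `CA_CERT_DEFAULT_PATHS = (` … `)` with the duplicate line dropped; the join call needs no change.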
@@ -40,7 +51,7 @@ DEFAULT_CONFIG: ConfigDict = {
         'autorejoin_delay': '5',
         'autorejoin': False,
         'beep_on': 'highlight private invite disconnect',
-        'ca_cert_path': '',
+        'ca_cert_path': ':'.join(CA_CERT_DEFAULT_PATHS),
         'certificate': '',
         'certfile': '',
         'ciphers': 'HIGH+kEDH:HIGH+kEECDH:HIGH:!PSK:!SRP:!3DES:!aNULL',
diff --git a/poezio/connection.py b/poezio/connection.py
index c24dd913..55cf76e3 100644
--- a/poezio/connection.py
+++ b/poezio/connection.py
@@ -16,6 +16,7 @@ import subprocess
 import sys
 import base64
 import random
+from pathlib import Path
 
 import slixmpp
 from slixmpp import JID, InvalidJID
@@ -117,7 +118,10 @@ class Connection(slixmpp.ClientXMPP):
         self.ciphers = config.getstr(
             'ciphers', 'HIGH+kEDH:HIGH+kEECDH:HIGH:!PSK'
             ':!SRP:!3DES:!aNULL')
-        self.ca_certs = config.getstr('ca_cert_path') or None
+        self.ca_certs = None
+        ca_certs = config.getlist('ca_cert_path')
+        if ca_certs and ca_certs != ['']:
+            self.ca_certs = list(map(Path, config.getlist('ca_cert_path')))
         interval = config.getint('whitespace_interval')
         if int(interval) > 0:
             self.whitespace_keepalive_interval = int(interval)
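Review bot: In the `@@ -117,7 +118,10 @@` hunk the guarded branch calls `config.getlist('ca_cert_path')` a second time instead of reusing `ca_certs`, and no candidate is checked for existence, so on a system with none of the guessed bundles `self.ca_certs` becomes a list of non-existent paths; whether that fails loudly or quietly depends on how slixmpp consumes a list here (`ca_certs` was a single string before this patch, so the list form relies on slixmpp support not visible in the diff). Keeping only files that exist and falling back to `None` otherwise preserves the previous no-bundle behaviour: `found = [Path(p) for p in ca_certs if Path(p).is_file()]` / `self.ca_certs = found or None`. Because a typo in a user-set path would then silently degrade to the no-bundle fallback, log a warning when a non-default value matches no file (the module's logger is not visible in this hunk), and add `# None means no CA bundle is handed to slixmpp; check what verification remains in that case` above the assignment. Connection.__init__ starts and ends outside the hunk.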