pep/slixmpp
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Make the ca_certs option useful again (CA-based cert validation)

Browse source 
It was broken since the fork.
This commit is contained in:
mathieui 2014-12-17 19:03:49 +01:00
parent b5930ca958
commit 1b9b4199e8
No known key found for this signature in database
GPG key ID: C59F84CEEFD616E3
1 changed files with 11 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
slixmpp/xmlstream/xmlstream.py
View file

@ -481,6 +481,9 @@ class XMLStream(object):
else:
log.debug('Loaded cert file %s and key file %s',
self.certfile, self.keyfile)
if self.ca_certs is not None:
self.ssl_context.verify_mode = ssl.CERT_REQUIRED
self.ssl_context.load_verify_locations(cafile=self.ca_certs)
ssl_connect_routine = loop.create_connection(lambda: self, ssl=self.ssl_context,
sock=self.socket,
@ -488,12 +491,15 @@ class XMLStream(object):
def ssl_coro():
try:
transp, prot = yield from ssl_connect_routine
except ssl.SSLError:
import traceback
log.debug('SSL: Unable to connect:\n%s', exc_info=True)
self.event('ssl_invalid_chain', direct=True)
except ssl.SSLError as e:
log.error('CERT: Invalid certificate trust chain.')
log.debug('SSL: Unable to connect', exc_info=True)
if not self.event_handled('ssl_invalid_chain'):
self.disconnect()
else:
self.event('ssl_invalid_chain', e)
else:
der_cert = transp._sock.getpeercert(True)
der_cert = transp.get_extra_info("socket").getpeercert(True)
pem_cert = ssl.DER_cert_to_PEM_cert(der_cert)
self.event('ssl_cert', pem_cert)