Make the ca_certs option useful again (CA-based cert validation)

It was broken since the fork.
This commit is contained in:
mathieui 2014-12-17 19:03:49 +01:00
parent b5930ca958
commit 1b9b4199e8
No known key found for this signature in database
GPG key ID: C59F84CEEFD616E3

View file

@ -481,6 +481,9 @@ class XMLStream(object):
else: else:
log.debug('Loaded cert file %s and key file %s', log.debug('Loaded cert file %s and key file %s',
self.certfile, self.keyfile) self.certfile, self.keyfile)
if self.ca_certs is not None:
self.ssl_context.verify_mode = ssl.CERT_REQUIRED
self.ssl_context.load_verify_locations(cafile=self.ca_certs)
ssl_connect_routine = loop.create_connection(lambda: self, ssl=self.ssl_context, ssl_connect_routine = loop.create_connection(lambda: self, ssl=self.ssl_context,
sock=self.socket, sock=self.socket,
@ -488,12 +491,15 @@ class XMLStream(object):
def ssl_coro(): def ssl_coro():
try: try:
transp, prot = yield from ssl_connect_routine transp, prot = yield from ssl_connect_routine
except ssl.SSLError: except ssl.SSLError as e:
import traceback log.error('CERT: Invalid certificate trust chain.')
log.debug('SSL: Unable to connect:\n%s', exc_info=True) log.debug('SSL: Unable to connect', exc_info=True)
self.event('ssl_invalid_chain', direct=True) if not self.event_handled('ssl_invalid_chain'):
self.disconnect()
else: else:
der_cert = transp._sock.getpeercert(True) self.event('ssl_invalid_chain', e)
else:
der_cert = transp.get_extra_info("socket").getpeercert(True)
pem_cert = ssl.DER_cert_to_PEM_cert(der_cert) pem_cert = ssl.DER_cert_to_PEM_cert(der_cert)
self.event('ssl_cert', pem_cert) self.event('ssl_cert', pem_cert)