From b60b1b985db928532f97c4f61d6fbc801f0aa7fa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Maxime=20=E2=80=9Cpep=E2=80=9D=20Buquet?=
Date: Fri, 11 Nov 2022 18:27:13 +0100
Subject: [PATCH] CVE-2022-45197: Fix missing certificate hostname validation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Maxime “pep” Buquet
---
 slixmpp/xmlstream/xmlstream.py | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/slixmpp/xmlstream/xmlstream.py b/slixmpp/xmlstream/xmlstream.py
index 19c4ddcc..5e6a64ec 100644
--- a/slixmpp/xmlstream/xmlstream.py
+++ b/slixmpp/xmlstream/xmlstream.py
@@ -299,8 +299,8 @@ class XMLStream(asyncio.BaseProtocol):
         self.scheduled_events = {}
         self.ssl_context = ssl.create_default_context()
-        self.ssl_context.check_hostname = False
-        self.ssl_context.verify_mode = ssl.CERT_NONE
+        self.ssl_context.check_hostname = True
+        self.ssl_context.verify_mode = ssl.CERT_REQUIRED
         self.event_when_connected = "connected"
@@ -484,11 +484,12 @@ class XMLStream(asyncio.BaseProtocol):
         if self._current_connection_attempt is None:
             return
         try:
+            server_hostname = self.default_domain if self.use_ssl else None
             await self.loop.create_connection(lambda: self,
                                               self.address[0],
                                               self.address[1],
                                               ssl=ssl_context,
-                                              server_hostname=self.default_domain if self.use_ssl else None)
+                                              server_hostname=server_hostname)
             self._connect_loop_wait = 0
         except Socket.gaierror as e:
             self.event('connection_failed',
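Review bot: The two `+` lines assign exactly what `ssl.create_default_context()` already establishes (`check_hostname=True`, `verify_mode=CERT_REQUIRED`), so without a comment a later reader may treat them as redundant and drop them, or flip them back to make a self-signed server "work" — which is precisely the defect this commit fixes. Keep them explicit and add above the first `+` line: `# Pin chain + hostname verification explicitly (CVE-2022-45197); never relax here — a different policy belongs in a caller-supplied context.` Note also the ssl-module ordering constraint: `verify_mode` cannot be set to `CERT_NONE` while `check_hostname` is True, so the old two-line sequence would now raise `ValueError` if reinstated verbatim. The enclosing method (presumably `__init__`) starts and ends outside the hunk.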
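Review bot: The added `server_hostname = ...` line sits inside the `try` although it cannot raise; moving it above `try:` keeps the protected region to the `create_connection` call. More importantly, when `self.use_ssl` is true but `self.default_domain` is falsy, asyncio's `create_connection` substitutes the connect host (`self.address[0]`) as `server_hostname` whenever `ssl` is truthy, so the certificate would silently be matched against the resolved address rather than the XMPP domain; an explicit guard such as `if self.use_ssl and not self.default_domain: raise ValueError('default_domain is required for certificate hostname verification')` — or at least a comment stating the assumption — would make that boundary visible. Whether `default_domain` can be empty here, and whether `ssl_context` is always set when `use_ssl` is true, is not visible in the hunk. The enclosing coroutine starts and ends outside the hunk.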
@@ -827,15 +828,15 @@ class XMLStream(asyncio.BaseProtocol):
         try:
             if hasattr(self.loop, 'start_tls'):
                 transp = await self.loop.start_tls(self.transport,
-                                                   self, ssl_context)
+                                                   self, ssl_context,
+                                                   server_hostname=self.default_domain)
             # Python < 3.7
             else:
                 transp, _ = await self.loop.create_connection(
                     lambda: self,
                     ssl=self.ssl_context,
                     sock=self.socket,
-                    server_hostname=self.default_domain
-                )
+                    server_hostname=self.default_domain)
         except ssl.SSLError as e:
             log.debug('SSL: Unable to connect', exc_info=True)
             log.error('CERT: Invalid certificate trust chain.')
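Review bot: With hostname checking now active, a name mismatch surfaces from `start_tls` as `ssl.SSLCertVerificationError`, which the existing `except ssl.SSLError` branch reports as 'CERT: Invalid certificate trust chain.' — misleading for this new failure class, and it hides the detail an operator needs to distinguish a wrong SAN from an untrusted CA; log the actual reason instead, e.g. `log.error('CERT: certificate verification failed: %s', e)`. Also, `server_hostname=self.default_domain` is now passed unconditionally in both branches: if `default_domain` is None, the ssl layer should reject the combination with `check_hostname=True` by raising `ValueError` (not an `SSLError`), which would escape this handler — whether `default_domain` can be None at this point is not visible here. The pre-3.7 fallback still wraps with `self.ssl_context` while the `start_tls` branch uses the local `ssl_context` (defined outside the hunk); the commit leaves that inconsistency in place. The enclosing coroutine starts and ends outside the hunk.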