CVE-2022-45197: Fix missing certificate hostname validation

Signed-off-by: Maxime “pep” Buquet <pep@bouah.net>
Maxime “pep” Buquet 2022-11-11 18:27:13 +01:00
parent e93e43df66
commit b60b1b985d
Signed by: pep
GPG key ID: DEDA74AEECA9D0F2


@ -299,8 +299,8 @@ class XMLStream(asyncio.BaseProtocol):
self.scheduled_events = {} self.scheduled_events = {}
self.ssl_context = ssl.create_default_context() self.ssl_context = ssl.create_default_context()
self.ssl_context.check_hostname = False self.ssl_context.check_hostname = True
self.ssl_context.verify_mode = ssl.CERT_NONE self.ssl_context.verify_mode = ssl.CERT_REQUIRED
self.event_when_connected = "connected" self.event_when_connected = "connected"
@ -484,11 +484,12 @@ class XMLStream(asyncio.BaseProtocol):
if self._current_connection_attempt is None: if self._current_connection_attempt is None:
return return
try: try:
server_hostname = self.default_domain if self.use_ssl else None
await self.loop.create_connection(lambda: self, await self.loop.create_connection(lambda: self,
self.address[0], self.address[0],
self.address[1], self.address[1],
ssl=ssl_context, ssl=ssl_context,
server_hostname=self.default_domain if self.use_ssl else None) server_hostname=server_hostname)
self._connect_loop_wait = 0 self._connect_loop_wait = 0
except Socket.gaierror as e: except Socket.gaierror as e:
self.event('connection_failed', self.event('connection_failed',
@ -827,15 +828,15 @@ class XMLStream(asyncio.BaseProtocol):
try: try:
if hasattr(self.loop, 'start_tls'): if hasattr(self.loop, 'start_tls'):
transp = await self.loop.start_tls(self.transport, transp = await self.loop.start_tls(self.transport,
self, ssl_context) self, ssl_context,
server_hostname=self.default_domain)
# Python < 3.7 # Python < 3.7
else: else:
transp, _ = await self.loop.create_connection( transp, _ = await self.loop.create_connection(
lambda: self, lambda: self,
ssl=self.ssl_context, ssl=self.ssl_context,
sock=self.socket, sock=self.socket,
server_hostname=self.default_domain server_hostname=self.default_domain)
)
except ssl.SSLError as e: except ssl.SSLError as e:
log.debug('SSL: Unable to connect', exc_info=True) log.debug('SSL: Unable to connect', exc_info=True)
log.error('CERT: Invalid certificate trust chain.') log.error('CERT: Invalid certificate trust chain.')
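Review bot: The `except ssl.SSLError` branch at the end of this hunk still logs the fixed message `CERT: Invalid certificate trust chain.`, but now that `check_hostname` is enabled the same exception class (`ssl.SSLCertVerificationError`) is also raised for a hostname mismatch, so that message misattributes the failure mode this commit introduces; log the verifier's own reason instead, e.g. `log.error('CERT: certificate verification failed: %s', getattr(e, 'verify_message', e))`. A second gap is that a context with `check_hostname = True` raises `ValueError` (not `SSLError`) when `server_hostname` is `None`, so if `self.default_domain` can be unset at this point, the `start_tls` call here (and the `create_connection` call in the earlier hunk when `use_ssl` is true) will escape this handler rather than emitting a clean connection failure. Python's hostname matching also only understands dNSName/CN entries, not the XMPP id-on-xmppAddr or SRV-ID identifiers, so a server whose certificate lacks a dNSName for `default_domain` is now rejected by the handshake before any project-level certificate check could run; if such a check exists elsewhere in the file, confirm that this ordering is the intended policy. The enclosing method continues past the end of the hunk, so whatever follows the `log.error` call was not reviewed.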