diff options
author | Lance Stout <lancestout@gmail.com> | 2012-06-08 09:31:44 -0700 |
---|---|---|
committer | Lance Stout <lancestout@gmail.com> | 2012-06-08 09:31:44 -0700 |
commit | 48dd01b0bb7db1d93bf2d21e681939bfcd2f1297 (patch) | |
tree | a61d6c808825be9f3f554ef6f51f075de9dfb606 | |
parent | 7247efe05518ad9468dc52a6066f38f78cbc599e (diff) | |
download | slixmpp-48dd01b0bb7db1d93bf2d21e681939bfcd2f1297.tar.gz slixmpp-48dd01b0bb7db1d93bf2d21e681939bfcd2f1297.tar.bz2 slixmpp-48dd01b0bb7db1d93bf2d21e681939bfcd2f1297.tar.xz slixmpp-48dd01b0bb7db1d93bf2d21e681939bfcd2f1297.zip |
Ensure that all SSL cert error handling is overridable using event handlers.
Relevant events:
ssl_invalid_cert
ssl_invalid_chain
ssl_expired_cert
-rw-r--r-- | sleekxmpp/xmlstream/xmlstream.py | 37 |
1 files changed, 29 insertions, 8 deletions
diff --git a/sleekxmpp/xmlstream/xmlstream.py b/sleekxmpp/xmlstream/xmlstream.py index ac0fc256..7376d56d 100644 --- a/sleekxmpp/xmlstream/xmlstream.py +++ b/sleekxmpp/xmlstream/xmlstream.py @@ -493,7 +493,8 @@ class XMLStream(object): ssl_socket = ssl.wrap_socket(self.socket, ca_certs=self.ca_certs, - cert_reqs=cert_policy) + cert_reqs=cert_policy, + do_handshake_on_connect=False) if hasattr(self.socket, 'socket'): # We are using a testing socket, so preserve the top @@ -510,6 +511,17 @@ class XMLStream(object): log.debug("Connecting to %s:%s", domain, self.address[1]) self.socket.connect(self.address) + try: + self.socket.do_handshake() + except: + log.error('CERT: Invalid certificate trust chain.') + if not self.event_handled('ssl_invalid_chain'): + self.disconnect(self.auto_reconnect, send_close=False) + else: + self.event('ssl_invalid_chain', direct=True) + return False + + if self.use_ssl and self.ssl_support: self._der_cert = self.socket.getpeercert(binary_form=True) pem_cert = ssl.DER_cert_to_PEM_cert(self._der_cert) @@ -520,8 +532,10 @@ class XMLStream(object): cert.verify(self._expected_server_name, self._der_cert) except cert.CertificateError as err: log.error(err.message) - self.event('ssl_invalid_cert', cert, direct=True) - self.disconnect(send_close=False) + if not self.event_handled('ssl_invalid_cert'): + self.disconnect(send_close=False) + else: + self.event('ssl_invalid_cert', cert, direct=True) self.set_socket(self.socket, ignore=True) #this event is where you should set your application state @@ -790,8 +804,10 @@ class XMLStream(object): self.socket.do_handshake() except: log.error('CERT: Invalid certificate trust chain.') - self.event('ssl_invalid_chain', direct=True) - self.disconnect(self.auto_reconnect, send_close=False) + if not self.event_handled('ssl_invalid_chain'): + self.disconnect(self.auto_reconnect, send_close=False) + else: + self.event('ssl_invalid_chain', direct=True) return False self._der_cert = self.socket.getpeercert(binary_form=True) @@ -803,9 +819,10 @@ class XMLStream(object): cert.verify(self._expected_server_name, self._der_cert) except cert.CertificateError as err: log.error(err.message) - self.event('ssl_invalid_cert', cert, direct=True) if not self.event_handled('ssl_invalid_cert'): self.disconnect(self.auto_reconnect, send_close=False) + else: + self.event('ssl_invalid_cert', cert, direct=True) self.set_socket(self.socket) return True @@ -820,8 +837,12 @@ class XMLStream(object): return def restart(): - log.warn("The server certificate has expired. Restarting.") - self.reconnect() + if not self.event_handled('ssl_expired_cert'): + log.warn("The server certificate has expired. Restarting.") + self.reconnect() + else: + pem_cert = ssl.DER_cert_to_PEM_cert(self._der_cert) + self.event('ssl_expired_cert', pem_cert) cert_ttl = cert.get_ttl(self._der_cert) if cert_ttl is None: |