From 1b9b4199e8ecfdc379a34b74dd9b3b197365d74a Mon Sep 17 00:00:00 2001 From: mathieui Date: Wed, 17 Dec 2014 19:03:49 +0100 Subject: Make the ca_certs option useful again (CA-based cert validation) It was broken since the fork. --- slixmpp/xmlstream/xmlstream.py | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/slixmpp/xmlstream/xmlstream.py b/slixmpp/xmlstream/xmlstream.py index c9261224..187bfbc5 100644 --- a/slixmpp/xmlstream/xmlstream.py +++ b/slixmpp/xmlstream/xmlstream.py @@ -481,6 +481,9 @@ class XMLStream(object): else: log.debug('Loaded cert file %s and key file %s', self.certfile, self.keyfile) + if self.ca_certs is not None: + self.ssl_context.verify_mode = ssl.CERT_REQUIRED + self.ssl_context.load_verify_locations(cafile=self.ca_certs) ssl_connect_routine = loop.create_connection(lambda: self, ssl=self.ssl_context, sock=self.socket, @@ -488,12 +491,15 @@ class XMLStream(object): def ssl_coro(): try: transp, prot = yield from ssl_connect_routine - except ssl.SSLError: - import traceback - log.debug('SSL: Unable to connect:\n%s', exc_info=True) - self.event('ssl_invalid_chain', direct=True) + except ssl.SSLError as e: + log.error('CERT: Invalid certificate trust chain.') + log.debug('SSL: Unable to connect', exc_info=True) + if not self.event_handled('ssl_invalid_chain'): + self.disconnect() + else: + self.event('ssl_invalid_chain', e) else: - der_cert = transp._sock.getpeercert(True) + der_cert = transp.get_extra_info("socket").getpeercert(True) pem_cert = ssl.DER_cert_to_PEM_cert(der_cert) self.event('ssl_cert', pem_cert) -- cgit v1.2.3