From 4b57b8131f424c0b3fc0ad616e3c48322e3f7e6e Mon Sep 17 00:00:00 2001
From: Lance Stout <lancestout@gmail.com>
Date: Thu, 16 Dec 2010 17:30:08 -0500
Subject: Added support for using SSL CA certificates.

Originally provided by Brian Beggs (macdiesel)
and Thom Nichols (tomstrummer).
---
 sleekxmpp/xmlstream/xmlstream.py | 23 +++++++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)

diff --git a/sleekxmpp/xmlstream/xmlstream.py b/sleekxmpp/xmlstream/xmlstream.py
index fc7aff34..9e91b5d8 100644
--- a/sleekxmpp/xmlstream/xmlstream.py
+++ b/sleekxmpp/xmlstream/xmlstream.py
@@ -94,6 +94,8 @@ class XMLStream(object):
         ssl_support   -- Indicates if a SSL library is available for use.
         ssl_version   -- The version of the SSL protocol to use.
                          Defaults to ssl.PROTOCOL_TLSv1.
+        ca_certs      -- File path to a CA certificate to verify the
+                         server's identity.
         state         -- A state machine for managing the stream's
                          connection state.
         stream_footer -- The start tag and any attributes for the stream's
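Review bot: The new `ca_certs` entry does not say what happens when it is left unset, although the two connect hunks later in this patch map `None` to `ssl.CERT_NONE`, i.e. no verification at all; a reader of the class docstring should learn that here. The file is also what `ssl.wrap_socket` treats as a CA bundle, not necessarily a single certificate. I would extend the entry to `ca_certs      -- File path to a CA certificate, or a bundle of concatenated CA certificates, used to verify the server's identity. None (the default) disables certificate verification.` The class docstring continues outside the hunk.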
@@ -163,6 +165,7 @@ class XMLStream(object):
 
         self.ssl_support = SSL_SUPPORT
         self.ssl_version = ssl.PROTOCOL_TLSv1
+        self.ca_certs = None
 
         self.response_timeout = RESPONSE_TIMEOUT
 
@@ -283,7 +286,15 @@ class XMLStream(object):
         self.socket.settimeout(None)
         if self.use_ssl and self.ssl_support:
             log.debug("Socket Wrapped for SSL")
-            ssl_socket = ssl.wrap_socket(self.socket)
+            if self.ca_certs is None:
+                cert_policy = ssl.CERT_NONE
+            else:
+                cert_policy = ssl.CERT_REQUIRED
+
+            ssl_socket = ssl.wrap_socket(self.socket,
+                                         ca_certs=self.ca_certs,
+                                         certs_reqs=cert_policy)
+
             if hasattr(self.socket, 'socket'):
                 # We are using a testing socket, so preserve the top
                 # layer of wrapping.
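Review bot: The keyword on the last line of the new `ssl.wrap_socket` call is misspelled: the parameter is `cert_reqs`, so `certs_reqs=cert_policy` raises `TypeError` for an unexpected keyword argument and the direct-SSL connect path fails before any handshake, whether or not `ca_certs` is set; the STARTTLS hunk below spells it correctly. The line should read `cert_reqs=cert_policy)`. The same four-line derivation of `cert_policy` from `self.ca_certs` is repeated in the STARTTLS hunk; a small `_cert_policy()` helper returning `ssl.CERT_REQUIRED` when `self.ca_certs` is set and `ssl.CERT_NONE` otherwise would keep the two paths from drifting apart, as they already have here. This call, unlike the STARTTLS one, also does not pass `ssl_version=self.ssl_version`, so the documented protocol-version attribute only governs one of the two paths. The enclosing connect method starts and ends outside the hunk.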
@@ -387,9 +398,17 @@ class XMLStream(object):
         if self.ssl_support:
             log.info("Negotiating TLS")
             log.info("Using SSL version: %s" % str(self.ssl_version))
+            if self.ca_certs is None:
+                cert_policy = ssl.CERT_NONE
+            else:
+                cert_policy = ssl.CERT_REQUIRED
+
             ssl_socket = ssl.wrap_socket(self.socket,
                                          ssl_version=self.ssl_version,
-                                         do_handshake_on_connect=False)
+                                         do_handshake_on_connect=False,
+                                         ca_certs=self.ca_certs,
+                                         cert_reqs=cert_policy)
+
             if hasattr(self.socket, 'socket'):
                 # We are using a testing socket, so preserve the top
                 # layer of wrapping.
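Review bot: `ssl.CERT_REQUIRED` in the new `cert_reqs` argument only checks that the server's certificate chains to something in `ca_certs`; `ssl.wrap_socket` does not compare the certificate's subject with the host being connected to, so a certificate from the trusted CA issued for a different host still passes, and with `do_handshake_on_connect=False` any verification failure presumably surfaces at a later handshake call outside the hunk rather than at this wrapping. That limit is worth recording next to the policy selection so callers do not assume more than they get, e.g. `# CERT_REQUIRED validates the chain against ca_certs only; hostname matching is not performed here.` The enclosing method starts and ends outside the hunk.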
-- 
cgit v1.2.3