From 85d8b9270f176e5c0a43b5219e84f75690a016e6 Mon Sep 17 00:00:00 2001 From: Thom Nichols Date: Tue, 6 Jul 2010 17:37:57 -0400 Subject: client must validate the server's SSL certificate against the CA list if it is provided. --- sleekxmpp/xmlstream/xmlstream.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'sleekxmpp') diff --git a/sleekxmpp/xmlstream/xmlstream.py b/sleekxmpp/xmlstream/xmlstream.py index fd0b0fa0..f968fdb6 100644 --- a/sleekxmpp/xmlstream/xmlstream.py +++ b/sleekxmpp/xmlstream/xmlstream.py @@ -140,7 +140,9 @@ class XMLStream(object): if self.use_ssl and self.ssl_support: logging.debug("Socket Wrapped for SSL") - self.socket = ssl.wrap_socket(self.socket,ca_certs=self.ca_certs) + cert_policy = ssl.CERT_NONE if self.ca_certs is None else ssl.CERT_REQUIRED + self.socket = ssl.wrap_socket(self.socket, + ca_certs=self.ca_certs, cert_reqs=cert_policy) self.socket.connect(self.address) self.filesocket = self.socket.makefile('rb', 0) -- cgit v1.2.3 From f3cf5f6080b484634e31edaa129c7922ebb62fb6 Mon Sep 17 00:00:00 2001 From: Thom Nichols Date: Wed, 7 Jul 2010 11:33:12 -0400 Subject: added SSL certificate verification to startTLS method --- sleekxmpp/xmlstream/xmlstream.py | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) (limited to 'sleekxmpp') diff --git a/sleekxmpp/xmlstream/xmlstream.py b/sleekxmpp/xmlstream/xmlstream.py index f968fdb6..887edeff 100644 --- a/sleekxmpp/xmlstream/xmlstream.py +++ b/sleekxmpp/xmlstream/xmlstream.py @@ -171,12 +171,18 @@ class XMLStream(object): def startTLS(self): "Handshakes for TLS" + # TODO since this is not part of the 'connectTCP' method, it does not quiesce if + # The TLS negotiation throws an SSLError. It really should. Worse yet, some + # errors might be considered fatal (like certificate verification failure) in which + # case, should we even attempt to re-connect at all? if self.ssl_support: logging.info("Negotiating TLS") # self.realsocket = self.socket # NOT USED + cert_policy = ssl.CERT_NONE if self.ca_certs is None else ssl.CERT_REQUIRED self.socket = ssl.wrap_socket(self.socket, ssl_version=ssl.PROTOCOL_TLSv1, - do_handshake_on_connect=False, + do_handshake_on_connect=False, + cert_reqs=cert_policy, ca_certs=self.ca_certs) self.socket.do_handshake() if sys.version_info < (3,0): -- cgit v1.2.3