From 85d8b9270f176e5c0a43b5219e84f75690a016e6 Mon Sep 17 00:00:00 2001
From: Thom Nichols <tmnichols@gmail.com>
Date: Tue, 6 Jul 2010 17:37:57 -0400
Subject: client must validate the server's SSL certificate against the CA list
 if it is provided.

---
 sleekxmpp/xmlstream/xmlstream.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'sleekxmpp')

diff --git a/sleekxmpp/xmlstream/xmlstream.py b/sleekxmpp/xmlstream/xmlstream.py
index fd0b0fa0..f968fdb6 100644
--- a/sleekxmpp/xmlstream/xmlstream.py
+++ b/sleekxmpp/xmlstream/xmlstream.py
@@ -140,7 +140,9 @@ class XMLStream(object):
 
 				if self.use_ssl and self.ssl_support:
 					logging.debug("Socket Wrapped for SSL")
-					self.socket = ssl.wrap_socket(self.socket,ca_certs=self.ca_certs)
+					cert_policy = ssl.CERT_NONE if self.ca_certs is None else ssl.CERT_REQUIRED
+					self.socket = ssl.wrap_socket(self.socket,
+					        ca_certs=self.ca_certs, cert_reqs=cert_policy)
 				
 				self.socket.connect(self.address)
 				self.filesocket = self.socket.makefile('rb', 0)
-- 
cgit v1.2.3


From f3cf5f6080b484634e31edaa129c7922ebb62fb6 Mon Sep 17 00:00:00 2001
From: Thom Nichols <tmnichols@gmail.com>
Date: Wed, 7 Jul 2010 11:33:12 -0400
Subject: added SSL certificate verification to startTLS  method

---
 sleekxmpp/xmlstream/xmlstream.py | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

(limited to 'sleekxmpp')

diff --git a/sleekxmpp/xmlstream/xmlstream.py b/sleekxmpp/xmlstream/xmlstream.py
index f968fdb6..887edeff 100644
--- a/sleekxmpp/xmlstream/xmlstream.py
+++ b/sleekxmpp/xmlstream/xmlstream.py
@@ -171,12 +171,18 @@ class XMLStream(object):
 
 	def startTLS(self):
 		"Handshakes for TLS"
+		# TODO since this is not part of the 'connectTCP' method, it does not quiesce if 
+		# The TLS negotiation throws an SSLError.  It really should.  Worse yet, some 
+		# errors might be considered fatal (like certificate verification failure) in which
+		# case, should we even attempt to re-connect at all?
 		if self.ssl_support:
 			logging.info("Negotiating TLS")
 #			self.realsocket = self.socket # NOT USED
+			cert_policy = ssl.CERT_NONE if self.ca_certs is None else ssl.CERT_REQUIRED
 			self.socket = ssl.wrap_socket(self.socket, 
 					ssl_version=ssl.PROTOCOL_TLSv1, 
-					do_handshake_on_connect=False, 
+					do_handshake_on_connect=False,
+					cert_reqs=cert_policy,
 					ca_certs=self.ca_certs)
 			self.socket.do_handshake()
 			if sys.version_info < (3,0):
-- 
cgit v1.2.3