From 7b1564947d9ea05608862acec6ccfe96e7f52e01 Mon Sep 17 00:00:00 2001
From: Lance Stout
Date: Fri, 8 Jun 2012 09:31:44 -0700
Subject: Ensure that all SSL cert error handling is overridable using event handlers.

Relevant events:
ssl_invalid_cert
ssl_invalid_chain
ssl_expired_cert
---
 sleekxmpp/xmlstream/xmlstream.py | 37 +++++++++++++++++++++++++++++--------
 1 file changed, 29 insertions(+), 8 deletions(-)

(limited to 'sleekxmpp')

diff --git a/sleekxmpp/xmlstream/xmlstream.py b/sleekxmpp/xmlstream/xmlstream.py
index ac0fc256..7376d56d 100644
--- a/sleekxmpp/xmlstream/xmlstream.py
+++ b/sleekxmpp/xmlstream/xmlstream.py
@@ -493,7 +493,8 @@ class XMLStream(object):

 ssl_socket = ssl.wrap_socket(self.socket,
 ca_certs=self.ca_certs,
- cert_reqs=cert_policy)
+ cert_reqs=cert_policy,
+ do_handshake_on_connect=False)

 if hasattr(self.socket, 'socket'):
 # We are using a testing socket, so preserve the top
@@ -510,6 +511,17 @@ class XMLStream(object):
 log.debug("Connecting to %s:%s", domain, self.address[1])
 self.socket.connect(self.address)

+ try:
+ self.socket.do_handshake()
+ except:
+ log.error('CERT: Invalid certificate trust chain.')
+ if not self.event_handled('ssl_invalid_chain'):
+ self.disconnect(self.auto_reconnect, send_close=False)
+ else:
+ self.event('ssl_invalid_chain', direct=True)
+ return False
+
+
 if self.use_ssl and self.ssl_support:
 self._der_cert = self.socket.getpeercert(binary_form=True)
 pem_cert = ssl.DER_cert_to_PEM_cert(self._der_cert)
@@ -520,8 +532,10 @@ class XMLStream(object):
 cert.verify(self._expected_server_name, self._der_cert)
 except cert.CertificateError as err:
 log.error(err.message)
- self.event('ssl_invalid_cert', cert, direct=True)
- self.disconnect(send_close=False)
+ if not self.event_handled('ssl_invalid_cert'):
+ self.disconnect(send_close=False)
+ else:
+ self.event('ssl_invalid_cert', cert, direct=True)

 self.set_socket(self.socket, ignore=True)
 #this event is where you should set your application state
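Review bot: Registering an `ssl_invalid_chain` handler now turns a failed handshake from fatal into advisory: the new `else:` branch only fires the event and never calls `self.disconnect(...)`, so unless every handler disconnects itself the stream stays open against a peer whose chain did not verify, and the `ssl_invalid_cert` branch at -520 (which then falls through to `self.set_socket(...)`) and the -790/-803 hunks have the same fail-open shape. Either keep the disconnect as the default and let a handler opt out explicitly, or state the contract where the events are documented, e.g. `# NOTE: a handler registered for ssl_invalid_chain/ssl_invalid_cert takes over the decision and must call disconnect() itself to reject the peer.` The bare `except:` also sits before the `if self.use_ssl and self.ssl_support:` guard, so on a plain socket a failing `do_handshake()` lookup would presumably be reported as an invalid trust chain; the later commit on this page (4b37a47) moves the call inside the guard and narrows the clause. The enclosing method starts outside the hunk.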
@@ -790,8 +804,10 @@ class XMLStream(object):
 self.socket.do_handshake()
 except:
 log.error('CERT: Invalid certificate trust chain.')
- self.event('ssl_invalid_chain', direct=True)
- self.disconnect(self.auto_reconnect, send_close=False)
+ if not self.event_handled('ssl_invalid_chain'):
+ self.disconnect(self.auto_reconnect, send_close=False)
+ else:
+ self.event('ssl_invalid_chain', direct=True)
 return False

 self._der_cert = self.socket.getpeercert(binary_form=True)
@@ -803,9 +819,10 @@ class XMLStream(object):
 cert.verify(self._expected_server_name, self._der_cert)
 except cert.CertificateError as err:
 log.error(err.message)
- self.event('ssl_invalid_cert', cert, direct=True)
 if not self.event_handled('ssl_invalid_cert'):
 self.disconnect(self.auto_reconnect, send_close=False)
+ else:
+ self.event('ssl_invalid_cert', cert, direct=True)

 self.set_socket(self.socket)
 return True
@@ -820,8 +837,12 @@ class XMLStream(object):
 return

 def restart():
- log.warn("The server certificate has expired. Restarting.")
- self.reconnect()
+ if not self.event_handled('ssl_expired_cert'):
+ log.warn("The server certificate has expired. Restarting.")
+ self.reconnect()
+ else:
+ pem_cert = ssl.DER_cert_to_PEM_cert(self._der_cert)
+ self.event('ssl_expired_cert', pem_cert)

 cert_ttl = cert.get_ttl(self._der_cert)
 if cert_ttl is None:
--
cgit v1.2.3

From 4b37a4706f62d4ac447d2e0e5127a9199075287d Mon Sep 17 00:00:00 2001
From: Lance Stout
Date: Sat, 9 Jun 2012 10:32:25 -0700
Subject: Fix SSL handshake handling when not using legacy SSL.

Fixes issue #172
---
 sleekxmpp/xmlstream/xmlstream.py | 23 +++++++++++------------
 1 file changed, 11 insertions(+), 12 deletions(-)

(limited to 'sleekxmpp')

diff --git a/sleekxmpp/xmlstream/xmlstream.py b/sleekxmpp/xmlstream/xmlstream.py
index 7376d56d..8575c65b 100644
--- a/sleekxmpp/xmlstream/xmlstream.py
+++ b/sleekxmpp/xmlstream/xmlstream.py
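Review bot: In the new `else:` branch of `restart()` the expiry is no longer logged at all — only the unhandled path warns — so an application that registers `ssl_expired_cert` keeps running on an expired certificate with no record of it; log before branching, e.g. `log.warn("The server certificate has expired.")` above `if not self.event_handled('ssl_expired_cert'):`, and keep the "Restarting." wording in the reconnect branch. Unlike the other two events this one is raised without `direct=True`; if that means it is queued rather than dispatched inline, the event documentation should say so, since a handler that wants to reconnect promptly will care. `ssl.DER_cert_to_PEM_cert(self._der_cert)` is also called here without checking that a certificate was captured; a later commit on this page (6cfb5cb) adds that guard at the top of the enclosing method, which starts outside the hunk.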
@@ -511,18 +511,17 @@ class XMLStream(object):
 log.debug("Connecting to %s:%s", domain, self.address[1])
 self.socket.connect(self.address)

- try:
- self.socket.do_handshake()
- except:
- log.error('CERT: Invalid certificate trust chain.')
- if not self.event_handled('ssl_invalid_chain'):
- self.disconnect(self.auto_reconnect, send_close=False)
- else:
- self.event('ssl_invalid_chain', direct=True)
- return False
-
-
 if self.use_ssl and self.ssl_support:
+ try:
+ self.socket.do_handshake()
+ except (Socket.error, ssl.SSLError):
+ log.error('CERT: Invalid certificate trust chain.')
+ if not self.event_handled('ssl_invalid_chain'):
+ self.disconnect(self.auto_reconnect, send_close=False)
+ else:
+ self.event('ssl_invalid_chain', direct=True)
+ return False
+
 self._der_cert = self.socket.getpeercert(binary_form=True)
 pem_cert = ssl.DER_cert_to_PEM_cert(self._der_cert)
 log.debug('CERT: %s', pem_cert)
@@ -802,7 +801,7 @@ class XMLStream(object):

 try:
 self.socket.do_handshake()
- except:
+ except (Socket.error, ssl.SSLError):
 log.error('CERT: Invalid certificate trust chain.')
 if not self.event_handled('ssl_invalid_chain'):
 self.disconnect(self.auto_reconnect, send_close=False)
--
cgit v1.2.3

From e06368f8cdef7bee0bd648cadb4a9c26c2be6209 Mon Sep 17 00:00:00 2001
From: Lance Stout
Date: Sat, 9 Jun 2012 10:43:57 -0700
Subject: Default use_tls to False for components.

Issue #171
---
 sleekxmpp/componentxmpp.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'sleekxmpp')

diff --git a/sleekxmpp/componentxmpp.py b/sleekxmpp/componentxmpp.py
index 348a08e0..1fb9c4d9 100644
--- a/sleekxmpp/componentxmpp.py
+++ b/sleekxmpp/componentxmpp.py
@@ -79,7 +79,7 @@ class ComponentXMPP(BaseXMPP):
 self._handle_probe)

 def connect(self, host=None, port=None, use_ssl=False,
- use_tls=True, reattempt=True):
+ use_tls=False, reattempt=True):
 """Connect to the server.

 Setting ``reattempt`` to ``True`` will cause connection attempts to
--
cgit v1.2.3
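Review bot: The narrowed clause still reports every handshake failure as `CERT: Invalid certificate trust chain.` and raises `ssl_invalid_chain`, although `Socket.error` and the non-verification `ssl.SSLError` cases (reset, timeout, protocol mismatch) say nothing about the chain, so a handler that treats the event as a trust decision is asked to judge a transport error. Bind and log the exception, `except (Socket.error, ssl.SSLError) as err:` followed by `log.error('CERT: SSL handshake failed: %s', err)`, and consider raising `ssl_invalid_chain` only when the error is a verification failure; the -802 hunk needs the same change. The enclosing method starts outside the hunk.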
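Review bot: The docstring that begins in this hunk (`"""Connect to the server.`) says nothing about `use_tls` now defaulting to `False`, and a default that lowers transport protection needs its reason next to the parameter; the next commit on this page gives it (XEP-0114 components can not use TLS), so add to the parameter description something like `use_tls -- Defaults to False because XEP-0114 components can not use TLS.` The docstring and the rest of `connect` continue outside the hunk.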
From 8567d6034f9668e68a15f7166c1df6999e646477 Mon Sep 17 00:00:00 2001
From: Lance Stout
Date: Sat, 9 Jun 2012 10:47:27 -0700
Subject: Use False for use_tls for components.

A log message is shown for those who try to set it to True.

Fixes issue #171
---
 sleekxmpp/componentxmpp.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

(limited to 'sleekxmpp')

diff --git a/sleekxmpp/componentxmpp.py b/sleekxmpp/componentxmpp.py
index 1fb9c4d9..33fc882d 100644
--- a/sleekxmpp/componentxmpp.py
+++ b/sleekxmpp/componentxmpp.py
@@ -104,10 +104,13 @@ class ComponentXMPP(BaseXMPP):

 self.server_name = self.boundjid.host

+ if use_tls:
+ log.info("XEP-0114 components can not use TLS")
+
 log.debug("Connecting to %s:%s", host, port)
 return XMLStream.connect(self, host=host, port=port,
 use_ssl=use_ssl,
- use_tls=use_tls,
+ use_tls=False,
 reattempt=reattempt)

 def incoming_filter(self, xml):
--
cgit v1.2.3

From 6cfb5cb14c2904a36ea350046dfcabd1773613f7 Mon Sep 17 00:00:00 2001
From: Lance Stout
Date: Sat, 9 Jun 2012 10:53:58 -0700
Subject: Add extra check for the cert in the expiration handler.

---
 sleekxmpp/xmlstream/xmlstream.py | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'sleekxmpp')

diff --git a/sleekxmpp/xmlstream/xmlstream.py b/sleekxmpp/xmlstream/xmlstream.py
index 8575c65b..6dfd5498 100644
--- a/sleekxmpp/xmlstream/xmlstream.py
+++ b/sleekxmpp/xmlstream/xmlstream.py
@@ -835,6 +835,10 @@ class XMLStream(object):
 if not self.use_tls and not self.use_ssl:
 return

+ if not self._der_cert:
+ log.warn("TLS or SSL was enabled, but no certificate was found.")
+ return
+
 def restart():
 if not self.event_handled('ssl_expired_cert'):
 log.warn("The server certificate has expired. Restarting.")
--
cgit v1.2.3

From 6997261c6b3479260465a6c829a21152f9019b4d Mon Sep 17 00:00:00 2001
From: Lance Stout
Date: Sat, 9 Jun 2012 11:32:03 -0700
Subject: Bump version for 1.1.3

---
 sleekxmpp/version.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'sleekxmpp')
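Review bot: A caller that passes `use_tls=True` explicitly is connected without TLS and the only trace is an info-level line, which is easy to miss in production logs; since the parameter is still accepted, the downgrade should be at least a warning in the file's existing style, `log.warn("XEP-0114 components can not use TLS; ignoring use_tls=True")`, and the `connect` docstring (outside the hunk) should state that `use_tls` is ignored. Raising `ValueError` instead would be louder but changes the contract for existing callers, so the warning is the minimal fix.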
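Review bot: `if not self._der_cert:` assumes the attribute always exists; the only assignments visible on this page happen after a successful handshake, so if `__init__` (outside the hunk) does not initialise it, calling this method on a stream whose handshake never ran would raise `AttributeError` instead of reaching the warning — `if not getattr(self, '_der_cert', None):` covers both cases. The warning also says what is missing but not what it means for the connection: with `use_tls`/`use_ssl` set and no peer certificate captured, the stream is left up with no expiry check, so a comment should say whether that is intended, e.g. `# No certificate captured (handshake skipped or failed): the expiry check cannot run; the connection itself is left as-is.` The enclosing method starts outside the hunk.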
diff --git a/sleekxmpp/version.py b/sleekxmpp/version.py
index 04aa3d59..37c2875e 100644
--- a/sleekxmpp/version.py
+++ b/sleekxmpp/version.py
@@ -9,5 +9,5 @@

 # We don't want to have to import the entire library
 # just to get the version info for setup.py
-__version__ = '1.1.2'
-__version_info__ = (1, 1, 2, '', 0)
+__version__ = '1.1.3'
+__version_info__ = (1, 1, 3, '', 0)
--
cgit v1.2.3