we must check host name if cert is signed by CA
parent
889ac782c1
commit
52450289ff
@ -119,6 +119,31 @@ class TcpInterface(threading.Thread):
|
||||||
queue.put((self, {'method':method, 'params':params, 'result':result, 'id':_id}))
|
queue.put((self, {'method':method, 'params':params, 'result':result, 'id':_id}))
|
||||||
|
|
||||||
|
|
||||||
|
def check_host_name(self, peercert, name):
|
||||||
|
"""Simple certificate/host name checker. Returns True if the
|
||||||
|
certificate matches, False otherwise. Does not support
|
||||||
|
wildcards."""
|
||||||
|
# Check that the peer has supplied a certificate.
|
||||||
|
# None/{} is not acceptable.
|
||||||
|
if not peercert:
|
||||||
|
return False
|
||||||
|
if peercert.has_key("subjectAltName"):
|
||||||
|
for typ, val in peercert["subjectAltName"]:
|
||||||
|
if typ == "DNS" and val == name:
|
||||||
|
return True
|
||||||
|
else:
|
||||||
|
# Only check the subject DN if there is no subject alternative
|
||||||
|
# name.
|
||||||
|
cn = None
|
||||||
|
for attr, val in peercert["subject"]:
|
||||||
|
# Use most-specific (last) commonName attribute.
|
||||||
|
if attr == "commonName":
|
||||||
|
cn = val
|
||||||
|
if cn is not None:
|
||||||
|
return cn == name
|
||||||
|
return False
|
||||||
|
|
||||||
|
|
||||||
def get_simple_socket(self):
|
def get_simple_socket(self):
|
||||||
try:
|
try:
|
||||||
l = socket.getaddrinfo(self.host, self.port, socket.AF_UNSPEC, socket.SOCK_STREAM)
|
l = socket.getaddrinfo(self.host, self.port, socket.AF_UNSPEC, socket.SOCK_STREAM)
|
||||||
|
@ -149,10 +174,11 @@ class TcpInterface(threading.Thread):
|
||||||
try:
|
try:
|
||||||
ca_certs = os.path.join(self.config.path, 'ca', 'ca-bundle.crt')
|
ca_certs = os.path.join(self.config.path, 'ca', 'ca-bundle.crt')
|
||||||
s = ssl.wrap_socket(s, ssl_version=ssl.PROTOCOL_SSLv3, cert_reqs=ssl.CERT_REQUIRED, ca_certs=ca_certs, do_handshake_on_connect=True)
|
s = ssl.wrap_socket(s, ssl_version=ssl.PROTOCOL_SSLv3, cert_reqs=ssl.CERT_REQUIRED, ca_certs=ca_certs, do_handshake_on_connect=True)
|
||||||
print_error("SSL with ca:", self.host)
|
|
||||||
return s
|
|
||||||
except ssl.SSLError, e:
|
except ssl.SSLError, e:
|
||||||
pass
|
s = None
|
||||||
|
if s and self.check_host_name(s.getpeercert(), self.host):
|
||||||
|
print_error("SSL certificate signed by CA:", self.host)
|
||||||
|
return s
|
||||||
|
|
||||||
# get server certificate.
|
# get server certificate.
|
||||||
# Do not use ssl.get_server_certificate because it does not work with proxy
|
# Do not use ssl.get_server_certificate because it does not work with proxy
|
||||||
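Review bot: The commonName fallback in check_host_name iterates `peercert["subject"]` as flat `(attr, val)` pairs, but the Python 2 ssl module documents getpeercert() returning the subject as a tuple of RDNs, each itself a tuple of `(attr, val)` pairs, so a CA-signed certificate with no subjectAltName would most likely raise ValueError on unpacking instead of returning False — and that call sits outside the `try/except ssl.SSLError` in get_simple_socket, so the error would escape the thread rather than being treated as a failed match. Iterate one level deeper: `for rdn in peercert["subject"]:` / `for attr, val in rdn:` with the commonName test inside the inner loop. Separately, when the CA handshake succeeds but the name does not match, the new code neither logs nor closes `s` and falls through to the "get server certificate" path that follows the hunk, which (as far as can be seen here) downgrades a name mismatch on a CA-signed certificate to whatever that path accepts; at minimum `elif s:` / `s.close()` before falling through, and preferably a hard failure with a print_error naming the host. Comparing with `val.lower() == name.lower()` would also make the match case-insensitive as DNS names are, and note the unchanged wrap_socket line above still pins `ssl.PROTOCOL_SSLv3`. get_simple_socket continues past the end of the hunk.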