Added a fix for pre-1.0 OpenSSL which wasn't correctly erring on failed certificate validation

2025-01-30 14:58:38 +00:00 · 2015-07-21 19:06:20 -07:00 · 2015-07-21 19:06:20 -07:00 · c17af4162b
commit c17af4162b
parent 155bdeb123
1 changed files with 7 additions and 0 deletions
--- a/netlib/tcp.py
+++ b/netlib/tcp.py
@ -518,6 +518,13 @@ class TCPClient(_Connection):
            self.connection.do_handshake()
        except SSL.Error as v:
            raise NetLibError("SSL handshake error: %s" % repr(v))
+
+        # Fix for pre v1.0 OpenSSL, which doesn't throw an exception on
+        # certificate validation failure
+        verification_mode = sslctx_kwargs.get('verify_options', None)
+        if self.ssl_verification_error is not None and verification_mode == SSL.VERIFY_PEER:
+            raise NetLibError("SSL handshake error: certificate verify failed")
+
        self.ssl_established = True
        self.cert = certutils.SSLCert(self.connection.get_peer_certificate())
        self.rfile.set_descriptor(self.connection)