From 06c6762c0dd242daf55d0ac2722b36eb0ebd0eb8 Mon Sep 17 00:00:00 2001
From: Luke Childs
Date: Mon, 20 Apr 2020 08:13:50 +0700
Subject: [PATCH] Always check is_main_server() when getting fingerprint

---
 electrum/interface.py | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/electrum/interface.py b/electrum/interface.py
index d04053eaa..15e6706e6 100644
--- a/electrum/interface.py
+++ b/electrum/interface.py
@@ -353,7 +353,7 @@ class Interface(Logger):
 async def _try_saving_ssl_cert_for_first_time(self, ca_ssl_context):
 ca_signed = await self.is_server_ca_signed(ca_ssl_context)
 if ca_signed:
- if self.network.config.get("serverfingerprint"):
+ if self.get_expected_fingerprint():
 raise InvalidOptionCombination("cannot use --serverfingerprint with CA signed servers")
 with open(self.cert_path, 'w') as f:
 # empty file means this is CA signed, not self-signed
@@ -367,7 +367,7 @@ class Interface(Logger):
 with open(self.cert_path, 'r') as f:
 contents = f.read()
 if contents == '': # CA signed
- if self.network.config.get("serverfingerprint"):
+ if self.get_expected_fingerprint():
 raise InvalidOptionCombination("cannot use --serverfingerprint with CA signed servers")
 return True
 # pinned self-signed cert
@@ -501,9 +501,13 @@ class Interface(Logger):
 ssl_object = asyncio_transport.get_extra_info("ssl_object") # type: ssl.SSLObject
 return ssl_object.getpeercert(binary_form=True)
 
+ def get_expected_fingerprint(self):
+ if self.is_main_server():
+ return self.network.config.get("serverfingerprint")
+
 def verify_certificate_fingerprint(self, certificate):
- expected_fingerprint = self.network.config.get("serverfingerprint")
- if not expected_fingerprint or not self.is_main_server():
+ expected_fingerprint = self.get_expected_fingerprint()
+ if not expected_fingerprint:
 return
 fingerprint = hashlib.sha256(certificate).hexdigest()
 fingerprints_match = fingerprint.lower() == expected_fingerprint.lower()
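Review bot: The new `get_expected_fingerprint` in the third hunk has no docstring and falls off the end for non-main servers, so the security-relevant rule is only implicit: the `serverfingerprint` pin applies to the main server alone, and for every other interface `verify_certificate_fingerprint` returns without comparing anything. I would add a docstring such as `"""Return the pinned SHA-256 cert fingerprint from config, or None if this is not the main server."""` and finish the method with an explicit `return None`. The call sites in the first two hunks test the result only for truthiness, so an empty config value also skips the check silently; a log line on that path would make the disabled pin visible. Whether `is_main_server()` can change after the TLS handshake is not visible in this diff; if it can, an interface that connected as non-main and later became the main server would never have been compared against the pin, which is worth confirming. `verify_certificate_fingerprint` continues past the end of the hunk.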