|
|
@ -119,6 +119,31 @@ class TcpInterface(threading.Thread): |
|
|
|
queue.put((self, {'method':method, 'params':params, 'result':result, 'id':_id})) |
|
|
|
|
|
|
|
|
|
|
|
def check_host_name(self, peercert, name): |
|
|
|
"""Simple certificate/host name checker. Returns True if the |
|
|
|
certificate matches, False otherwise. Does not support |
|
|
|
wildcards.""" |
|
|
|
# Check that the peer has supplied a certificate. |
|
|
|
# None/{} is not acceptable. |
|
|
|
if not peercert: |
|
|
|
return False |
|
|
|
if peercert.has_key("subjectAltName"): |
|
|
|
for typ, val in peercert["subjectAltName"]: |
|
|
|
if typ == "DNS" and val == name: |
|
|
|
return True |
|
|
|
else: |
|
|
|
# Only check the subject DN if there is no subject alternative |
|
|
|
# name. |
|
|
|
cn = None |
|
|
|
for attr, val in peercert["subject"]: |
|
|
|
# Use most-specific (last) commonName attribute. |
|
|
|
if attr == "commonName": |
|
|
|
cn = val |
|
|
|
if cn is not None: |
|
|
|
return cn == name |
|
|
|
return False |
|
|
|
|
|
|
|
|
|
|
|
def get_simple_socket(self): |
|
|
|
try: |
|
|
|
l = socket.getaddrinfo(self.host, self.port, socket.AF_UNSPEC, socket.SOCK_STREAM) |
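Review bot: The subject-DN fallback in check_host_name, `for attr, val in peercert["subject"]:`, unpacks each entry as an (attr, val) pair, but per the `ssl` module docs `getpeercert()["subject"]` is a sequence of RDNs and each RDN is itself a tuple of (attr, val) pairs, so the first RDN raises ValueError instead of yielding the commonName; the loop should be nested: `for rdn in peercert["subject"]:` / `for attr, val in rdn:` / `if attr == "commonName": cn = val`. DNS names are case-insensitive, so the SAN compare at `if typ == "DNS" and val == name:` and the final `cn == name` should normalise both sides, e.g. `val.lower() == name.lower()`. The docstring could also state that when a subjectAltName is present it is authoritative and the commonName is never consulted, which is what the code does and is the expected behaviour. The `get_simple_socket` definition at the end of the hunk continues outside it.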
|
|
@ -149,10 +174,11 @@ class TcpInterface(threading.Thread): |
|
|
|
try: |
|
|
|
ca_certs = os.path.join(self.config.path, 'ca', 'ca-bundle.crt') |
|
|
|
s = ssl.wrap_socket(s, ssl_version=ssl.PROTOCOL_SSLv3, cert_reqs=ssl.CERT_REQUIRED, ca_certs=ca_certs, do_handshake_on_connect=True) |
|
|
|
print_error("SSL with ca:", self.host) |
|
|
|
return s |
|
|
|
except ssl.SSLError, e: |
|
|
|
pass |
|
|
|
s = None |
|
|
|
if s and self.check_host_name(s.getpeercert(), self.host): |
|
|
|
print_error("SSL certificate signed by CA:", self.host) |
|
|
|
return s |
|
|
|
|
|
|
|
# get server certificate. |
|
|
|
# Do not use ssl.get_server_certificate because it does not work with proxy |
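Review bot: `ssl_version=ssl.PROTOCOL_SSLv3` pins the client to SSL 3.0, a protocol that is deprecated and that servers increasingly refuse; whether that line is new or context cannot be told from the rendered page, but on the new side the CA-verified path would be better served by `ssl_version=ssl.PROTOCOL_SSLv23` (negotiating the highest version both ends support) or at minimum `ssl.PROTOCOL_TLSv1`. `except ssl.SSLError, e: pass` swallows the chain-verification failure with no trace and leaves `e` unused, so a rejected CA-signed certificate is indistinguishable from a server that never offered one; logging it, e.g. `print_error("SSL CA verification failed:", self.host, e)`, keeps the fallback best-effort while making the failure visible. Likewise, when `check_host_name` returns False the code falls through to the server-certificate path without reporting that a CA-signed certificate for the wrong name was presented, which is worth a `print_error` of its own. Indentation is lost in this rendering, so I cannot confirm that `s = None` is executed on the failure path before `s.getpeercert()` is reached; please verify. The enclosing method starts and ends outside this hunk.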
|
|
|