From 767efd60a80ad7b9509d70f61f3df9af98a9aa62 Mon Sep 17 00:00:00 2001
From: Jarrod Johnson
Date: Fri, 20 Mar 2020 11:25:39 -0400
Subject: [PATCH] Fallback to standard TLS validation

If the caller provides no custom validation, use normal validation. Historically, this webclient has been used for internal networks where custom validation was more feasible than normal TLS validation. However, it is starting to be used to communicate with internet sites, so a change is required to work with that model sanely.

Change-Id: I31dae103bfbe534aa326a648f9207ad86b86d550
---
 pyghmi/util/webclient.py | 24 +++++++++++++++++-------
 1 file changed, 17 insertions(+), 7 deletions(-)

diff --git a/pyghmi/util/webclient.py b/pyghmi/util/webclient.py
index 8c6a58a8..017ef8c2 100644
--- a/pyghmi/util/webclient.py
+++ b/pyghmi/util/webclient.py
@@ -130,7 +130,10 @@ class SecureHTTPConnection(httplib.HTTPConnection, object):
 **kwargs)
 except TypeError:
 httplib.HTTPConnection.__init__(self, host, port, **kwargs)
- self.cert_reqs = ssl.CERT_NONE # verification will be done ssh style..
+ if verifycallback:
+ self.cert_reqs = ssl.CERT_NONE # use custom validation
+ else:
+ self.cert_reqs = ssl.CERT_REQUIRED # use standard validation
 if clone:
 self._certverify = clone._certverify
 self.cookies = clone.cookies
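Review bot: The new `cert_reqs` assignment is derived from `verifycallback` alone, while the `if clone:` branch three lines later copies `_certverify` from the clone, so a cloned connection can end up holding a clone-supplied verifier together with `ssl.CERT_REQUIRED` (or no verifier with `ssl.CERT_NONE`) whenever the two constructor arguments disagree; the connect path later in this patch branches on `self._certverify` but still feeds `self.cert_reqs` into `ssl.wrap_socket`, so the two fields have to stay paired. Copying the mode alongside the callback keeps them consistent: `self.cert_reqs = clone.cert_reqs` inside the `if clone:` block. Whether `self._certverify` is assigned from `verifycallback` somewhere else is not visible here (the enclosing `__init__` begins above the hunk), so the exact mismatch cases are inferred. A short comment on the `else` branch, e.g. `# no callback: rely on the platform CA store and hostname check`, would also make the two modes easier to tell apart for the next reader.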
@@ -173,12 +176,19 @@ class SecureHTTPConnection(httplib.HTTPConnection, object):
 except socket.error:
 pass
 plainsock.connect(addrinfo[4])
- self.sock = ssl.wrap_socket(plainsock, cert_reqs=self.cert_reqs)
- # txtcert = self.sock.getpeercert() # currently not possible
- bincert = self.sock.getpeercert(binary_form=True)
- if not self._certverify(bincert):
- raise pygexc.UnrecognizedCertificate('Unknown certificate',
- bincert)
+ if self._certverify:
+ self.sock = ssl.wrap_socket(plainsock, cert_reqs=self.cert_reqs)
+ bincert = self.sock.getpeercert(binary_form=True)
+ if not self._certverify(bincert):
+ raise pygexc.UnrecognizedCertificate('Unknown certificate',
+ bincert)
+ else:
+ ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+ ctx.load_default_certs()
+ ctx.verify_mode = ssl.CERT_REQUIRED
+ ctx.check_hostname = True
+ self.sock = ctx.wrap_socket(plainsock,
+ server_hostname=self.thehost)

 def getresponse(self):
 try:
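Review bot: The `else` branch builds the standard-validation context by hand from `ssl.PROTOCOL_SSLv23`, which only sets the verify mode, CA store and hostname check and leaves protocol and cipher hardening to whatever the interpreter defaults to, which varies across the Python 2.7/3.x range this module appears to target (the `httplib` alias suggests both). `ctx = ssl.create_default_context()` replaces the first four lines of that branch with the stdlib's vetted client configuration (CERT_REQUIRED, check_hostname, the default CA store, SSLv2/SSLv3 and compression disabled) and exists on every interpreter that has `SSLContext.load_default_certs`. Separately, a failed standard validation now surfaces as `ssl.SSLError`/`ssl.CertificateError` out of `ctx.wrap_socket`, whereas the callback path raises `pygexc.UnrecognizedCertificate`; callers that catch only the latter will not handle the new mode, so either document the difference in the method docstring or wrap the handshake and re-raise a consistent type. The method these lines belong to begins above the hunk, and whether `self.thehost` is guaranteed to be set by the time it runs is not visible here.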