Fallback to standard TLS validation

If the caller provides no custom validation, use normal validation. Historically, this webclient has been used for internal networks where custom validation was more feasible than normal TLS validation. However, it is starting to be used to communicate with internet sites, so a change is required to work with that model sanely. Change-Id: I31dae103bfbe534aa326a648f9207ad86b86d550
2025-08-09 21:00:14 +00:00 · 2020-03-20 11:25:39 -04:00
parent 59f44fa9c8
commit 767efd60a8
1 changed files with 17 additions and 7 deletions
--- a/pyghmi/util/webclient.py
+++ b/pyghmi/util/webclient.py
@@ -130,7 +130,10 @@ class SecureHTTPConnection(httplib.HTTPConnection, object):
                                            **kwargs)
        except TypeError:
            httplib.HTTPConnection.__init__(self, host, port, **kwargs)
-        self.cert_reqs = ssl.CERT_NONE  # verification will be done ssh style..
+        if verifycallback:
+            self.cert_reqs = ssl.CERT_NONE  # use custom validation
+        else:
+            self.cert_reqs = ssl.CERT_REQUIRED  # use standard validation
        if clone:
            self._certverify = clone._certverify
            self.cookies = clone.cookies
@@ -173,12 +176,19 @@ class SecureHTTPConnection(httplib.HTTPConnection, object):
        except socket.error:
            pass
        plainsock.connect(addrinfo[4])
-        self.sock = ssl.wrap_socket(plainsock, cert_reqs=self.cert_reqs)
-        # txtcert = self.sock.getpeercert()  # currently not possible
-        bincert = self.sock.getpeercert(binary_form=True)
-        if not self._certverify(bincert):
-            raise pygexc.UnrecognizedCertificate('Unknown certificate',
-                                                 bincert)
+        if self._certverify:
+            self.sock = ssl.wrap_socket(plainsock, cert_reqs=self.cert_reqs)
+            bincert = self.sock.getpeercert(binary_form=True)
+            if not self._certverify(bincert):
+                raise pygexc.UnrecognizedCertificate('Unknown certificate',
+                                                     bincert)
+        else:
+            ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+            ctx.load_default_certs()
+            ctx.verify_mode = ssl.CERT_REQUIRED
+            ctx.check_hostname = True
+            self.sock = ctx.wrap_socket(plainsock,
+                                        server_hostname=self.thehost)

    def getresponse(self):
        try: