Details
- Improvement
- Status: Closed
- Major
- Resolution: Fixed
- Patch Available
Description
The Python TSSLSocket.py module has TSSLSocket and TSSLServerSocket for outbound and inbound SSL connection wrapping.
This ticket is for a patch that makes several improvements:
- adds Apache license at top of file
- for outbound sockets, SSL certificate validation is now performed by default
  - but may be disabled with validate=False in the constructor
  - instructs Python's ssl library to perform CERT_REQUIRED validation of the certificate
  - also checks to make sure the certificate's commonName matches the hostname we tried to connect to
  - raises TTransportExceptions when the certificate fails validation - tested using Google's www.gmail.com (doesn't match) versus mail.google.com (matched cert commonName)
  - puts a copy of the peer certificate in self.peercert, regardless of validation status
  - sets a public boolean self.is_valid member variable to indicate whether the certificate was validated or not
- adds a configurable server certificate file, as a constructor argument certfile
  - allows runtime changing of server cert with setCertfile() on the server, that changes the certfile used in subsequent ssl_wrap() calls
- exposes a class-level variable SSL_PROTOCOL to let the user select ssl.PROTOCOL_TLSv1 or other versions of SSL, instead of hard-coding TLSv1. Defaults to TLSv1 though.
- removes unnecessary sys.path modification
- adds lots of docstrings
In a somewhat unrelated change, this patch changes two lines in TSocket.py where self.handle is compared to None using != instead of: is not.
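The outbound validation behaviour listed above, sketched as an added example that is not the patch's own code. The names CertificateMismatch, names_in_cert, check_peer and client_context are hypothetical, and the check goes beyond the ticket by preferring subjectAltName DNS entries over commonName; matching is exact, with no wildcard handling.

```python
import ssl


class CertificateMismatch(Exception):
    """Hypothetical stand-in for the TTransportException the ticket mentions."""


def names_in_cert(peercert):
    """Return the DNS names asserted by a getpeercert()-style dict."""
    sans = [v for k, v in peercert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans  # commonName is ignored once DNS SANs are present
    # Fall back to commonName, the only field the ticket's check looks at.
    return [v for rdn in peercert.get("subject", ())
            for k, v in rdn if k == "commonName"]


def check_peer(peercert, host):
    """Raise unless host exactly matches a name in the certificate."""
    if not peercert:
        raise CertificateMismatch("no certificate presented by %s" % host)
    names = names_in_cert(peercert)
    if host.lower() not in (n.lower() for n in names):
        raise CertificateMismatch(
            "host %r does not match certificate names %r" % (host, names))
    return True


def client_context(validate=True):
    """Build a client context; validate=False mirrors the ticket's opt-out."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus hostname checking
    if not validate:
        ctx.check_hostname = False      # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("organizationName", "Example Org"),),
                (("commonName", "mail.google.com"),)),
}
```

With a context from client_context(), passing server_hostname to wrap_socket() makes the ssl module perform the hostname match during the handshake, so check_peer() is only needed where that built-in check is unavailable.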