authorMaximilian Hils <git@maximilianhils.com>2015-07-22 12:48:48 +0200
committerMaximilian Hils <git@maximilianhils.com>2015-07-22 12:48:48 +0200
commit1f3f076ded083e98166b257d97d2a5fced2ed2ad (patch)
treecdaa68b11f08a4ca3cb4655feefef3f049f2b8e2 /netlib/tcp.py
parent9fdc412fa043072f44eddec0b07659c161e4ca90 (diff)
parentc17af4162b5a2946c4bf53bf1d17fca41dc68da7 (diff)
Merge pull request #83 from kyle-m/master
Fixing upstream certificate validation bugs
Diffstat (limited to 'netlib/tcp.py')
-rw-r--r--netlib/tcp.py9
1 files changed, 8 insertions, 1 deletions
diff --git a/netlib/tcp.py b/netlib/tcp.py
index 38b77c9e..5c4094d7 100644
--- a/netlib/tcp.py
+++ b/netlib/tcp.py
@@ -422,7 +422,7 @@ class _Connection(object):
context.set_verify(verify_options, verify_cert)
if ca_path is None and ca_pemfile is None:
- ca_path = certifi.where()
+ ca_pemfile = certifi.where()
context.load_verify_locations(ca_pemfile, ca_path)
# Workaround for
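Review bot: The corrected default on the `ca_pemfile = certifi.where()` line has no comment saying why it is the file argument, and mixing up the two arguments is exactly what this hunk repairs. `certifi.where()` returns the path of a single PEM bundle file, so a short comment above the assignment would help, for example `# certifi.where() is a PEM bundle file, so pass it as the CA file, not the CA directory`. The enclosing method starts before and continues past this hunk.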
@@ -518,6 +518,13 @@ class TCPClient(_Connection):
self.connection.do_handshake()
except SSL.Error as v:
raise NetLibError("SSL handshake error: %s" % repr(v))
+
+ # Fix for pre v1.0 OpenSSL, which doesn't throw an exception on
+ # certificate validation failure
+ verification_mode = sslctx_kwargs.get('verify_options', None)
+ if self.ssl_verification_error is not None and verification_mode == SSL.VERIFY_PEER:
+ raise NetLibError("SSL handshake error: certificate verify failed")
+
self.ssl_established = True
self.cert = certutils.SSLCert(self.connection.get_peer_certificate())
self.rfile.set_descriptor(self.connection)
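Review bot: The added guard compares `verification_mode == SSL.VERIFY_PEER`, but verify options are a bitmask, so a caller passing `SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT` would skip this fallback and, on the pre-1.0 OpenSSL the comment describes, a certificate that failed validation would still be accepted. Test the bit instead: `verification_mode = sslctx_kwargs.get('verify_options', SSL.VERIFY_NONE)` and `if self.ssl_verification_error is not None and verification_mode & SSL.VERIFY_PEER:`. The raised message could also include the recorded `self.ssl_verification_error` detail so the failure can be diagnosed from logs. The enclosing method starts before and continues past this hunk, so whether the connection is closed on this error path cannot be confirmed from here.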