Added a fix for pre-1.0 OpenSSL which wasn't correctly erring on failed certificate validation

author: Kyle Morton <kylemorton@google.com> 2015-07-21 19:06:20 -0700
committer: Kyle Morton <kylemorton@google.com> 2015-07-21 19:15:11 -0700
commit: c17af4162b5a2946c4bf53bf1d17fca41dc68da7 (patch)
tree: cdaa68b11f08a4ca3cb4655feefef3f049f2b8e2 /netlib/tcp.py
parent: 155bdeb12352065bc36256ba8014003480361a0c (diff)
download: mitmproxy-c17af4162b5a2946c4bf53bf1d17fca41dc68da7.tar.gz
mitmproxy-c17af4162b5a2946c4bf53bf1d17fca41dc68da7.tar.bz2
mitmproxy-c17af4162b5a2946c4bf53bf1d17fca41dc68da7.zip
1 files changed, 7 insertions, 0 deletions
diff --git a/netlib/tcp.py b/netlib/tcp.py
index 47ce8c0e..5c4094d7 100644
--- a/netlib/tcp.py
+++ b/netlib/tcp.py
@@ -518,6 +518,13 @@ class TCPClient(_Connection):
             self.connection.do_handshake()
         except SSL.Error as v:
             raise NetLibError("SSL handshake error: %s" % repr(v))
+
+        # Fix for pre v1.0 OpenSSL, which doesn't throw an exception on
+        # certificate validation failure
+        verification_mode = sslctx_kwargs.get('verify_options', None)
+        if self.ssl_verification_error is not None and verification_mode == SSL.VERIFY_PEER:
+            raise NetLibError("SSL handshake error: certificate verify failed")
+
         self.ssl_established = True
         self.cert = certutils.SSLCert(self.connection.get_peer_certificate())
         self.rfile.set_descriptor(self.connection)
author	Kyle Morton <kylemorton@google.com>	2015-07-21 19:06:20 -0700
committer	Kyle Morton <kylemorton@google.com>	2015-07-21 19:15:11 -0700
commit	c17af4162b5a2946c4bf53bf1d17fca41dc68da7 (patch)
tree	cdaa68b11f08a4ca3cb4655feefef3f049f2b8e2 /netlib/tcp.py
parent	155bdeb12352065bc36256ba8014003480361a0c (diff)
download	mitmproxy-c17af4162b5a2946c4bf53bf1d17fca41dc68da7.tar.gz mitmproxy-c17af4162b5a2946c4bf53bf1d17fca41dc68da7.tar.bz2 mitmproxy-c17af4162b5a2946c4bf53bf1d17fca41dc68da7.zip