From d1452424beced04dc42bbadd68878d9e1c24da9c Mon Sep 17 00:00:00 2001
From: Kyle Morton
Date: Sat, 20 Jun 2015 13:07:23 -0700
Subject: Cleaning up upstream server verification. Adding storage of cerificate verification errors on TCPClient object to enable warnings in downstream projects.
---
 netlib/tcp.py | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
(limited to 'netlib/tcp.py')
diff --git a/netlib/tcp.py b/netlib/tcp.py
index 61306e4e..2cae34ec 100644
--- a/netlib/tcp.py
+++ b/netlib/tcp.py
@@ -401,14 +401,13 @@ class _Connection(object):
 if options is not None:
 context.set_options(options)
- # Verify Options (NONE/PEER/PEER|FAIL_IF_... and trusted CAs)
- if verify_options is not None and verify_options is not SSL.VERIFY_NONE:
- def verify_cert(conn_, cert_, errno, err_depth, is_cert_verified):
- if is_cert_verified:
- return True
- raise NetLibError(
- "Upstream certificate validation failed at depth: %s with error number: %s" %
- (err_depth, errno))
+ # Verify Options (NONE/PEER and trusted CAs)
+ if verify_options is not None:
+ def verify_cert(conn, x509, errno, err_depth, is_cert_verified):
+ if not is_cert_verified:
+ self.ssl_verification_error = dict(errno=errno,
+ depth=err_depth)
+ return is_cert_verified
 context.set_verify(verify_options, verify_cert)
 context.load_verify_locations(ca_pemfile, ca_path)
@@ -469,6 +468,7 @@ class TCPClient(_Connection):
 self.connection, self.rfile, self.wfile = None, None, None
 self.cert = None
 self.ssl_established = False
+ self.ssl_verification_error = None
 self.sni = None
 def create_ssl_context(self, cert=None, alpn_protos=None, **sslctx_kwargs):
-- cgit v1.2.3
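Review bot: With the `is not SSL.VERIFY_NONE` guard removed and `verify_cert` returning `is_cert_verified` instead of raising NetLibError, a failed upstream chain is now only recorded in `self.ssl_verification_error`; whether the handshake stops depends entirely on the `verify_options` mode the caller passed, and under SSL.VERIFY_NONE OpenSSL is documented to continue. Nothing visible here makes a caller read that attribute, so the block should say so, e.g. `# NOTE: with SSL.VERIFY_NONE the handshake proceeds on failure; callers must check self.ssl_verification_error before trusting the peer`. It also looks as if `context.load_verify_locations(ca_pemfile, ca_path)` is now reached for VERIFY_NONE callers as well (indentation is lost in this view), so a call with neither CA argument set may need a guard such as `if ca_pemfile or ca_path:`. The enclosing method starts and ends outside the hunk.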
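Review bot: `ssl_verification_error` is initialised only here in `TCPClient.__init__`, while the callback that writes it lives in `_Connection` (first hunk), so any other `_Connection` subclass that enables verification has no such attribute until a failure occurs, and reading it after a clean handshake would raise AttributeError. The value is also never cleared in the visible code, so an error from an earlier handshake on a reused client could be mistaken for the current one. Resetting it next to the callback setup, `self.ssl_verification_error = None` just before `context.set_verify(verify_options, verify_cert)`, would cover both cases. `__init__` starts outside the hunk.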