From 7afe44ba4ee8810e24abfa32f74dfac61e5551d3 Mon Sep 17 00:00:00 2001
From: Kyle Morton <kylemorton@google.com>
Date: Sat, 20 Jun 2015 12:54:03 -0700
Subject: Updating TCPServer to allow tests (and potentially other use cases)
 to serve certificate chains instead of only single certificates.

---
 netlib/tcp.py | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)


diff --git a/netlib/tcp.py b/netlib/tcp.py
index 77eb7b52..61306e4e 100644
--- a/netlib/tcp.py
+++ b/netlib/tcp.py
@@ -567,7 +567,8 @@ class BaseHandler(_Connection):
                            dhparams=None,
                            **sslctx_kwargs):
         """
-            cert: A certutils.SSLCert object.
+            cert: A certutils.SSLCert object or the path to a certificate
+            chain file.
 
             handle_sni: SNI handler, should take a connection object. Server
             name can be retrieved like this:
@@ -594,7 +595,10 @@ class BaseHandler(_Connection):
         context = self._create_ssl_context(**sslctx_kwargs)
 
         context.use_privatekey(key)
-        context.use_certificate(cert.x509)
+        if isinstance(cert, certutils.SSLCert):
+            context.use_certificate(cert.x509)
+        else:
+            context.use_certificate_chain_file(cert)
 
         if handle_sni:
             # SNI callback happens during do_handshake()
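Review bot: The new `else` branch after `if isinstance(cert, certutils.SSLCert):` hands any non-SSLCert value to `use_certificate_chain_file`, so a `None` or otherwise wrong-typed `cert` now fails inside OpenSSL with an opaque error rather than a clear local message; an explicit string/path check before the call would keep that failure readable. When the chain is loaded from a file, the key passed to `use_privatekey(key)` must match the first certificate in that file, and adding `context.check_privatekey()` after the branch surfaces a mismatch at context creation instead of at the first handshake. The docstring changed in the first hunk could also state that the file is PEM with the leaf certificate first followed by any intermediates, which is the layout `use_certificate_chain_file` expects. The enclosing method starts and ends outside the hunk.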
-- 


From d1452424beced04dc42bbadd68878d9e1c24da9c Mon Sep 17 00:00:00 2001
From: Kyle Morton <kylemorton@google.com>
Date: Sat, 20 Jun 2015 13:07:23 -0700
Subject: Cleaning up upstream server verification. Adding storage of
 certificate verification errors on TCPClient object to enable warnings in
 downstream projects.

---
 netlib/tcp.py | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)


diff --git a/netlib/tcp.py b/netlib/tcp.py
index 61306e4e..2cae34ec 100644
--- a/netlib/tcp.py
+++ b/netlib/tcp.py
@@ -401,14 +401,13 @@ class _Connection(object):
         if options is not None:
             context.set_options(options)
 
-        # Verify Options (NONE/PEER/PEER|FAIL_IF_... and trusted CAs)
-        if verify_options is not None and verify_options is not SSL.VERIFY_NONE:
-            def verify_cert(conn_, cert_, errno, err_depth, is_cert_verified):
-                if is_cert_verified:
-                    return True
-                raise NetLibError(
-                    "Upstream certificate validation failed at depth: %s with error number: %s" %
-                    (err_depth, errno))
+        # Verify Options (NONE/PEER and trusted CAs)
+        if verify_options is not None:
+            def verify_cert(conn, x509, errno, err_depth, is_cert_verified):
+                if not is_cert_verified:
+                    self.ssl_verification_error = dict(errno=errno,
+                                                       depth=err_depth)
+                return is_cert_verified
 
             context.set_verify(verify_options, verify_cert)
             context.load_verify_locations(ca_pemfile, ca_path)
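Review bot: The rewritten `verify_cert` callback overwrites `self.ssl_verification_error` on every failing depth, so a chain rejected at several depths keeps only the last callback's `errno`/`depth`, and the `x509` argument that would identify the offending certificate is discarded; recording only the first failure, e.g. `if not is_cert_verified and self.ssl_verification_error is None:`, and storing `x509.get_subject()` next to the errno would make the downstream warning actionable. The attribute is written here in `_Connection`, but only `TCPClient.__init__` (the second hunk) initializes it to `None`, so another `_Connection` subclass that sets `verify_options` has no such attribute until a failure occurs; initializing it in `_Connection.__init__` instead would cover both. Dropping the `is not SSL.VERIFY_NONE` condition also means `load_verify_locations(ca_pemfile, ca_path)` now runs for `VERIFY_NONE`, and if both locations are `None` OpenSSL reports that call as failed, which did not happen before — worth confirming against the callers' defaults. Callers that relied on the `NetLibError` previously raised from the callback now see a verification failure only through the handshake result, so the exception type they catch may need updating. The enclosing method starts and ends outside the hunk.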
@@ -469,6 +468,7 @@ class TCPClient(_Connection):
         self.connection, self.rfile, self.wfile = None, None, None
         self.cert = None
         self.ssl_established = False
+        self.ssl_verification_error = None
         self.sni = None
 
     def create_ssl_context(self, cert=None, alpn_protos=None, **sslctx_kwargs):
-- 