only verify fingerprint, dont do ca verification

2015-02-22 19:53:40 +05:30 · 2015-02-22 19:53:40 +05:30 · 14098e3c01
parent 08d30c2e67
commit 14098e3c01
1 changed files with 8 additions and 3 deletions
--- a/oml/ssl_request.py
+++ b/oml/ssl_request.py
@ -1,6 +1,7 @@
 # -*- coding: utf-8 -*-
 # vi:si:et:sw=4:sts=4:ts=4

+import ssl
 import http.client
 import urllib.request, urllib.error, urllib.parse
 import hashlib
@ -20,12 +21,15 @@ class InvalidCertificateException(http.client.HTTPException, urllib.error.URLErr

 class FingerprintHTTPSConnection(http.client.HTTPSConnection):

-    def __init__(self, host, port=None, fingerprint=None, check_hostname=None, **kwargs):
+    def __init__(self, host, port=None, fingerprint=None, check_hostname=None, context=None, **kwargs):
        self._fingerprint = fingerprint
        if self._fingerprint:
-            check_hostname = None
+            check_hostname = False
+            context = ssl._create_default_https_context()
+            context.check_hostname = False
+            context.verify_mode = ssl.CERT_NONE
        http.client.HTTPSConnection.__init__(self, host, port,
-                check_hostname=check_hostname, **kwargs)
+                check_hostname=check_hostname, context=context, **kwargs)

    def _check_fingerprint(self, cert):
        if len(self._fingerprint) == 40:
@ -38,6 +42,7 @@ class FingerprintHTTPSConnection(http.client.HTTPSConnection):
            logging.error('unkown _fingerprint length %s (%s)',
                self._fingerprint, len(self._fingerprint))
            return False
+        logger.debug('ssl fingerprint: %s (match: %s)', fingerprint, fingerprint == self._fingerprint)
        return fingerprint == self._fingerprint

    def connect(self):