- Timestamp:
- Dec 22, 2008 5:58:25 PM (16 years ago)
- Branches:
- axis_example, compt_changes, info-ops, master, version-1.30, version-2.00, version-3.01, version-3.02
- Children:
- ca24951
- Parents:
- b09f346
- File:
-
- 1 edited
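--- a/fedd/federation/util.py
+++ b/fedd/federation/util.py
@@ -7,4 +7,36 @@
 from M2Crypto import SSL
 from fedid import fedid
+
+
+# If this is an old enough version of M2Crypto.SSL that has an
+# ssl_verify_callback that doesn't allow 0-length signed certs, create a
+# version of that callback that does. This is edited from the original in
+# M2Crypto.SSL.cb. This version also elides the printing to stderr.
+if not getattr(SSL.cb, 'ssl_verify_callback_allow_unknown_ca', None):
+    from M2Crypto.SSL.Context import map
+    from M2Crypto import m2
+
+    def ssl_verify_callback(ssl_ctx_ptr, x509_ptr, errnum, errdepth, ok):
+        unknown_issuer = [
+            m2.X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY,
+            m2.X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE,
+            m2.X509_V_ERR_CERT_UNTRUSTED,
+            m2.X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
+        ]
+        ssl_ctx = map()[ssl_ctx_ptr]
+
+        if errnum in unknown_issuer:
+            if ssl_ctx.get_allow_unknown_ca():
+                ok = 1
+        # CRL checking goes here...
+        if ok:
+            if ssl_ctx.get_verify_depth() >= errdepth:
+                ok = 1
+            else:
+                ok = 0
+        return ok
+else:
+    def ssl_verify_callback(ssl_ctx_ptr, x509_ptr, errnum, errdepth, ok):
+        raise ValueError("This should never be called")
 
 class fedd_ssl_context(SSL.Context):
@@ -48,5 +80,5 @@
         # attribute. This should work under both regines.
         callb = getattr(SSL.cb, 'ssl_verify_callback_allow_unknown_ca',
-                SSL.cb.ssl_verify_callback)
+                ssl_verify_callback)
         self.set_allow_unknown_ca(True)
         self.set_verify(SSL.verify_peer, 10, callback=callb)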
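Review bot: The new ssl_verify_callback (new lines 19–37) turns every unknown-issuer and depth-zero self-signed error into an accept whenever allow_unknown_ca is set, and fedd_ssl_context sets that flag unconditionally at new line 83, so the TLS handshake by itself no longer authenticates who the peer is; whatever uses this context must bind the peer's identity to the certificate it actually presented after the handshake (presumably the fedid derived from it, given the `from fedid import fedid` import — verify against the callers). The `# CRL checking goes here...` placeholder at new line 31 also means there is no revocation check, so a leaked key stays usable until the caller stops trusting its identity. I would make that contract explicit in the header comment above the `if not getattr(...)` line, e.g. `# SECURITY: with allow_unknown_ca set this accepts any self-signed or unknown-issuer cert; callers must identify the peer from the presented cert (fedid) after the handshake, and no revocation check is performed.` Errors outside the unknown_issuer list (expired or badly signed certificates) still return OpenSSL's own verdict, which is the right default and worth keeping. The second hunk's getattr fallback sits inside a method whose start and end are outside the hunk.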