diff --git a/pydle/connection.py b/pydle/connection.py
index 9c1dd5b..76f67e6 100644
--- a/pydle/connection.py
+++ b/pydle/connection.py
@@ -66,36 +66,20 @@ def create_tls_context(self):
 # Set TLS verification options. if self.tls_verify: - # Set our custom verification callback, if the library supports it. - tls_context.set_servername_callback(self.verify_tls) - # Load certificate verification paths. tls_context.set_default_verify_paths() if sys.platform in DEFAULT_CA_PATHS and path.isdir(DEFAULT_CA_PATHS[sys.platform]): tls_context.load_verify_locations(capath=DEFAULT_CA_PATHS[sys.platform]) # If we want to verify the TLS connection, we first need a certicate. - # Check this certificate and its entire chain, if possible, against revocation lists. tls_context.verify_mode = ssl.CERT_REQUIRED - tls_context.verify_flags = ssl.VERIFY_CRL_CHECK_CHAIN - return tls_context + # And have python call match_hostname in do_handshake + tls_context.check_hostname = True - def verify_tls(self, socket, hostname, context): - """ - Verify a TLS connection. Return behaviour is dependent on the as_callback parameter: - - If True, a return value of None means verification succeeded, else it failed. - - If False, a return value of True means verification succeeded, an exception or False means it failed. - """ - cert = socket.getpeercert() - - try: - # Make sure the hostnames for which this certificate is valid include the one we're connecting to. - ssl.match_hostname(cert, hostname) - except ssl.CertificateError: - return ssl.ALERT_DESCRIPTION_BAD_CERTIFICATE - - return None + # We don't check for revocation, because that's impractical still (https://www.imperialviolet.org/2012/02/05/crlsets.html) + + return tls_context @async.coroutine def disconnect(self):
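Review bot: `tls_context.check_hostname = True` only verifies the hostname if the socket is later wrapped with `server_hostname=` — Python's `SSLContext.wrap_socket` raises `ValueError` ("check_hostname requires server_hostname") when it is omitted, and since the hunk removes the old servername-callback path but does not show the connect/wrap call, that call site (outside this hunk) should be confirmed to pass the target host as `server_hostname`, as asyncio's `create_connection(ssl=...)` does by default only when a `host` is given. The assignment order in the new lines is correct but fragile, so it deserves a comment: `# Must stay after verify_mode = CERT_REQUIRED: enabling check_hostname while verify_mode is CERT_NONE raises ValueError.` Dropping `VERIFY_CRL_CHECK_CHAIN` is defensible (with no CRLs loaded it fails every handshake), but the replacement comment would be clearer if it also stated that no OCSP stapling is requested, so revocation is not checked at all rather than merely "impractical". The body of `create_tls_context` begins before this hunk.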