def verify_callback(
    conn: SSL.Connection, x509: SSL.X509, errno: int, depth: int, is_cert_verified: bool
) -> bool:
    """OpenSSL verify callback: record a verification failure on *conn* and report it.

    OpenSSL calls this once per certificate in the chain. ``is_cert_verified`` is
    OpenSSL's own verdict for the certificate at ``depth`` (0 is the leaf). Two
    outcomes are recorded as an ``InvalidCertificateException`` on ``conn.cert_error``:

    * OpenSSL rejected the certificate: the message carries OpenSSL's error string,
      ``errno`` and ``depth``; the negative verdict is passed through unchanged.
    * OpenSSL accepted the leaf but no SNI hostname is known: the leaf is rejected,
      since there is no name the certificate could be validated against.

    ``sni`` and ``address`` are closed-over names from the enclosing scope.
    NOTE(review): when SNI *is* present this callback does not compare the leaf's
    names against it; any hostname match must happen elsewhere — confirm with caller.
    """
    if not is_cert_verified:
        reason = SSL._ffi.string(SSL._lib.X509_verify_cert_error_string(errno)).decode()
        conn.cert_error = exceptions.InvalidCertificateException(
            "Certificate verification error for {}: {} (errno: {}, depth: {})".format(
                sni, reason, errno, depth
            )
        )
    elif depth == 0 and not sni:
        conn.cert_error = exceptions.InvalidCertificateException(
            f"Certificate verification error for {address}: Cannot validate hostname, SNI missing."
        )
        is_cert_verified = False
    # SSL_VERIFY_NONE: OpenSSL continues the handshake regardless of the value returned
    # here, so presumably callers inspect conn.cert_error after the handshake.
    return is_cert_verified
def verify_callback(
    conn: SSL.Connection, x509: SSL.X509, errno: int, depth: int, is_cert_verified: bool
) -> bool:
    """OpenSSL verify callback: add a hostname check for the leaf and record failures.

    OpenSSL calls this once per certificate in the chain. ``is_cert_verified`` is
    OpenSSL's own verdict for the certificate at ``depth`` (0 is the leaf). Any
    failure is stored as an ``InvalidCertificateException`` on ``conn.cert_error``:

    * OpenSSL rejected the certificate: the message carries OpenSSL's error string,
      ``errno`` and ``depth``; the negative verdict is passed through unchanged.
    * OpenSSL accepted the leaf: its subjectAltName DNS entries (and commonName,
      when present) are matched against the SNI hostname via ``match_hostname``.
      Without SNI the literal ``"no-hostname"`` is matched instead, so the leaf is
      rejected unless the certificate happens to carry that exact name.

    ``sni``, ``address``, ``certs``, ``match_hostname`` and ``CertificateError`` come
    from the enclosing scope / module imports. NOTE(review): if ``match_hostname`` is
    ``ssl.match_hostname``, it is deprecated since Python 3.7 and removed in 3.12 —
    confirm which implementation is imported.
    """
    if not is_cert_verified:
        reason = SSL._ffi.string(SSL._lib.X509_verify_cert_error_string(errno)).decode()
        conn.cert_error = exceptions.InvalidCertificateException(
            "Certificate verification error for {}: {} (errno: {}, depth: {})".format(
                sni, reason, errno, depth
            )
        )
        return is_cert_verified
    if depth != 0:
        # Intermediate / root certificates: OpenSSL's verdict is enough, no name check.
        return is_cert_verified

    leaf = certs.Cert(x509)
    try:
        # Shape mirrors what ssl.getpeercert() returns, which is what match_hostname expects.
        names: typing.Dict[str, typing.Any] = {
            "subjectAltName": [("DNS", alt.decode("ascii", "strict")) for alt in leaf.altnames]
        }
        if leaf.cn:
            names["subject"] = [[["commonName", leaf.cn.decode("ascii", "strict")]]]
        if sni:
            # SNI hostnames support IDN through ASCII-Compatible Encoding; the conversion
            # (RFC 3490) is what the idna codec implements.
            # https://docs.python.org/3/library/codecs.html#text-encodings
            # https://tools.ietf.org/html/rfc6066#section-3
            # https://tools.ietf.org/html/rfc4985#section-3
            hostname = sni.encode("idna").decode("ascii")
        else:
            hostname = "no-hostname"
        match_hostname(names, hostname)
    except (ValueError, CertificateError) as e:
        # UnicodeDecodeError / UnicodeError (non-ASCII names, bad IDN) are ValueErrors,
        # so a malformed name is reported the same way as a mismatch.
        conn.cert_error = exceptions.InvalidCertificateException(
            "Certificate verification error for {}: {}".format(
                sni or repr(address), str(e)
            )
        )
        is_cert_verified = False
    # SSL_VERIFY_NONE: OpenSSL continues the handshake regardless of the value returned
    # here, so presumably callers inspect conn.cert_error after the handshake.
    return is_cert_verified