def verify_callback(
conn: SSL.Connection,
x509: SSL.X509,
errno: int,
depth: int,
is_cert_verified: bool
) -> bool:
if is_cert_verified and depth == 0 and not sni:
conn.cert_error = exceptions.InvalidCertificateException(
f"Certificate verification error for {address}: Cannot validate hostname, SNI missing."
)
is_cert_verified = False
elif is_cert_verified:
pass
else:
conn.cert_error = exceptions.InvalidCertificateException(
"Certificate verification error for {}: {} (errno: {}, depth: {})".format(
sni,
SSL._ffi.string(SSL._lib.X509_verify_cert_error_string(errno)).decode(),
errno,
depth
)
)
# SSL_VERIFY_NONE: The handshake will be continued regardless of the verification result.
return is_cert_verified
def verify_callback(
conn: SSL.Connection,
x509: SSL.X509,
errno: int,
depth: int,
is_cert_verified: bool
) -> bool:
if is_cert_verified and depth == 0:
# Verify hostname of leaf certificate.
cert = certs.Cert(x509)
try:
crt: typing.Dict[str, typing.Any] = dict(
subjectAltName=[("DNS", x.decode("ascii", "strict")) for x in cert.altnames]
)
if cert.cn:
crt["subject"] = [[["commonName", cert.cn.decode("ascii", "strict")]]]
if sni:
# SNI hostnames allow support of IDN by using ASCII-Compatible Encoding
# Conversion algorithm is in RFC 3490 which is implemented by idna codec
# https://docs.python.org/3/library/codecs.html#text-encodings
# https://tools.ietf.org/html/rfc6066#section-3
# https://tools.ietf.org/html/rfc4985#section-3
hostname = sni.encode("idna").decode("ascii")
else:
hostname = "no-hostname"
match_hostname(crt, hostname)
except (ValueError, CertificateError) as e:
conn.cert_error = exceptions.InvalidCertificateException(
"Certificate verification error for {}: {}".format(
sni or repr(address),
str(e)
)
)
is_cert_verified = False
elif is_cert_verified:
pass
else:
conn.cert_error = exceptions.InvalidCertificateException(
"Certificate verification error for {}: {} (errno: {}, depth: {})".format(
sni,
SSL._ffi.string(SSL._lib.X509_verify_cert_error_string(errno)).decode(),
errno,
depth
)
)
# SSL_VERIFY_NONE: The handshake will be continued regardless of the verification result.
return is_cert_verified
def verify_callback(
conn: SSL.Connection,
x509: SSL.X509,
errno: int,
depth: int,
is_cert_verified: bool
) -> bool:
if is_cert_verified and depth == 0:
# Verify hostname of leaf certificate.
cert = certs.Cert(x509)
try:
crt: typing.Dict[str, typing.Any] = dict(
subjectAltName=[("DNS", x.decode("ascii", "strict")) for x in cert.altnames]
)
if cert.cn:
crt["subject"] = [[["commonName", cert.cn.decode("ascii", "strict")]]]
if sni:
# SNI hostnames allow support of IDN by using ASCII-Compatible Encoding
# Conversion algorithm is in RFC 3490 which is implemented by idna codec
# https://docs.python.org/3/library/codecs.html#text-encodings
# https://tools.ietf.org/html/rfc6066#section-3
# https://tools.ietf.org/html/rfc4985#section-3
hostname = sni.encode("idna").decode("ascii")
else:
hostname = "no-hostname"
match_hostname(crt, hostname)
except (ValueError, CertificateError) as e:
conn.cert_error = exceptions.InvalidCertificateException(
"Certificate verification error for {}: {}".format(
sni or repr(address),
str(e)
)
)
is_cert_verified = False
elif is_cert_verified:
pass
else:
conn.cert_error = exceptions.InvalidCertificateException(
"Certificate verification error for {}: {} (errno: {}, depth: {})".format(
sni,
SSL._ffi.string(SSL._lib.X509_verify_cert_error_string(errno)).decode(),
errno,
depth
)
)
# SSL_VERIFY_NONE: The handshake will be continued regardless of the verification result.
return is_cert_verified
