--- a/src/common/xmpp/tls_nb.py
+++ b/src/common/xmpp/tls_nb.py
@@ -255,6 +255,8 @@ class NonBlockingTLS(PlugIn):
PlugIn.__init__(self)
self.cacerts = cacerts
self.mycerts = mycerts
+ self.correct_verification = 0
+ self.total_verification = 0
# from ssl.h (partial extract)
ssl_h_bits = { "SSL_ST_CONNECT": 0x1000, "SSL_ST_ACCEPT": 0x2000,
@@ -411,7 +413,11 @@ class NonBlockingTLS(PlugIn):
tcpsock._sslObj = OpenSSL.SSL.Connection(tcpsock._sslContext,
tcpsock._sock)
+ if not self.correct_verification == self.total_verification :
+ log.error("certificates are NOT completely validated, discarding connection for security reasons...")
+ return False
tcpsock._sslObj.set_connect_state() # set to client mode
+
wrapper = PyOpenSSLWrapper(tcpsock._sslObj)
tcpsock._recv = wrapper.recv
tcpsock._send = wrapper.send
@@ -447,6 +453,7 @@ class NonBlockingTLS(PlugIn):
def _ssl_verify_callback(self, sslconn, cert, errnum, depth, ok):
# Exceptions can't propagate up through this callback, so print them here.
+ self.total_verification += 1
try:
self._owner.ssl_fingerprint_sha1 = cert.digest('sha1')
if errnum == 0:
@@ -454,6 +461,8 @@ class NonBlockingTLS(PlugIn):
self._owner.ssl_errnum = errnum
self._owner.ssl_cert_pem = OpenSSL.crypto.dump_certificate(
OpenSSL.crypto.FILETYPE_PEM, cert)
+ if errnum == 0 :
+ self.correct_verification += 1
return True
except:
log.error("Exception caught in _ssl_info_callback:", exc_info=True)
--- a/src/common/connection.py
+++ b/src/common/connection.py
@@ -130,6 +130,8 @@ class CommonConnection:
self.time_to_reconnect = None
self.bookmarks = []
+ self.ssl_errnum = []
+
self.blocked_list = []
self.blocked_contacts = []
self.blocked_groups = []
@@ -1232,21 +1234,20 @@ class Connection(CommonConnection, Conne
name = gajim.config.get_per('accounts', self.name, 'name')
hostname = gajim.config.get_per('accounts', self.name, 'hostname')
self.connection = con
- try:
- errnum = con.Connection.ssl_errnum
- except AttributeError:
- errnum = -1 # we don't have an errnum
- if errnum > 0 and str(errnum) not in gajim.config.get_per('accounts',
- self.name, 'ignore_ssl_errors'):
- text = _('The authenticity of the %s certificate could be invalid.') %\
- hostname
- if errnum in ssl_error:
- text += _('\nSSL Error: <b>%s</b>') % ssl_error[errnum]
- else:
- text += _('\nUnknown SSL error: %d') % errnum
- self.dispatch('SSL_ERROR', (text, errnum, con.Connection.ssl_cert_pem,
- con.Connection.ssl_fingerprint_sha1))
- return True
+ errnum = con.Connection.ssl_errnum
+ for er in errnum:
+ if er > 0 and str(errnum) not in gajim.config.get_per('accounts',
+ self.name, 'ignore_ssl_errors').split():
+ if er in ssl_error:
+ text += _('\nSSL Error: <b>%s</b>') % ssl_error[er]
+ else:
+ text += _('\nUnknown SSL error: %d') % er
+ gajim.nec.push_incoming_event(SSLErrorEvent(None, conn=self,
+ error_text=text, error_num=er,
+ cert=con.Connection.ssl_cert_pem,
+ fingerprint=con.Connection.ssl_fingerprint_sha1,
+ certificate=con.Connection.ssl_certificate))
+ return True
if hasattr(con.Connection, 'ssl_fingerprint_sha1'):
saved_fingerprint = gajim.config.get_per('accounts', self.name, 'ssl_fingerprint_sha1')
if saved_fingerprint: