Commit 815f39d1 authored by Jim Fulton's avatar Jim Fulton Committed by GitHub

Merge pull request #51 from zopefoundation/load-default-cert-for-client-of-signed-server

Fixed: SSL clients of servers with signed certs didn't load default
parents 51a63113 031ab976
Changelog Changelog
========= =========
- Fixed: SSL clients of servers with signed certs didn't load default
certs and were unable to connect.
5.0.0a0 (2016-07-08) 5.0.0a0 (2016-07-08)
-------------------- --------------------
......
...@@ -195,6 +195,8 @@ class SSLConfigTestMockiavellian(ZEOConfigTestBase): ...@@ -195,6 +195,8 @@ class SSLConfigTestMockiavellian(ZEOConfigTestBase):
factory, context, (client_cert, client_key, None), factory, context, (client_cert, client_key, None),
check_hostname=True) check_hostname=True)
context.load_default_certs.assert_called_with()
@mock.patch('ssl.create_default_context') @mock.patch('ssl.create_default_context')
@mock.patch('ZEO.ClientStorage.ClientStorage') @mock.patch('ZEO.ClientStorage.ClientStorage')
def test_ssl_mockiavellian_client_auth_dir( def test_ssl_mockiavellian_client_auth_dir(
...@@ -210,6 +212,7 @@ class SSLConfigTestMockiavellian(ZEOConfigTestBase): ...@@ -210,6 +212,7 @@ class SSLConfigTestMockiavellian(ZEOConfigTestBase):
capath=here, capath=here,
check_hostname=True, check_hostname=True,
) )
context.load_default_certs.assert_not_called()
@mock.patch('ssl.create_default_context') @mock.patch('ssl.create_default_context')
@mock.patch('ZEO.ClientStorage.ClientStorage') @mock.patch('ZEO.ClientStorage.ClientStorage')
...@@ -226,6 +229,7 @@ class SSLConfigTestMockiavellian(ZEOConfigTestBase): ...@@ -226,6 +229,7 @@ class SSLConfigTestMockiavellian(ZEOConfigTestBase):
cafile=server_cert, cafile=server_cert,
check_hostname=True, check_hostname=True,
) )
context.load_default_certs.assert_not_called()
@mock.patch('ssl.create_default_context') @mock.patch('ssl.create_default_context')
@mock.patch('ZEO.ClientStorage.ClientStorage') @mock.patch('ZEO.ClientStorage.ClientStorage')
......
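Review bot: The two `context.load_default_certs.assert_not_called()` checks in the auth-dir and auth-file tests depend on the mock library providing that method. `assert_not_called` only exists from Python 3.5's `unittest.mock` (and recent releases of the `mock` backport); on older versions a Mock answers the unknown attribute with a child mock, so the line passes without checking anything. If such versions are still supported, `self.assertFalse(context.load_default_certs.called)` pins the same property everywhere. In the first hunk, `assert_called_with()` inspects only the most recent call, so `assert_called_once_with()` would also catch a double load. No visible test covers `authenticate` set to `'DYNAMIC'` or a server section without `authenticate`, though the test methods start and end outside these hunks.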
...@@ -11,12 +11,16 @@ def ssl_config(section, server): ...@@ -11,12 +11,16 @@ def ssl_config(section, server):
if auth: if auth:
if os.path.isdir(auth): if os.path.isdir(auth):
capath=auth capath=auth
else: elif auth != 'DYNAMIC':
cafile=auth cafile=auth
context = ssl.create_default_context( context = ssl.create_default_context(
ssl.Purpose.CLIENT_AUTH, cafile=cafile, capath=capath) ssl.Purpose.CLIENT_AUTH, cafile=cafile, capath=capath)
if not auth:
assert not server
context.load_default_certs()
if section.certificate: if section.certificate:
password = section.password_function password = section.password_function
if password: if password:
......
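Review bot: `assert not server` in the new `if not auth:` branch is the only thing stopping a server section without `authenticate` from loading the system CA bundle, and asserts are removed when Python runs with `-O`. The server context would then trust every CA in the default store when verifying client certificates, assuming the code below the hunk requires client certs, which is not visible here. The guard should be a real check placed ahead of `context.load_default_certs()`, e.g. `if server: raise ValueError("authenticate is required for SSL servers")`. The `'DYNAMIC'` value also deserves a comment such as `# 'DYNAMIC': no CA file/dir is loaded here; trust anchors are presumably supplied elsewhere`, because that branch leaves the context with no verify locations at all. ssl_config starts and continues outside the hunk.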