From 5765f0e29b2d14a923ec4d34bc847295f4a57353 Mon Sep 17 00:00:00 2001
From: Ken Giusti
Date: Fri, 18 Jul 2014 15:21:37 +0000
Subject: QPID-5894: force cert checking if user specifically asks to verify the remote's hostname.
git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk@1611670 13f79535-47bb-0310-9956-ffa450edef68
---
 qpid/python/qpid/messaging/endpoints.py | 2 ++
 qpid/python/qpid/messaging/transports.py | 5 +++++
 2 files changed, 7 insertions(+)
(limited to 'qpid/python')
diff --git a/qpid/python/qpid/messaging/endpoints.py b/qpid/python/qpid/messaging/endpoints.py
index 5b10fbd9f1..300e0fd657 100644
--- a/qpid/python/qpid/messaging/endpoints.py
+++ b/qpid/python/qpid/messaging/endpoints.py
@@ -182,6 +182,8 @@ class Connection(Endpoint):
 self.ssl_keyfile = default(self.ssl_keyfile, None)
 self.ssl_certfile = default(self.ssl_certfile, None)
 self.ssl_trustfile = default(self.ssl_trustfile, None)
+ # if ssl_skip_hostname_check was not explicitly set, this will be None
+ self._ssl_skip_hostname_check_actual = options.get("ssl_skip_hostname_check")
 self.ssl_skip_hostname_check = default(self.ssl_skip_hostname_check, False)
 self.client_properties = default(self.client_properties, {})
diff --git a/qpid/python/qpid/messaging/transports.py b/qpid/python/qpid/messaging/transports.py
index fd909f247c..f39c256d02 100644
--- a/qpid/python/qpid/messaging/transports.py
+++ b/qpid/python/qpid/messaging/transports.py
@@ -109,6 +109,11 @@ else:
 else:
 validate = CERT_NONE
+ # if user manually set flag to false then require cert
+ actual = getattr(conn, "_ssl_skip_hostname_check_actual", None)
+ if actual is not None and conn.ssl_skip_hostname_check is False:
+ validate = CERT_REQUIRED
+
 self.tls = wrap_socket(self.socket, keyfile=conn.ssl_keyfile, certfile=conn.ssl_certfile, ca_certs=conn.ssl_trustfile,
--
cgit v1.2.1
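Review bot: `_ssl_skip_hostname_check_actual` is captured once from `options` in the constructor, so a caller who assigns `conn.ssl_skip_hostname_check = False` on the object afterwards leaves it at None and, judging by the check this commit adds in transports.py, would not get certificate checking forced. If only the constructor option is meant to count, the comment should say so, e.g. `# None = option not supplied; True/False = explicit choice passed to the constructor, read by the TLS transport`. The reading side uses `getattr(conn, ..., None)`, so any connection object that lacks this private attribute silently keeps the old behaviour. The constructor body continues outside the hunk.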
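Review bot: The added condition `conn.ssl_skip_hostname_check is False` is an identity test, so an explicit but non-bool falsy value such as `0` does not force `CERT_REQUIRED` and the connection stays on `CERT_NONE` when no trust file is set; `if actual is not None and not conn.ssl_skip_hostname_check:` would cover those values. When this branch fires without `ssl_trustfile`, `wrap_socket` receives `ca_certs=None` while `validate` (presumably passed as the verification mode; the call is cut off by the hunk) is `CERT_REQUIRED`, which likely surfaces as a generic SSL error rather than a message naming the missing trust file. The default path, with the option unset and no trust file, still leaves `validate = CERT_NONE`, so the peer certificate is not verified there; a comment stating that this is deliberate would help. The enclosing block starts and ends outside the hunk.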