authorkali <kali@leap.se>2012-10-18 09:30:53 +0900
committerkali <kali@leap.se>2012-10-18 09:30:53 +0900
commite1dbfc454180a77ebb38ecae6244ac4abe6d0ac5 (patch)
treedc160544313ab1e7a5e14ab5aa9fb8373fe8fae8 /src/leap/eip
parent17896b9f9cbfbca7bc0a0344050dddea8ba61880 (diff)
catch cert verification errors and ask user for trust
with a little helper function using gnutls
Diffstat (limited to 'src/leap/eip')
-rw-r--r--src/leap/eip/checks.py27
-rw-r--r--src/leap/eip/exceptions.py11
2 files changed, 33 insertions, 5 deletions
diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py
index f739c3e8..c704aef3 100644
--- a/src/leap/eip/checks.py
+++ b/src/leap/eip/checks.py
@@ -94,6 +94,7 @@ class ProviderCertChecker(object):
raise NotImplementedError
def is_there_provider_ca(self):
+ # XXX remove for generic build
from leap import certs
logger.debug('do we have provider_ca?')
cacert_path = BRANDING.get('provider_ca_file', None)
@@ -104,30 +105,46 @@ class ProviderCertChecker(object):
logger.debug('True')
return True
- def is_https_working(self, uri=None, verify=True):
+ def is_https_working(
+ self, uri=None, verify=True,
+ autocacert=False):
if uri is None:
uri = self._get_root_uri()
# XXX raise InsecureURI or something better
- assert uri.startswith('https')
- if verify is True and self.cacert is not None:
+ try:
+ assert uri.startswith('https')
+ except AssertionError:
+ raise AssertionError(
+ "uri passed should start with https")
+ if autocacert and verify is True and self.cacert is not None:
logger.debug('verify cert: %s', self.cacert)
verify = self.cacert
logger.debug('is https working?')
logger.debug('uri: %s (verify:%s)', uri, verify)
try:
self.fetcher.get(uri, verify=verify)
+
+ except requests.exceptions.SSLError as exc:
+ logger.error("SSLError")
+ raise eipexceptions.HttpsBadCertError
+
+ except requests.exceptions.ConnectionError:
+ logger.error('ConnectionError')
+ raise eipexceptions.HttpsNotSupported
+
except requests.exceptions.SSLError as exc:
logger.warning('False! CERT VERIFICATION FAILED! '
'(this should be CRITICAL)')
logger.warning('SSLError: %s', exc.message)
# XXX RAISE! See #638
#raise eipexceptions.EIPBadCertError
- # XXX get requests.exceptions.ConnectionError Errno 110
- # Connection timed out, and raise ours.
else:
logger.debug('True')
return True
+ def get_certificate_fingerprint(self, domain):
+ pass
+
def check_new_cert_needed(self, skip_download=False, verify=True):
logger.debug('is new cert needed?')
if not self.is_cert_valid(do_raise=False):
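Review bot: The https-only guard at the top of is_https_working still relies on `assert`, which is stripped under `python -O`, so wrapping it in try/except AssertionError only changes the message — with assertions disabled a plain-http URI passes silently and is fetched with whatever `verify` is set to; `if not uri.startswith('https'): raise AssertionError("uri passed should start with https")` keeps the same exception type without depending on assertions being enabled. Further down, the new `except requests.exceptions.SSLError as exc` handler is placed before the pre-existing SSLError handler that logs the warning and `exc.message`, so the older block is now unreachable and the `exc` bound in the new handler is never used; either delete the old block or move its `logger.warning('SSLError: %s', exc.message)` into the new handler so the verification-failure detail is still logged before HttpsBadCertError is raised. The added `get_certificate_fingerprint` stub returns None for any domain; a one-line docstring or `# TODO` naming the planned gnutls helper would stop callers from mistaking it for an implementation. check_new_cert_needed continues past the end of the hunk.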
diff --git a/src/leap/eip/exceptions.py b/src/leap/eip/exceptions.py
index 11bfd620..41eed77a 100644
--- a/src/leap/eip/exceptions.py
+++ b/src/leap/eip/exceptions.py
@@ -32,8 +32,10 @@ TODO:
* gettext / i18n for user messages.
"""
+from leap.base.exceptions import LeapException
+# This should inherit from LeapException
class EIPClientError(Exception):
"""
base EIPClient exception
@@ -99,6 +101,15 @@ class OpenVPNAlreadyRunning(EIPClientError):
"Please close it before starting leap-client")
+class HttpsNotSupported(LeapException):
+ message = "connection refused while accessing via https"
+ usermessage = "Server does not allow secure connections."
+
+
+class HttpsBadCertError(LeapException):
+ message = "verification error on cert"
+ usermessage = "Server certificate could not be verified."
+
#
# errors still needing some love
#
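Review bot: HttpsNotSupported and HttpsBadCertError derive from the newly imported LeapException, while every other exception in this module (OpenVPNAlreadyRunning and the rest) derives from EIPClientError, so callers that catch EIPClientError as the module's base will not catch the two new errors raised from is_https_working. The added comment `# This should inherit from LeapException` points at the intended fix; if EIPClientError is changed to `class EIPClientError(LeapException):` in the same change, the new classes can inherit from EIPClientError and stay inside the existing hierarchy. Whether LeapException reads the `message`/`usermessage` class attributes the new classes define is not visible here and is worth confirming against leap.base.exceptions.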