From e1dbfc454180a77ebb38ecae6244ac4abe6d0ac5 Mon Sep 17 00:00:00 2001
From: kali <kali@leap.se>
Date: Thu, 18 Oct 2012 09:30:53 +0900
Subject: catch cert verification errors and ask user for trust

with a little helper function using gnutls
---
 src/leap/eip/checks.py | 27 ++++++++++++++++++++++-----
 1 file changed, 22 insertions(+), 5 deletions(-)

(limited to 'src/leap/eip/checks.py')

diff --git a/src/leap/eip/checks.py b/src/leap/eip/checks.py
index f739c3e8..c704aef3 100644
--- a/src/leap/eip/checks.py
+++ b/src/leap/eip/checks.py
@@ -94,6 +94,7 @@ class ProviderCertChecker(object):
         raise NotImplementedError
 
     def is_there_provider_ca(self):
+        # XXX remove for generic build
         from leap import certs
         logger.debug('do we have provider_ca?')
         cacert_path = BRANDING.get('provider_ca_file', None)
@@ -104,30 +105,46 @@ class ProviderCertChecker(object):
         logger.debug('True')
         return True
 
-    def is_https_working(self, uri=None, verify=True):
+    def is_https_working(
+            self, uri=None, verify=True,
+            autocacert=False):
         if uri is None:
             uri = self._get_root_uri()
         # XXX raise InsecureURI or something better
-        assert uri.startswith('https')
-        if verify is True and self.cacert is not None:
+        try:
+            assert uri.startswith('https')
+        except AssertionError:
+            raise AssertionError(
+                "uri passed should start with https")
+        if autocacert and verify is True and self.cacert is not None:
             logger.debug('verify cert: %s', self.cacert)
             verify = self.cacert
         logger.debug('is https working?')
         logger.debug('uri: %s (verify:%s)', uri, verify)
         try:
             self.fetcher.get(uri, verify=verify)
+
+        except requests.exceptions.SSLError as exc:
+            logger.error("SSLError")
+            raise eipexceptions.HttpsBadCertError
+
+        except requests.exceptions.ConnectionError:
+            logger.error('ConnectionError')
+            raise eipexceptions.HttpsNotSupported
+
         except requests.exceptions.SSLError as exc:
             logger.warning('False! CERT VERIFICATION FAILED! '
                            '(this should be CRITICAL)')
             logger.warning('SSLError: %s', exc.message)
             # XXX RAISE! See #638
             #raise eipexceptions.EIPBadCertError
-        # XXX get requests.exceptions.ConnectionError Errno 110
-        # Connection timed out, and raise ours.
         else:
             logger.debug('True')
             return True
 
+    def get_certificate_fingerprint(self, domain):
+        pass
+
     def check_new_cert_needed(self, skip_download=False, verify=True):
         logger.debug('is new cert needed?')
         if not self.is_cert_valid(do_raise=False):
-- 
cgit v1.2.3