From c071c69e1b5a0d897674a1f7adc6ff32f19400ff Mon Sep 17 00:00:00 2001
From: Victor Shyba <victor.shyba@gmail.com>
Date: Wed, 27 May 2015 12:49:44 -0300
Subject: [bug] Use BrowserLikePolicyForHTTPS for checking

While testing the way that its implemented now, I found out that no check
is being made on certificate attributes against the host.
I found this simple way of creating a BrowserLikePolicyForHTTPS using
a self signed cert and it worked on my test. I used test_https from
Soledad for checking this (which we are fixing on another branch).

Also, we don't want to depend on twisted for other things than
leap.common.http.
---
 src/leap/common/certs.py | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

(limited to 'src/leap/common/certs.py')

diff --git a/src/leap/common/certs.py b/src/leap/common/certs.py
index db513f6..c8e0743 100644
--- a/src/leap/common/certs.py
+++ b/src/leap/common/certs.py
@@ -178,3 +178,20 @@ def should_redownload(certfile, now=time.gmtime):
         return True
 
     return False
+
+
+def get_compatible_ssl_context_factory(cert_path=None):
+    import twisted
+    cert = None
+    if twisted.version.base() > '14.0.1':
+        from twisted.web.client import BrowserLikePolicyForHTTPS
+        from twisted.internet import ssl
+        if cert_path:
+            cert = ssl.Certificate.loadPEM(open(cert_path).read())
+        policy = BrowserLikePolicyForHTTPS(cert)
+        return policy
+    else:
+        raise Exception(("""
+            Twisted 14.0.2 is needed in order to have secure Client Web SSL Contexts, not %s
+            See: http://twistedmatrix.com/trac/ticket/7647
+            """) % (twisted.version.base()))
-- 
cgit v1.2.3