Browse code
Handle unvalidated SSL certificate
SSLSocket.getpeercert() can return {} meaning the library did not
validate the SSL certificate. We can't do the match_hostname() tests
against this, so don't bother trying.
This addresses #472 which was failing on Ubuntu 14.04 because it does
not have a new-enough SSL library to validate the certificate.
Matt Domsch authored on 2015/02/07 23:18:28Showing 1 changed files
| ... | ... |
@@ -84,9 +84,10 @@ class http_connection(object): |
| 84 | 84 |
cert = self.c.sock.getpeercert() |
| 85 | 85 |
try: |
| 86 | 86 |
ssl.match_hostname(cert, self.c.host) |
| 87 |
- |
|
| 88 | 87 |
except AttributeError: # old ssl module doesn't have this function |
| 89 | 88 |
return |
| 89 |
+ except ValueError: # empty SSL cert means underlying SSL library didn't validate it, we don't either. |
|
| 90 |
+ return |
|
| 90 | 91 |
except ssl.CertificateError, e: |
| 91 | 92 |
self.match_hostname_aws(cert, e) |
| 92 | 93 |
|