SSLIOStream: Handle CertificateErrors like other errors 2690/head
authorMartijn van Oosterhout <oosterhout@fox-it.com>
Tue, 25 Jun 2019 16:25:33 +0000 (18:25 +0200)
committerMartijn van Oosterhout <oosterhout@fox-it.com>
Tue, 25 Jun 2019 16:28:56 +0000 (18:28 +0200)
Fixes: tornadoweb/tornado#2689
tornado/iostream.py

index 23ad0da3dc33a0f6f1b679871c7605262a9036ee..447088fafb4e050e7e651dd19053dd1598e8a645 100644 (file)
@@ -1387,6 +1387,10 @@ class SSLIOStream(IOStream):
                 )
                 return self.close(exc_info=err)
             raise
+        except ssl.CertificateError as err:
+            # CertificateError can happen during handshake (hostname
+            # verification) and should be passed to user
+            return self.close(exc_info=err)
         except socket.error as err:
             # Some port scans (e.g. nmap in -sT mode) have been known
             # to cause do_handshake to raise EBADF and ENOTCONN, so make
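Review bot: The new `except ssl.CertificateError` clause may be unreachable on Python 3.7 and later, because it sits after the handler that ends in the bare `raise`, whose `except` line is outside the hunk. If that handler catches `ssl.SSLError`, it takes the error first on 3.7+, where `ssl.CertificateError` is an alias of `ssl.SSLCertVerificationError`, a subclass of `ssl.SSLError`. The comment should record this, e.g. `# On Python 3.7+ this is a subclass of SSLError and is handled by the block above.` The new branch also closes the stream without a log line, so a failed hostname check is invisible to operators unless the caller inspects the stream error. Something like `gen_log.warning("SSL certificate error on %s: %s", self.socket.fileno(), err)` before the `return` would cover it, assuming `gen_log` is the logger this module already imports. The enclosing method starts and ends outside the hunk.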