From: Martijn van Oosterhout <oosterhout@fox-it.com>
Date: Tue, 25 Jun 2019 16:25:33 +0000 (+0200)
Subject: SSLIOStream: Handle CertificateErrors like other errors
X-Git-Tag: v6.1.0b1~34^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b746799b801de6101ec9fa28ed168cf5a48ba728;p=thirdparty%2Ftornado.git

SSLIOStream: Handle CertificateErrors like other errors

Fixes: tornadoweb/tornado#2689
---

diff --git a/tornado/iostream.py b/tornado/iostream.py
index 23ad0da3d..447088faf 100644
--- a/tornado/iostream.py
+++ b/tornado/iostream.py
@@ -1387,6 +1387,10 @@ class SSLIOStream(IOStream):
                 )
                 return self.close(exc_info=err)
             raise
+        except ssl.CertificateError as err:
+            # CertificateError can happen during handshake (hostname
+            # verification) and should be passed to user
+            return self.close(exc_info=err)
         except socket.error as err:
             # Some port scans (e.g. nmap in -sT mode) have been known
             # to cause do_handshake to raise EBADF and ENOTCONN, so make