From: Ben Darnell
Date: Tue, 15 Feb 2011 03:48:25 +0000 (-0800)
Subject: Part 1 of certificate validation: Require that the cert be signed by a CA.
X-Git-Tag: v1.2.0~27
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cfa8857b819579170a7fc949bcf8c27cca040215;p=thirdparty%2Ftornado.git
Part 1 of certificate validation: Require that the cert be signed by a CA.
---
diff --git a/tornado/iostream.py b/tornado/iostream.py
index 0d19af358..3cbd9b65e 100644
--- a/tornado/iostream.py
+++ b/tornado/iostream.py
@@ -382,6 +382,12 @@ class SSLIOStream(IOStream):
 wrapped when IOStream.connect is finished.
 """
 def __init__(self, *args, **kwargs):
+ """Creates an SSLIOStream.
+
+ If a dictionary is provided as keyword argument ssl_options,
+ it will be used as additional keyword arguments to ssl.wrap_socket.
+ """
+ self._ssl_options = kwargs.pop('ssl_options', {})
 super(SSLIOStream, self).__init__(*args, **kwargs)
 self._ssl_accepting = True
 
@@ -423,9 +429,9 @@ class SSLIOStream(IOStream):
 super(SSLIOStream, self)._handle_write()
 
 def _handle_connect(self):
- # TODO(bdarnell): cert verification, etc
 self.socket = ssl.wrap_socket(self.socket,
- do_handshake_on_connect=False)
+ do_handshake_on_connect=False,
+ **self._ssl_options)
 # Don't call the superclass's _handle_connect (which is responsible
 # for telling the application that the connection is complete)
 # until we've completed the SSL handshake (so certificates are
diff --git a/tornado/simple_httpclient.py b/tornado/simple_httpclient.py
index 8fa4e7e28..c23def6cf 100644
--- a/tornado/simple_httpclient.py
+++ b/tornado/simple_httpclient.py
@@ -13,6 +13,7 @@ import contextlib
 import errno
 import functools
 import logging
+import os.path
 import re
 import socket
 import time
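Review bot: The `ssl.wrap_socket` call in `_handle_connect` is where any problem with the caller-supplied `ssl_options` surfaces — an unknown keyword raises `TypeError` and an unreadable `ca_certs` path typically raises `ssl.SSLError` — and it does so inside the IOLoop callback rather than when the stream was constructed; the remainder of `_handle_connect` lies outside the hunk, so whether those exceptions are caught there is not visible here. Since the removed TODO was the only pointer to the remaining validation work, I would replace it with a statement of what this call does and does not check: `# cert_reqs=CERT_REQUIRED (when passed via ssl_options) verifies the chain only;` / `# the peer's hostname is not matched against the certificate at this point.` The dict is also kept by reference in `__init__` (previous hunk), so a caller mutating it after construction changes what is passed here, which the new docstring could mention.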
@@ -142,9 +143,13 @@ class _HTTPConnection(object):
 host = self.client.hostname_mapping.get(host, host)
 if parsed.scheme == "https":
- # TODO: cert verification, etc
+ ssl_options = dict(
+ cert_reqs=ssl.CERT_REQUIRED,
+ ca_certs=os.path.dirname(__file__) + '/ca-certificates.crt',
+ )
 self.stream = SSLIOStream(socket.socket(),
- io_loop=self.io_loop)
+ io_loop=self.io_loop,
+ ssl_options=ssl_options)
 else:
 self.stream = IOStream(socket.socket(),
 io_loop=self.io_loop)
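Review bot: `ca_certs=os.path.dirname(__file__) + '/ca-certificates.crt'` builds the trust-store path by string concatenation; when `__file__` carries no directory component `dirname` returns `''` and the result becomes the root path `/ca-certificates.crt`, so prefer `ca_certs=os.path.join(os.path.dirname(__file__), 'ca-certificates.crt'),`. The `ssl` name used for `ssl.CERT_REQUIRED` does not appear among the alphabetical imports shown in the preceding hunk (`socket` is followed directly by `time`), so it is presumably bound by a guarded import elsewhere in the module — worth confirming, because if that import falls back to `None` this branch fails with an `AttributeError` at request time. The bundled file is now the sole trust anchor for every https request, so a one-line comment noting its provenance and that it must be kept current would help maintainers. The enclosing method begins before this hunk and continues after it.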