From b746799b801de6101ec9fa28ed168cf5a48ba728 Mon Sep 17 00:00:00 2001
From: Martijn van Oosterhout <oosterhout@fox-it.com>
Date: Tue, 25 Jun 2019 18:25:33 +0200
Subject: [PATCH] SSLIOStream: Handle CertificateErrors like other errors

Fixes: tornadoweb/tornado#2689
---
 tornado/iostream.py | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/tornado/iostream.py b/tornado/iostream.py
index 23ad0da3d..447088faf 100644
--- a/tornado/iostream.py
+++ b/tornado/iostream.py
@@ -1387,6 +1387,10 @@ class SSLIOStream(IOStream):
                 )
                 return self.close(exc_info=err)
             raise
+        except ssl.CertificateError as err:
+            # CertificateError can happen during handshake (hostname
+            # verification) and should be passed to user
+            return self.close(exc_info=err)
         except socket.error as err:
             # Some port scans (e.g. nmap in -sT mode) have been known
             # to cause do_handshake to raise EBADF and ENOTCONN, so make
-- 
2.47.2