Removed a bunch of unnecessary certificate checks.
parent
37e2c671e4
commit
292a68fc23
26
av98.py
26
av98.py
|
@ -775,32 +775,6 @@ you'll be able to transparently follow links to Gopherspace!""")
|
||||||
# the standard ssl library...
|
# the standard ssl library...
|
||||||
c = x509.load_der_x509_certificate(cert, _BACKEND)
|
c = x509.load_der_x509_certificate(cert, _BACKEND)
|
||||||
|
|
||||||
# Check certificate validity dates
|
|
||||||
if c.not_valid_before >= now:
|
|
||||||
raise CertificateError("Certificate not valid until: {}!".format(c.not_valid_before))
|
|
||||||
elif c.not_valid_after <= now:
|
|
||||||
raise CertificateError("Certificate expired as of: {})!".format(c.not_valid_after))
|
|
||||||
|
|
||||||
# Check certificate hostnames
|
|
||||||
names = []
|
|
||||||
common_name = c.subject.get_attributes_for_oid(x509.oid.NameOID.COMMON_NAME)
|
|
||||||
if common_name:
|
|
||||||
names.append(common_name[0].value)
|
|
||||||
try:
|
|
||||||
names.extend([alt.value for alt in c.extensions.get_extension_for_oid(x509.oid.ExtensionOID.SUBJECT_ALTERNATIVE_NAME).value])
|
|
||||||
except x509.ExtensionNotFound:
|
|
||||||
pass
|
|
||||||
names = set(names)
|
|
||||||
for name in names:
|
|
||||||
try:
|
|
||||||
ssl._dnsname_match(name, host)
|
|
||||||
break
|
|
||||||
except CertificateError:
|
|
||||||
continue
|
|
||||||
else:
|
|
||||||
# If we didn't break out, none of the names were valid
|
|
||||||
raise CertificateError("Hostname does not match certificate common name or any alternative names.")
|
|
||||||
|
|
||||||
sha = hashlib.sha256()
|
sha = hashlib.sha256()
|
||||||
sha.update(cert)
|
sha.update(cert)
|
||||||
fingerprint = sha.hexdigest()
|
fingerprint = sha.hexdigest()
|
||||||
|
|
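Review bot: After the `x509.load_der_x509_certificate(cert, _BACKEND)` call, nothing in this section ties the certificate to `host` or to the current time any more, so an expired certificate or one issued for a different name now reaches the SHA-256 fingerprint step unchallenged. That leaves the fingerprint comparison, which presumably follows outside this hunk, as the only control, and it cannot protect the first connection to a host, when no stored fingerprint exists yet. If this is the intended trust-on-first-use policy, say so at the site, e.g. `# Hostname and validity dates are deliberately not checked; trust rests on the pinned SHA-256 fingerprint below.`, and consider reporting an expired or mismatched certificate to the user as a warning instead of dropping the check silently. The enclosing function starts and ends outside the hunk, and `c` is not used again in the visible lines, so the parse may now be dead code.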