Verify TLS certificate during XMPP connection. #1084
76be5c4 to 0a30d0b
Codecov Report
@@ Coverage Diff @@
## trunk #1084 +/- ##
==========================================
- Coverage 91.98% 91.57% -0.41%
==========================================
Files 844 844
Lines 151099 151390 +291
Branches 13162 13252 +90
==========================================
- Hits 138989 138640 -349
- Misses 10007 10624 +617
- Partials 2103 2126 +23
0a30d0b to 4cecff0
A new "check_certificate" attribute has been introduced in t.w.p.j.xmlstream.TLSInitiatingInitializer. A new "check_certificate" init argument has been introduced in t.w.p.j.client.BasicAuthenticator and t.w.p.j.client.XMPPAuthenticator.
4cecff0 to adbe5db
This seems like a good change, I certainly agree that the current default behavior is surprising in a bad way, and the default behavior should be to verify the server's cert against However, if I don't want the default behavior, I probably don't want my only alternative to be not to verify anything at all. Most likely I want to trust some private CA or a pinned certificate. Maybe I want to supply a client cert or something. What about letting the user supply a
Hello @wiml, yes, this makes sense. I'll do an update later today or this week. Thanks for your feedback.
Hello, just a ping to show I haven't forgotten about this PR, I have been overwhelmed lately. I'll update my PR hopefully soon.
@goffi-contrib I'm looking at this here at the PyCon sprints. Besides feelings of regret towards some design decisions I made when this code was created (including subclassing instead of composition), not verifying is a result of me misunderstanding how this is supposed to work. Initial observations below.
Closed by merging #1147.
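The three trust policies raised in the review comment above (platform trust by default, a private CA, a pinned certificate), shown with Python's standard-library ssl module rather than Twisted's API. This is an added example, not code from this pull request; the names client_context, fingerprint and verify_pin are hypothetical.

```python
import hashlib
import hmac
import ssl


def client_context(private_ca_pem=None, pinned=False):
    """Build a client-side TLS context for one of three trust policies."""
    if pinned:
        # Pinning replaces chain validation: the handshake accepts any
        # certificate, so verify_pin() must run before any data is sent.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False  # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    if private_ca_pem is not None:
        # Trust only the supplied CA (PEM text), not the platform store.
        # PROTOCOL_TLS_CLIENT keeps chain and hostname checks enabled.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.load_verify_locations(cadata=private_ca_pem)
        return ctx
    # Default: platform trust store, chain and hostname both checked.
    return ssl.create_default_context()


def fingerprint(der_cert):
    """SHA-256 digest (hex) of a DER-encoded certificate."""
    return hashlib.sha256(der_cert).hexdigest()


def verify_pin(der_cert, pinned_sha256_hex):
    """Raise unless the peer certificate (DER bytes) matches the pin."""
    if not der_cert:
        raise ssl.SSLCertVerificationError("peer presented no certificate")
    actual = fingerprint(der_cert)
    if not hmac.compare_digest(actual, pinned_sha256_hex.lower()):
        raise ssl.SSLCertVerificationError("peer certificate does not match pin")
    return True
```

With the pinned policy, the DER bytes come from `getpeercert(binary_form=True)` on the wrapped socket once the handshake completes.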