Part 1 of certificate validation: Require that the cert be signed by …

…a CA.
tornadoweb · Feb 15, 2011 · cfa8857 · cfa8857
1 parent d14cb06
commit cfa8857
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 4 deletions.
diff --git a/tornado/iostream.py b/tornado/iostream.py
@@ -382,6 +382,12 @@ class SSLIOStream(IOStream):
     wrapped when IOStream.connect is finished.
     """
     def __init__(self, *args, **kwargs):
+        """Creates an SSLIOStream.
+
+        If a dictionary is provided as keyword argument ssl_options,
+        it will be used as additional keyword arguments to ssl.wrap_socket.
+        """
+        self._ssl_options = kwargs.pop('ssl_options', {})
         super(SSLIOStream, self).__init__(*args, **kwargs)
         self._ssl_accepting = True
 
@@ -423,9 +429,9 @@ def _handle_write(self):
         super(SSLIOStream, self)._handle_write()
 
     def _handle_connect(self):
-        # TODO(bdarnell): cert verification, etc
         self.socket = ssl.wrap_socket(self.socket,
-                                      do_handshake_on_connect=False)
+                                      do_handshake_on_connect=False,
+                                      **self._ssl_options)
         # Don't call the superclass's _handle_connect (which is responsible
         # for telling the application that the connection is complete)
         # until we've completed the SSL handshake (so certificates are

diff --git a/tornado/simple_httpclient.py b/tornado/simple_httpclient.py
@@ -13,6 +13,7 @@
 import errno
 import functools
 import logging
+import os.path
 import re
 import socket
 import time
@@ -142,9 +143,13 @@ def __init__(self, io_loop, client, request, callback):
                 host = self.client.hostname_mapping.get(host, host)
 
             if parsed.scheme == "https":
-                # TODO: cert verification, etc
+                ssl_options = dict(
+                    cert_reqs=ssl.CERT_REQUIRED,
+                    ca_certs=os.path.dirname(__file__) + '/ca-certificates.crt',
+                    )
                 self.stream = SSLIOStream(socket.socket(),
-                                          io_loop=self.io_loop)
+                                          io_loop=self.io_loop,
+                                          ssl_options=ssl_options)
             else:
                 self.stream = IOStream(socket.socket(),
                                        io_loop=self.io_loop)