CVE-2016-9015: Correct set verify flags.

This error, introduced in 1.17, causes users using OpenSSL 1.1.0 along with PyOpenSSL to silently fail to validate certificates. This is an alarming failure mode, and is currently being worked on as part of OpenSSL 1.1.0: openssl/openssl#1793 This patch will be merged into master in a different form, as part of a general testing cleanup. The flaw was discovered by Cory Benfield, and was in fact caught by urllib3's test suite: it just happens that we hadn't tested that particular software configuration before releasing 1.17.
urllib3 · Oct 27, 2016 · c32cdbc · c32cdbc
1 parent 7d01b99
commit c32cdbc
Showing 1 changed file with 9 additions and 4 deletions.
diff --git a/urllib3/contrib/pyopenssl.py b/urllib3/contrib/pyopenssl.py
@@ -88,12 +88,15 @@
 except AttributeError:
     pass
 
-_openssl_verify = {
+_stdlib_to_openssl_verify = {
     ssl.CERT_NONE: OpenSSL.SSL.VERIFY_NONE,
     ssl.CERT_OPTIONAL: OpenSSL.SSL.VERIFY_PEER,
     ssl.CERT_REQUIRED:
         OpenSSL.SSL.VERIFY_PEER + OpenSSL.SSL.VERIFY_FAIL_IF_NO_PEER_CERT,
 }
+_openssl_to_stdlib_verify = dict(
+    (v, k) for k, v in _stdlib_to_openssl_verify.items()
+)
 
 #: The list of supported SSL/TLS cipher suites.
 DEFAULT_SSL_CIPHER_LIST = util.ssl_.DEFAULT_CIPHERS.encode('ascii')
@@ -367,11 +370,13 @@ def options(self, value):
 
     @property
     def verify_mode(self):
-        return self._ctx.get_verify_mode()
+        return _openssl_to_stdlib_verify[self._ctx.get_verify_mode()]
 
     @verify_mode.setter
     def verify_mode(self, value):
-        self._ctx.set_verify(value, _verify_callback)
+        self._ctx.set_verify(
+            _stdlib_to_openssl_verify[value], _verify_callback
+        )
 
     def set_default_verify_paths(self):
         self._ctx.set_default_verify_paths()
@@ -440,7 +445,7 @@ def ssl_wrap_socket(sock, keyfile=None, certfile=None, cert_reqs=None,
     if keyfile:
         ctx.use_privatekey_file(keyfile)
     if cert_reqs != ssl.CERT_NONE:
-        ctx.set_verify(_openssl_verify[cert_reqs], _verify_callback)
+        ctx.set_verify(_stdlib_to_openssl_verify[cert_reqs], _verify_callback)
     if ca_certs or ca_cert_dir:
         try:
             ctx.load_verify_locations(ca_certs, ca_cert_dir)