Add a config variable for users to set expected CN when using CA verification #72

Merged
merged 1 commit into from
Jun 3, 2024
7 changes: 6 additions & 1 deletion docs/configuration.md
Expand Up @@ -140,6 +140,11 @@ PyTAK can send & receive data over TLS by setting the following configuration pa
Path to a file containing the CA Trust Store to use for remote certificate verification.


* **`PYTAK_TLS_SERVER_EXPECTED_HOSTNAME`** (optional)

Expected hostname or CN of the connected server. Not used unless verifying hostname.


* **`PYTAK_TLS_CLIENT_CIPHERS`** (optional)
* Default: ``ALL``

Expand All @@ -152,4 +157,4 @@ PyTAK can send & receive data over TLS by setting the following configuration pa

* **`PYTAK_TLS_CLIENT_PASSWORD`** (optional)

Password for PKCS#12 (.p12) password protected certificates or password protected Private Keys.
Password for PKCS#12 (.p12) password protected certificates or password protected Private Keys.
7 changes: 6 additions & 1 deletion pytak/client_functions.py
Expand Up @@ -227,6 +227,8 @@ async def protocol_factory( # NOQA pylint: disable=too-many-locals,too-many-bra
client_cafile = tls_config.get("PYTAK_TLS_CLIENT_CAFILE")
client_password = tls_config.get("PYTAK_TLS_CLIENT_PASSWORD")

expected_server_hostname = tls_config.get("PYTAK_TLS_SERVER_EXPECTED_HOSTNAME")

# Default cipher suite: ALL.
# Also available in FIPS: DEFAULT_FIPS_CIPHERS
client_ciphers = tls_config.get("PYTAK_TLS_CLIENT_CIPHERS") or "ALL"
Expand Down Expand Up @@ -267,6 +269,7 @@ async def protocol_factory( # NOQA pylint: disable=too-many-locals,too-many-bra
warnings.warn(
"TLS CN/Hostname Check DISABLED by PYTAK_TLS_DONT_CHECK_HOSTNAME."
)
expected_server_hostname = None
ssl_ctx.check_hostname = False

# Default to verifying cert:
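Review bot: Setting `expected_server_hostname = None` under the `PYTAK_TLS_DONT_CHECK_HOSTNAME` branch does more than skip the name check: `server_hostname` is also the value asyncio uses for SNI, so a user who configures the expected hostname and then disables checking will have SNI silently fall back to the connection host. If the intent is only to turn off verification, `ssl_ctx.check_hostname = False` already does that and the configured value can still be passed through unchanged.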
Expand All @@ -277,7 +280,9 @@ async def protocol_factory( # NOQA pylint: disable=too-many-locals,too-many-bra
ssl_ctx.verify_mode = ssl.CERT_NONE

try:
reader, writer = await asyncio.open_connection(host, port, ssl=ssl_ctx)
reader, writer = await asyncio.open_connection(
host, port, ssl=ssl_ctx, server_hostname=expected_server_hostname
)
except ssl.SSLCertVerificationError as exc:
raise SyntaxError(
"Consider setting PYTAK_TLS_DONT_CHECK_HOSTNAME=1 ?"
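Review bot: Now that `server_hostname=expected_server_hostname` is wired into `open_connection`, the hint raised on `ssl.SSLCertVerificationError` (`"Consider setting PYTAK_TLS_DONT_CHECK_HOSTNAME=1 ?"`) should point users at `PYTAK_TLS_SERVER_EXPECTED_HOSTNAME` first. A name mismatch is exactly the case this PR addresses, and setting the expected name keeps certificate verification on instead of nudging users to disable it.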
1 change: 1 addition & 0 deletions pytak/constants.py
Expand Up @@ -78,6 +78,7 @@
"PYTAK_TLS_DONT_CHECK_HOSTNAME",
"PYTAK_TLS_DONT_VERIFY",
"PYTAK_TLS_CLIENT_PASSWORD",
"PYTAK_TLS_SERVER_EXPECTED_HOSTNAME",
]

DEFAULT_IMPORT_OTHER_CONFIGS: str = "0"