From 9dfada45253f0ebcb8034825823f0789166391e2 Mon Sep 17 00:00:00 2001
From: xloem <0xloem@gmail.com>
Date: Sun, 20 Feb 2022 12:11:53 -0500
Subject: [PATCH] Verify TLS chain of trust, warn user if it fails.

---
 electrumx/server/peers.py | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/electrumx/server/peers.py b/electrumx/server/peers.py
index dbd53dc36..7f49c73c4 100644
--- a/electrumx/server/peers.py
+++ b/electrumx/server/peers.py
@@ -265,7 +265,7 @@ async def _should_drop_peer(self, peer):
 
             kwargs = {'family': family}
             if kind == 'SSL':
-                kwargs['ssl'] = ssl.SSLContext(ssl.PROTOCOL_TLS)
+                kwargs['ssl'] = True
 
             if self.env.force_proxy or peer.is_tor:
                 if not self.proxy:
@@ -283,10 +283,19 @@ async def _should_drop_peer(self, peer):
 
             peer_text = f'[{peer}:{port} {kind}]'
             try:
-                async with connect_rs(peer.host, port, session_factory=PeerSession,
-                                      **kwargs) as session:
-                    session.sent_request_timeout = 120 if peer.is_tor else 30
-                    await self._verify_peer(session, peer)
+                try:
+                    async with connect_rs(peer.host, port, session_factory=PeerSession,
+                                          **kwargs) as session:
+                        session.sent_request_timeout = 120 if peer.is_tor else 30
+                        await self._verify_peer(session, peer)
+                except ssl.SSLCertVerificationError as e:
+                    self.logger.warn(f'{peer.host} {e}')
+                    self.logger.warn(f'Please ask {peer.host} to properly configure with a CA such as letsencrypt.org')
+                    kwargs['ssl'] = ssl.SSLContext(ssl.PROTOCOL_TLS)
+                    async with connect_rs(peer.host, port, session_factory=PeerSession,
+                                          **kwargs) as session:
+                        session.sent_request_timeout = 120 if peer.is_tor else 30
+                        await self._verify_peer(session, peer)
                 is_good = True
                 break
             except BadPeerError as e:
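Review bot: The fallback at the end of the second hunk reconnects with `ssl.SSLContext(ssl.PROTOCOL_TLS)` — no CA check, no hostname check — whenever the verified attempt raises `SSLCertVerificationError`, so a certificate that fails to verify is never actually rejected and an active attacker presenting any self-signed certificate gets exactly the treatment a legitimately self-signed peer gets; what the commit adds is a log line, not a chain of trust. If the intent is only to nudge operators, say so on the `except` line, e.g. `# Verification is advisory: most electrum peers are self-signed, so retry once unverified and only warn`, and consider gating the unverified retry on an operator setting so a deployment can opt into enforcement. The retry also has a cost: a `peer.is_tor` host cannot pass CA verification with `ssl=True` (to my knowledge Let's Encrypt does not issue for .onion names), so every Tor SSL peer now pays two TLS handshakes through the proxy plus a spurious warning, which skipping the verified attempt when `peer.is_tor` is set would avoid. Minor: `logger.warn` is deprecated in favour of `logger.warning`, and the message is easier to correlate with the neighbouring log lines using the existing prefix, e.g. `self.logger.warning(f'{peer_text} certificate did not verify, retrying unverified: {e}')`. `_should_drop_peer` continues past the hunk, with the remaining `except` clauses outside it.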