refs #2055 make TLS checks optional for the server

2025-05-21 17:36:13 +02:00 · 2025-05-21 17:36:13 +02:00 · e920a3c681
parent 921706e9f0
commit e920a3c681
1 changed files with 8 additions and 2 deletions
--- a/src/opengnsys/httpserver.py
+++ b/src/opengnsys/httpserver.py
@ -42,6 +42,7 @@ from six.moves.urllib.parse import unquote  # @UnresolvedImport
 from .utils import exceptionToMessage
 from .log import logger

+VERIFY_TLS=True

 class HTTPServerHandler(BaseHTTPRequestHandler):
    service = None
@ -159,11 +160,16 @@ class HTTPServerThread(threading.Thread):
        context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        context.load_cert_chain(certfile='/opt/opengnsys/etc/ogagent.crt', keyfile='/opt/opengnsys/etc/ogagent.key')
        context.load_verify_locations(cafile='/opt/opengnsys/etc/ca.crt')
+        if VERIFY_TLS:
+            context.verify_mode = ssl.CERT_REQUIRED
+            context.verify_flags &= ssl.VERIFY_X509_STRICT
+        else:
+            context.verify_mode = ssl.CERT_NONE
+            context.verify_flags &= ~ssl.VERIFY_X509_STRICT
+
        s = context.cert_store_stats()
        if 'x509_ca' in s: logger.debug (f'{s['x509_ca']} CAs loaded')
        if 'x509'    in s: logger.debug (f'{s['x509']} certs loaded')
-        context.verify_mode = ssl.CERT_REQUIRED
-        context.verify_flags &= ssl.VERIFY_X509_STRICT
        self.server.socket = context.wrap_socket(self.server.socket, server_side=True)

        logger.debug('Initialized HTTPS Server thread on {}'.format(address))