From e920a3c681ce30791ce74492ec7321f50f60e8f5 Mon Sep 17 00:00:00 2001
From: Natalia Serrano
Date: Wed, 21 May 2025 17:36:13 +0200
Subject: [PATCH] refs #2055 make TLS checks optional for the server
---
 src/opengnsys/httpserver.py | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/src/opengnsys/httpserver.py b/src/opengnsys/httpserver.py
index 1e612ec..de561c1 100644
--- a/src/opengnsys/httpserver.py
+++ b/src/opengnsys/httpserver.py
@@ -42,6 +42,7 @@ from six.moves.urllib.parse import unquote # @UnresolvedImport
 from .utils import exceptionToMessage
 from .log import logger
+VERIFY_TLS=True
 class HTTPServerHandler(BaseHTTPRequestHandler):
 service = None
@@ -159,11 +160,16 @@ class HTTPServerThread(threading.Thread):
 context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
 context.load_cert_chain(certfile='/opt/opengnsys/etc/ogagent.crt', keyfile='/opt/opengnsys/etc/ogagent.key')
 context.load_verify_locations(cafile='/opt/opengnsys/etc/ca.crt')
+ if VERIFY_TLS:
+ context.verify_mode = ssl.CERT_REQUIRED
+ context.verify_flags &= ssl.VERIFY_X509_STRICT
+ else:
+ context.verify_mode = ssl.CERT_NONE
+ context.verify_flags &= ~ssl.VERIFY_X509_STRICT
+
 s = context.cert_store_stats()
 if 'x509_ca' in s: logger.debug (f'{s['x509_ca']} CAs loaded')
 if 'x509' in s: logger.debug (f'{s['x509']} certs loaded')
- context.verify_mode = ssl.CERT_REQUIRED
- context.verify_flags &= ssl.VERIFY_X509_STRICT
 self.server.socket = context.wrap_socket(self.server.socket, server_side=True)
 logger.debug('Initialized HTTPS Server thread on {}'.format(address))
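Review bot: In the VERIFY_TLS branch of the second hunk, `context.verify_flags &= ssl.VERIFY_X509_STRICT` cannot enable strict X.509 checking, because `&=` only clears bits; whether strict mode is actually on after this line depends entirely on the interpreter's default verify_flags, which presumably is not what the code intends, so it should read `context.verify_flags |= ssl.VERIFY_X509_STRICT` (the `else` branch's `&= ~ssl.VERIFY_X509_STRICT` is fine as a clear). The `else` branch sets `verify_mode = ssl.CERT_NONE` on a server-side context, which switches off client-certificate authentication for every connection to this HTTPS server while the surrounding lines still log how many CAs were loaded, so that branch should at least emit `logger.warning('VERIFY_TLS is False: client certificates are not verified')` rather than only debug output. `VERIFY_TLS=True` in the first hunk would also benefit from a one-line comment stating that setting it to False disables client-certificate verification on the agent's HTTPS listener, since nothing at the definition says what is given up. The enclosing method of HTTPServerThread starts outside the hunk.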