authorKen Giusti <kgiusti@apache.org>2014-07-18 15:21:37 +0000
committerKen Giusti <kgiusti@apache.org>2014-07-18 15:21:37 +0000
commit5765f0e29b2d14a923ec4d34bc847295f4a57353 (patch)
treea2f2b6ec6b4868886981f41fe311f7667c818c5d /qpid/python
parent581176503d1ebfe9cb7380ffe41e1da269bb1de5 (diff)
QPID-5894: force cert checking if user specifically asks to verify the remote's hostname.
git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk@1611670 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'qpid/python')
-rw-r--r--qpid/python/qpid/messaging/endpoints.py2
-rw-r--r--qpid/python/qpid/messaging/transports.py5
2 files changed, 7 insertions, 0 deletions
diff --git a/qpid/python/qpid/messaging/endpoints.py b/qpid/python/qpid/messaging/endpoints.py
index 5b10fbd9f1..300e0fd657 100644
--- a/qpid/python/qpid/messaging/endpoints.py
+++ b/qpid/python/qpid/messaging/endpoints.py
@@ -182,6 +182,8 @@ class Connection(Endpoint):
self.ssl_keyfile = default(self.ssl_keyfile, None)
self.ssl_certfile = default(self.ssl_certfile, None)
self.ssl_trustfile = default(self.ssl_trustfile, None)
+ # if ssl_skip_hostname_check was not explicitly set, this will be None
+ self._ssl_skip_hostname_check_actual = options.get("ssl_skip_hostname_check")
self.ssl_skip_hostname_check = default(self.ssl_skip_hostname_check, False)
self.client_properties = default(self.client_properties, {})
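Review bot: `_ssl_skip_hostname_check_actual` is a one-time snapshot of `options` taken at construction, so a caller who later assigns `conn.ssl_skip_hostname_check = False` on the object leaves the snapshot at None and the forced certificate check in transports.py never triggers. The comment should also say why the raw value is kept, e.g. `# raw option (None if unset); transports.py uses it to force CERT_REQUIRED when the caller explicitly asked for the hostname check`. The enclosing method starts and ends outside this hunk, so whether the option can reach the connection by another path is not visible here.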
diff --git a/qpid/python/qpid/messaging/transports.py b/qpid/python/qpid/messaging/transports.py
index fd909f247c..f39c256d02 100644
--- a/qpid/python/qpid/messaging/transports.py
+++ b/qpid/python/qpid/messaging/transports.py
@@ -109,6 +109,11 @@ else:
else:
validate = CERT_NONE
+ # if user manually set flag to false then require cert
+ actual = getattr(conn, "_ssl_skip_hostname_check_actual", None)
+ if actual is not None and conn.ssl_skip_hostname_check is False:
+ validate = CERT_REQUIRED
+
self.tls = wrap_socket(self.socket, keyfile=conn.ssl_keyfile,
certfile=conn.ssl_certfile,
ca_certs=conn.ssl_trustfile,
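Review bot: The added `if` tests `conn.ssl_skip_hostname_check is False`, an identity comparison, so an explicit falsy value that is not the bool False (a constructed example: `ssl_skip_hostname_check=0`) leaves `validate` at CERT_NONE and the peer certificate goes unverified. `if actual is not None and not conn.ssl_skip_hostname_check:` fails closed for those values. When this branch forces CERT_REQUIRED while `conn.ssl_trustfile` is unset, `wrap_socket` receives `ca_certs=None` and will presumably fail with a low-level SSL error; raising an explicit error that names the missing trustfile would be easier to diagnose. The surrounding block and the `wrap_socket` call continue outside the hunk.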