Merge pull request #487 from stgraber/master

Ignore hostname when verify certificate is passed
canonical · Oct 8, 2021 · c5db7ad · c5db7ad
2 parents bf91f63 + 38024dd
commit c5db7ad
Showing 1 changed file with 15 additions and 0 deletions.
diff --git a/pylxd/client.py b/pylxd/client.py
@@ -20,6 +20,8 @@
 
 import requests
 import requests_unixsocket
+from cryptography import x509
+from cryptography.hazmat.primitives import hashes
 from ws4py.client import WebSocketBaseClient
 
 from pylxd import exceptions, managers
@@ -60,6 +62,16 @@ class EventType(Enum):
     Lifecycle = "lifecycle"
 
 
+class LXDSSLAdapter(requests.adapters.HTTPAdapter):
+    def cert_verify(self, conn, url, verify, cert):
+        with open(verify, "rb") as fd:
+            servercert = x509.load_pem_x509_certificate(fd.read())
+            fingerprint = servercert.fingerprint(hashes.SHA256())
+
+        conn.assert_fingerprint = "".join([f"{i:02x}" for i in fingerprint])
+        super().cert_verify(conn, url, False, cert)
+
+
 class _APINode:
     """An api node object."""
 
@@ -77,6 +89,9 @@ def __init__(
             self.session.cert = cert
             self.session.verify = verify
 
+            if isinstance(verify, str):
+                self.session.mount(api_endpoint, LXDSSLAdapter())
+
     def __getattr__(self, name):
         """Converts attribute lookup into the next /<segment> of an api
         url.