Verify TLS chain of trust, warn user if it fails.

xloem · xloem · commit e4d7fcba4ef7 · 2022-02-20T12:35:04.000-05:00
diff --git a/electrumx/server/peers.py b/electrumx/server/peers.py
@@ -265,7 +265,7 @@ async def _should_drop_peer(self, peer):
 
             kwargs = {'family': family}
             if kind == 'SSL':
-                kwargs['ssl'] = ssl.SSLContext(ssl.PROTOCOL_TLS)
+                kwargs['ssl'] = True
 
             if self.env.force_proxy or peer.is_tor:
                 if not self.proxy:
@@ -283,10 +283,18 @@ async def _should_drop_peer(self, peer):
 
             peer_text = f'[{peer}:{port} {kind}]'
             try:
-                async with connect_rs(peer.host, port, session_factory=PeerSession,
-                                      **kwargs) as session:
-                    session.sent_request_timeout = 120 if peer.is_tor else 30
-                    await self._verify_peer(session, peer)
+                try:
+                    async with connect_rs(peer.host, port, session_factory=PeerSession,
+                                          **kwargs) as session:
+                        session.sent_request_timeout = 120 if peer.is_tor else 30
+                        await self._verify_peer(session, peer)
+                except ssl.SSLCertVerificationError as e:
+                    self.logger.warn(e)
+                    kwargs['ssl'] = ssl.SSLContext(ssl.PROTOCOL_TLS)
+                    async with connect_rs(peer.host, port, session_factory=PeerSession,
+                                          **kwargs) as session:
+                        session.sent_request_timeout = 120 if peer.is_tor else 30
+                        await self._verify_peer(session, peer)
                 is_good = True
                 break
             except BadPeerError as e:
