bunny-lab/Borealis-Github-Replica
1
0
Fork 0
mirror of https://github.com/bunny-lab-io/Borealis.git synced 2025-10-26 17:41:58 -06:00
Code Issues Packages Projects Releases Wiki Activity

Fix Socket.IO TLS context for pinned certificates

Browse Source
This commit is contained in:
Nicole Rappe
2025-10-18 05:31:12 -06:00
parent 3a71cc4c42
commit 45ac0dc7a4
1 changed files with 8 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
Data/Agent/agent.py
View File

@@ -931,8 +931,15 @@ class AgentHttpClient:
context = None context = None
if isinstance(verify, str) and os.path.isfile(verify): if isinstance(verify, str) and os.path.isfile(verify):
try: try:
context = ssl.create_default_context(cafile=verify) # ``create_default_context`` expects a proper CA bundle and
# will reject self-signed leaf certificates that we pin on
# disk. Build a dedicated client context instead and load
# the pinned certificate as a trust anchor so the SYSTEM
# agent can complete TLS handshakes identical to Requests.
context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
context.check_hostname = False context.check_hostname = False
context.verify_mode = ssl.CERT_REQUIRED
context.load_verify_locations(cafile=verify)
_log_agent( _log_agent(
f"SocketIO TLS alignment created SSLContext from cafile={verify}", f"SocketIO TLS alignment created SSLContext from cafile={verify}",
fname="agent.log", fname="agent.log",