From 63fa470a3f69597e18704d11340377cee5246695 Mon Sep 17 00:00:00 2001
From: jesopo
Date: Thu, 2 Apr 2020 22:43:34 +0100
Subject: [PATCH] add ConnectionParams.ssl_verify

---
 ircrobots/params.py | 3 ++-
 ircrobots/security.py | 13 +++++++++++++
 ircrobots/server.py | 11 +++++++----
 3 files changed, 22 insertions(+), 5 deletions(-)
 create mode 100644 ircrobots/security.py

diff --git a/ircrobots/params.py b/ircrobots/params.py
index 17c4fa0..b522773 100644
--- a/ircrobots/params.py
+++ b/ircrobots/params.py
@@ -31,4 +31,5 @@ class ConnectionParams(object):
     realname: Optional[str] = None
     bindhost: Optional[str] = None
-    sasl: Optional[SASLParams] = None
+    ssl_verify: bool = True
+    sasl: Optional[SASLParams] = None
diff --git a/ircrobots/security.py b/ircrobots/security.py
new file mode 100644
index 0000000..0282866
--- /dev/null
+++ b/ircrobots/security.py
@@ -0,0 +1,13 @@
+import ssl
+
+def ssl_context(verify: bool=True) -> ssl.SSLContext:
+    context = ssl.SSLContext(ssl.PROTOCOL_TLS)
+    context.options |= ssl.OP_NO_SSLv2
+    context.options |= ssl.OP_NO_SSLv3
+    context.options |= ssl.OP_NO_TLSv1
+    context.load_default_certs()
+
+    if verify:
+        context.verify_mode = ssl.CERT_REQUIRED
+
+    return context
diff --git a/ircrobots/server.py b/ircrobots/server.py
index 4455293..4db013f 100644
--- a/ircrobots/server.py
+++ b/ircrobots/server.py
@@ -1,4 +1,5 @@
-import asyncio, ssl
+import asyncio
+from ssl import SSLContext
 from asyncio import Future, PriorityQueue
 from typing import Awaitable, List, Optional, Set, Tuple
 
@@ -11,8 +12,7 @@ from .interface import (ConnectionParams, ICapability, IServer, PriorityLine,
     SendPriority)
 from .matching import BaseResponse
 from .sasl import SASLContext, SASLResult
-
-sc = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
+from .security import ssl_context
 
 THROTTLE_RATE = 4 # lines
 THROTTLE_TIME = 2 # seconds
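Review bot: The new `ssl_verify` field on ConnectionParams carries no comment, so its effect is only discoverable by reading security.py, where `False` leaves the context's `verify_mode` at its default (no certificate check at all). A one-line comment on the field would make the trade-off visible at the point of configuration: `ssl_verify: bool = True  # validate the server's TLS certificate; False disables the check entirely`. The rest of the ConnectionParams class lies outside the hunk.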
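Review bot: With `verify=True` the new `ssl_context` checks the certificate chain but never the hostname: `ssl.SSLContext(ssl.PROTOCOL_TLS)` starts with `check_hostname` off and the hunk only assigns `verify_mode`, so any certificate trusted by the system store is accepted for any server name — a weaker check than the `ssl.create_default_context(ssl.Purpose.SERVER_AUTH)` that the server.py hunk removes, which enabled both. Add `context.check_hostname = True` directly after the `context.verify_mode = ssl.CERT_REQUIRED` line inside the `if verify:` branch; keeping it after the verify_mode assignment avoids the ValueError older Python versions raise when check_hostname is enabled on a CERT_NONE context. Consider `context.options |= ssl.OP_NO_TLSv1_1` next to the other `OP_NO_*` lines, since TLS 1.1 is the only legacy version still left enabled. A docstring should state that `verify=False` disables both chain and hostname validation rather than only relaxing it.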
@@ -44,7 +44,10 @@ class Server(IServer):
         self.throttle.period = time
 
     async def connect(self, params: ConnectionParams):
-        cur_ssl = sc if params.ssl else None
+        cur_ssl: Optional[SSLContext] = None
+        if params.ssl:
+            cur_ssl = ssl_context(params.ssl_verify)
+
         reader, writer = await asyncio.open_connection(
             params.host, params.port,
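Review bot: A connection opened with `params.ssl_verify` set to False is indistinguishable at runtime from a verified one; the `if params.ssl:` branch is the natural place to record that certificate validation was disabled for `params.host`, through whatever logging facility server.py uses (none is visible in these hunks), so an operator can spot unverified connections from the logs. A short comment on the branch would also help, e.g. `# ssl_verify=False hands open_connection a context that accepts any certificate`. The body of `connect`, including the keyword that passes `cur_ssl` to `open_connection`, continues outside the hunk.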