Don't mask invalid hostname certificate errors. PYTHON-478

rozza · rozza · commit 4b7cc70f7fb5 · 2013-02-28T10:50:54.000Z
diff --git a/pymongo/pool.py b/pymongo/pool.py
@@ -250,11 +250,8 @@ def connect(self, pair):
                                        ca_certs=self.ssl_ca_certs,
                                        cert_reqs=self.ssl_cert_reqs)
                 if self.ssl_cert_reqs:
-                    try:
-                        match_hostname(sock.getpeercert(), hostname)
-                    except CertificateError, e:
-                        raise ConnectionFailure("SSL certificate validation "
-                                                "failed: %s" % e)
+                    match_hostname(sock.getpeercert(), hostname)
+
             except ssl.SSLError:
                 sock.close()
                 raise ConnectionFailure("SSL handshake failed. MongoDB may "
diff --git a/test/test_ssl.py b/test/test_ssl.py
@@ -87,7 +87,7 @@ def is_server_resolvable():
             SERVER_IS_RESOLVABLE = is_server_resolvable()
 
 
-class TestNoSSLModule(unittest.TestCase):
+class TestClientSSL(unittest.TestCase):
 
     def test_no_ssl_module(self):
         # Test that ConfigurationError is raised if the ssl
@@ -109,20 +109,6 @@ def test_no_ssl_module(self):
         self.assertRaises(ConfigurationError,
                           MongoReplicaSetClient, ssl_certfile=CLIENT_PEM)
 
-
-class TestSSL(unittest.TestCase):
-
-    def setUp(self):
-        if not HAS_SSL:
-            raise SkipTest("The ssl module is not available.")
-
-        if sys.version.startswith('3.0'):
-            raise SkipTest("Python 3.0.x has problems "
-                           "with SSL and socket timeouts.")
-
-        if not SIMPLE_SSL:
-            raise SkipTest("No simple mongod available over SSL")
-
     def test_config_ssl(self):
         """Tests various ssl configurations"""
         self.assertRaises(ConfigurationError, MongoClient, ssl='foo')
@@ -187,6 +173,20 @@ def test_config_ssl(self):
                           ssl_keyfile=CLIENT_PEM,
                           ssl_certfile=CLIENT_PEM)
 
+
+class TestSSL(unittest.TestCase):
+
+    def setUp(self):
+        if not HAS_SSL:
+            raise SkipTest("The ssl module is not available.")
+
+        if sys.version.startswith('3.0'):
+            raise SkipTest("Python 3.0.x has problems "
+                           "with SSL and socket timeouts.")
+
+        if not SIMPLE_SSL:
+            raise SkipTest("No simple mongod available over SSL")
+
     def test_simple_ssl(self):
         # Expects the server to be running with ssl and with
         # no --sslPEMKeyFile or with --sslWeakCertificateValidation
@@ -279,6 +279,10 @@ def test_cert_ssl_validation(self):
                              ssl_ca_certs=CA_PEM)
         response = client.admin.command('ismaster')
         if 'setName' in response:
+            if response['primary'].split(":")[0] != 'server':
+                raise SkipTest("No hosts in the replicaset for 'server'. "
+                               "Cannot validate hostname in the certificate")
+
             client = MongoReplicaSetClient('server',
                                            replicaSet=response['setName'],
                                            w=len(response['hosts']),
@@ -314,8 +318,13 @@ def test_cert_ssl_validation_optional(self):
                              ssl_certfile=CLIENT_PEM,
                              ssl_cert_reqs=ssl.CERT_OPTIONAL,
                              ssl_ca_certs=CA_PEM)
+
         response = client.admin.command('ismaster')
         if 'setName' in response:
+            if response['primary'].split(":")[0] != 'server':
+                raise SkipTest("No hosts in the replicaset for 'server'. "
+                               "Cannot validate hostname in the certificate")
+
             client = MongoReplicaSetClient('server',
                                            replicaSet=response['setName'],
                                            w=len(response['hosts']),
