Merge pull request #51 from zopefoundation/load-default-cert-for-client-of-signed-server

Fixed: SSL clients of servers with signed certs didn't load default

CHANGES.rst

 Changelog
 =========
 
+- Fixed: SSL clients of servers with signed certs didn't load default
+  certs and were unable to connect.
+
+
 5.0.0a0 (2016-07-08)
 --------------------
 

src/ZEO/tests/testssl.py

@@ -195,6 +195,8 @@ class SSLConfigTestMockiavellian(ZEOConfigTestBase):
             factory, context, (client_cert, client_key, None),
             check_hostname=True)
 
+        context.load_default_certs.assert_called_with()
+
     @mock.patch('ssl.create_default_context')
     @mock.patch('ZEO.ClientStorage.ClientStorage')
     def test_ssl_mockiavellian_client_auth_dir(
@@ -210,6 +212,7 @@ class SSLConfigTestMockiavellian(ZEOConfigTestBase):
             capath=here,
             check_hostname=True,
             )
+        context.load_default_certs.assert_not_called()
 
     @mock.patch('ssl.create_default_context')
     @mock.patch('ZEO.ClientStorage.ClientStorage')
@@ -226,6 +229,7 @@ class SSLConfigTestMockiavellian(ZEOConfigTestBase):
             cafile=server_cert,
             check_hostname=True,
             )
+        context.load_default_certs.assert_not_called()
 
     @mock.patch('ssl.create_default_context')
     @mock.patch('ZEO.ClientStorage.ClientStorage')

src/ZEO/zconfig.py

@@ -11,12 +11,16 @@ def ssl_config(section, server):
     if auth:
         if os.path.isdir(auth):
             capath=auth
-        else:
+        elif auth != 'DYNAMIC':
             cafile=auth
 
     context = ssl.create_default_context(
         ssl.Purpose.CLIENT_AUTH, cafile=cafile, capath=capath)
 
+    if not auth:
+        assert not server
+        context.load_default_certs()
+
     if section.certificate:
         password = section.password_function
         if password: