From 54e768a6dbe3cadeb456dea37bbeaf6e1e17e87c Mon Sep 17 00:00:00 2001
From: Lumir Balhar <lbalhar@redhat.com>
Date: Thu, 9 Jan 2020 10:47:27 +0100
Subject: [PATCH] CVE-2019-11324 Certification mishandle when error should be
 thrown

---
 util/ssl_.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/util/ssl_.py b/util/ssl_.py
index 32fd9ed..f9f12ff 100644
--- a/util/ssl_.py
+++ b/util/ssl_.py
@@ -319,7 +319,7 @@ def ssl_wrap_socket(sock, keyfile=None, certfile=None, cert_reqs=None,
             if e.errno == errno.ENOENT:
                 raise SSLError(e)
             raise
-    elif getattr(context, 'load_default_certs', None) is not None:
+    elif ssl_context is None and hasattr(context, 'load_default_certs'):
         # try to load OS default certs; works well on Windows (require Python3.4+)
         context.load_default_certs()
 
-- 
2.24.1