add distinct error for cert verification issues

netlib/certutils.py

@@ -304,8 +304,6 @@ class CertStore(object):
             valid, plain-ASCII, IDNA-encoded domain name.
 
             sans: A list of Subject Alternate Names.
-
-            Return None if the certificate could not be found or generated.
         """
 
         potential_keys = self.asterisk_forms(commonname)

netlib/tcp.py

@@ -65,6 +65,10 @@ class NetLibSSLError(NetLibError):
     pass
 
 
+class NetLibInvalidCertificateError(NetLibSSLError):
+    pass
+
+
 class SSLKeyLogger(object):
 
     def __init__(self, filename):
@@ -517,13 +521,16 @@ class TCPClient(_Connection):
         try:
             self.connection.do_handshake()
         except SSL.Error as v:
-            raise NetLibError("SSL handshake error: %s" % repr(v))
+            if self.ssl_verification_error:
+                raise NetLibInvalidCertificateError("SSL handshake error: %s" % repr(v))
+            else:
+                raise NetLibError("SSL handshake error: %s" % repr(v))
 
         # Fix for pre v1.0 OpenSSL, which doesn't throw an exception on
         # certificate validation failure
         verification_mode = sslctx_kwargs.get('verify_options', None)
         if self.ssl_verification_error is not None and verification_mode == SSL.VERIFY_PEER:
-            raise NetLibError("SSL handshake error: certificate verify failed")
+            raise NetLibInvalidCertificateError("SSL handshake error: certificate verify failed")
 
         self.ssl_established = True
         self.cert = certutils.SSLCert(self.connection.get_peer_certificate())

test/test_tcp.py

@@ -224,7 +224,7 @@ class TestSSLUpstreamCertVerificationWBadServerCert(tservers.ServerTestBase):
         c.connect()
 
         tutils.raises(
-            tcp.NetLibError,
+            tcp.NetLibInvalidCertificateError,
             c.convert_to_ssl,
             verify_options=SSL.VERIFY_PEER,
             ca_pemfile=tutils.test_data.path("data/verificationcerts/trusted.pem"))