summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorKali Kaneko <kali@leap.se>2014-12-03 00:22:18 +0100
committerKali Kaneko <kali@leap.se>2014-12-03 00:22:18 +0100
commit31eeafd715f407c61d8de4e6555241a1de33fba1 (patch)
tree2939133381319730b026b835e1b5d3bb785d760b
parent2414b23ecdb8cfc8b8a5852243c22b6fbb89536f (diff)
Use SSL negotiation.
Although the API can be misleading, PROTOCOL_SSLv23 selects the highest protocol version that both the client and server support. Despite the name, this option can select “TLS” protocols as well as “SSL”. In this way, we can use TLSv1.2 (PROTOCOL_TLSv1 will *only* give us TLS v1.0) In the client side, we try to disable SSLv2 and SSLv3 options explicitely. The python version in wheezy does not offer PROTOCOL_TLSv1_2 nor OP_NO_SSLv2 or OP_NO_SSLv3 (It's new in 2.7.9)
-rw-r--r--client/src/leap/soledad/client/__init__.py21
-rw-r--r--server/pkg/soledad2
2 files changed, 18 insertions, 5 deletions
diff --git a/client/src/leap/soledad/client/__init__.py b/client/src/leap/soledad/client/__init__.py
index 7267180b..a4030d88 100644
--- a/client/src/leap/soledad/client/__init__.py
+++ b/client/src/leap/soledad/client/__init__.py
@@ -809,10 +809,23 @@ class VerifiedHTTPSConnection(httplib.HTTPSConnection):
self.sock = sock
self._tunnel()
- self.sock = ssl.wrap_socket(sock,
- ca_certs=SOLEDAD_CERT,
- cert_reqs=ssl.CERT_REQUIRED,
- ssl_version=ssl.PROTOCOL_TLSv1)
+ # negotiate the best availabe version...
+ ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+
+ # but if possible, we want to disable bad ones
+ # needs python 2.7.9+
+ try:
+ ctx.options |= ssl.OP_NO_SSLv2
+ ctx.options |= ssl.OP_NO_SSLv3
+ except AttributeError:
+ pass
+
+ ctx.load_cert_chain(certfile=SOLEDAD_CERT)
+ ctx.verify_mode = ssl.CERT_REQUIRED
+
+ self.sock = ctx.wrap_socket(
+ sock, server_side=True, server_hostname=self.host)
+
match_hostname(self.sock.getpeercert(), self.host)
diff --git a/server/pkg/soledad b/server/pkg/soledad
index bf24dac2..ccb3e9b0 100644
--- a/server/pkg/soledad
+++ b/server/pkg/soledad
@@ -19,7 +19,7 @@ CERT_PATH=/etc/leap/soledad-server.pem
PRIVKEY_PATH=/etc/leap/soledad-server.key
TWISTD_PATH=/usr/bin/twistd
HOME=/var/lib/soledad/
-SSL_METHOD=TLSv1_METHOD
+SSL_METHOD=SSLv23_METHOD
USER=soledad
GROUP=soledad