Merge branch 'release-0.6.1' into release/0.6.x0.6.1

1 files changed, 20 insertions, 3 deletions

diff --git a/client/src/leap/soledad/client/__init__.py b/client/src/leap/soledad/client/__init__.py
index 586e3389..c350d021 100644
--- a/client/src/leap/soledad/client/__init__.py
+++ b/client/src/leap/soledad/client/__init__.py
@@ -1333,9 +1333,26 @@ class VerifiedHTTPSConnection(httplib.HTTPSConnection):
             self.sock = sock
             self._tunnel()
 
-        self.sock = ssl.wrap_socket(sock,
-                                    ca_certs=SOLEDAD_CERT,
-                                    cert_reqs=ssl.CERT_REQUIRED)
+        highest_supported = ssl.PROTOCOL_SSLv23
+
+        try:
+            # needs python 2.7.9+
+            # negotiate the best available version,
+            # but explicitely disabled bad ones.
+            ctx = ssl.SSLContext(highest_supported)
+            ctx.options |= ssl.OP_NO_SSLv2
+            ctx.options |= ssl.OP_NO_SSLv3
+
+            ctx.load_cert_chain(certfile=SOLEDAD_CERT)
+            ctx.verify_mode = ssl.CERT_REQUIRED
+            self.sock = ctx.wrap_socket(
+                sock, server_side=True, server_hostname=self.host)
+
+        except AttributeError:
+            self.sock = ssl.wrap_socket(
+                sock, ca_certs=SOLEDAD_CERT, cert_reqs=ssl.CERT_REQUIRED,
+                ssl_version=highest_supported)
+
         match_hostname(self.sock.getpeercert(), self.host)