summaryrefslogtreecommitdiff
path: root/client/src/leap/soledad
diff options
context:
space:
mode:
authordrebs <drebs@leap.se>2014-12-08 14:37:29 -0200
committerdrebs <drebs@leap.se>2014-12-08 14:37:29 -0200
commit7496a78b2d82d27a7b2470f5393f0e531ef75360 (patch)
treeab97f8612d503ec5b2ec315f0353b1a86eec7589 /client/src/leap/soledad
parent365fa1603a977040a1891880a66118f196a54ac0 (diff)
parent2abe641215b6435fa3c18ae802a621a23d01f643 (diff)
Merge branch 'release-0.6.1' into release/0.6.x0.6.1
Diffstat (limited to 'client/src/leap/soledad')
-rw-r--r--client/src/leap/soledad/client/__init__.py23
1 files changed, 20 insertions, 3 deletions
diff --git a/client/src/leap/soledad/client/__init__.py b/client/src/leap/soledad/client/__init__.py
index 586e3389..c350d021 100644
--- a/client/src/leap/soledad/client/__init__.py
+++ b/client/src/leap/soledad/client/__init__.py
@@ -1333,9 +1333,26 @@ class VerifiedHTTPSConnection(httplib.HTTPSConnection):
self.sock = sock
self._tunnel()
- self.sock = ssl.wrap_socket(sock,
- ca_certs=SOLEDAD_CERT,
- cert_reqs=ssl.CERT_REQUIRED)
+ highest_supported = ssl.PROTOCOL_SSLv23
+
+ try:
+ # needs python 2.7.9+
+ # negotiate the best available version,
+ # but explicitely disabled bad ones.
+ ctx = ssl.SSLContext(highest_supported)
+ ctx.options |= ssl.OP_NO_SSLv2
+ ctx.options |= ssl.OP_NO_SSLv3
+
+ ctx.load_cert_chain(certfile=SOLEDAD_CERT)
+ ctx.verify_mode = ssl.CERT_REQUIRED
+ self.sock = ctx.wrap_socket(
+ sock, server_side=True, server_hostname=self.host)
+
+ except AttributeError:
+ self.sock = ssl.wrap_socket(
+ sock, ca_certs=SOLEDAD_CERT, cert_reqs=ssl.CERT_REQUIRED,
+ ssl_version=highest_supported)
+
match_hostname(self.sock.getpeercert(), self.host)