summaryrefslogtreecommitdiff
path: root/client/src/leap/soledad
diff options
context:
space:
mode:
authorKali Kaneko <kali@leap.se>2014-12-04 18:13:06 +0100
committerdrebs <drebs@leap.se>2014-12-05 14:40:36 -0200
commit527c28c73d22b5f852273e2c5d1713e82a2c49fd (patch)
tree7485c6b1248bbe2db19a626c2e46b30c424c28a6 /client/src/leap/soledad
parent6fc80e14d568d83df7899e516d1422b2e011d2cb (diff)
fix ssl negotiation
since ssl.SSLContext does not exist prior to python 2.7.9
Diffstat (limited to 'client/src/leap/soledad')
-rw-r--r--client/src/leap/soledad/client/__init__.py23
1 files changed, 13 insertions, 10 deletions
diff --git a/client/src/leap/soledad/client/__init__.py b/client/src/leap/soledad/client/__init__.py
index 7ef5f6a9..c350d021 100644
--- a/client/src/leap/soledad/client/__init__.py
+++ b/client/src/leap/soledad/client/__init__.py
@@ -1333,22 +1333,25 @@ class VerifiedHTTPSConnection(httplib.HTTPSConnection):
self.sock = sock
self._tunnel()
- # negotiate the best availabe version...
- ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+ highest_supported = ssl.PROTOCOL_SSLv23
- # but if possible, we want to disable bad ones
- # needs python 2.7.9+
try:
+ # needs python 2.7.9+
+ # negotiate the best available version,
+ # but explicitely disabled bad ones.
+ ctx = ssl.SSLContext(highest_supported)
ctx.options |= ssl.OP_NO_SSLv2
ctx.options |= ssl.OP_NO_SSLv3
- except AttributeError:
- pass
- ctx.load_cert_chain(certfile=SOLEDAD_CERT)
- ctx.verify_mode = ssl.CERT_REQUIRED
+ ctx.load_cert_chain(certfile=SOLEDAD_CERT)
+ ctx.verify_mode = ssl.CERT_REQUIRED
+ self.sock = ctx.wrap_socket(
+ sock, server_side=True, server_hostname=self.host)
- self.sock = ctx.wrap_socket(
- sock, server_side=True, server_hostname=self.host)
+ except AttributeError:
+ self.sock = ssl.wrap_socket(
+ sock, ca_certs=SOLEDAD_CERT, cert_reqs=ssl.CERT_REQUIRED,
+ ssl_version=highest_supported)
match_hostname(self.sock.getpeercert(), self.host)