diff options
author | Kali Kaneko <kali@leap.se> | 2014-12-04 18:13:06 +0100 |
---|---|---|
committer | drebs <drebs@leap.se> | 2014-12-05 14:40:36 -0200 |
commit | 527c28c73d22b5f852273e2c5d1713e82a2c49fd (patch) | |
tree | 7485c6b1248bbe2db19a626c2e46b30c424c28a6 /client/src | |
parent | 6fc80e14d568d83df7899e516d1422b2e011d2cb (diff) |
fix ssl negotiation
since ssl.SSLContext does not exist prior to python 2.7.9
Diffstat (limited to 'client/src')
-rw-r--r-- | client/src/leap/soledad/client/__init__.py | 23 |
1 files changed, 13 insertions, 10 deletions
diff --git a/client/src/leap/soledad/client/__init__.py b/client/src/leap/soledad/client/__init__.py index 7ef5f6a9..c350d021 100644 --- a/client/src/leap/soledad/client/__init__.py +++ b/client/src/leap/soledad/client/__init__.py @@ -1333,22 +1333,25 @@ class VerifiedHTTPSConnection(httplib.HTTPSConnection): self.sock = sock self._tunnel() - # negotiate the best availabe version... - ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23) + highest_supported = ssl.PROTOCOL_SSLv23 - # but if possible, we want to disable bad ones - # needs python 2.7.9+ try: + # needs python 2.7.9+ + # negotiate the best available version, + # but explicitely disabled bad ones. + ctx = ssl.SSLContext(highest_supported) ctx.options |= ssl.OP_NO_SSLv2 ctx.options |= ssl.OP_NO_SSLv3 - except AttributeError: - pass - ctx.load_cert_chain(certfile=SOLEDAD_CERT) - ctx.verify_mode = ssl.CERT_REQUIRED + ctx.load_cert_chain(certfile=SOLEDAD_CERT) + ctx.verify_mode = ssl.CERT_REQUIRED + self.sock = ctx.wrap_socket( + sock, server_side=True, server_hostname=self.host) - self.sock = ctx.wrap_socket( - sock, server_side=True, server_hostname=self.host) + except AttributeError: + self.sock = ssl.wrap_socket( + sock, ca_certs=SOLEDAD_CERT, cert_reqs=ssl.CERT_REQUIRED, + ssl_version=highest_supported) match_hostname(self.sock.getpeercert(), self.host) |