diff options
author | drebs <drebs@leap.se> | 2014-12-08 14:37:29 -0200 |
---|---|---|
committer | drebs <drebs@leap.se> | 2014-12-08 14:37:29 -0200 |
commit | 7496a78b2d82d27a7b2470f5393f0e531ef75360 (patch) | |
tree | ab97f8612d503ec5b2ec315f0353b1a86eec7589 /client | |
parent | 365fa1603a977040a1891880a66118f196a54ac0 (diff) | |
parent | 2abe641215b6435fa3c18ae802a621a23d01f643 (diff) |
Merge branch 'release-0.6.1' into release/0.6.x0.6.1
Diffstat (limited to 'client')
-rw-r--r-- | client/src/leap/soledad/client/__init__.py | 23 |
1 files changed, 20 insertions, 3 deletions
diff --git a/client/src/leap/soledad/client/__init__.py b/client/src/leap/soledad/client/__init__.py index 586e3389..c350d021 100644 --- a/client/src/leap/soledad/client/__init__.py +++ b/client/src/leap/soledad/client/__init__.py @@ -1333,9 +1333,26 @@ class VerifiedHTTPSConnection(httplib.HTTPSConnection): self.sock = sock self._tunnel() - self.sock = ssl.wrap_socket(sock, - ca_certs=SOLEDAD_CERT, - cert_reqs=ssl.CERT_REQUIRED) + highest_supported = ssl.PROTOCOL_SSLv23 + + try: + # needs python 2.7.9+ + # negotiate the best available version, + # but explicitely disabled bad ones. + ctx = ssl.SSLContext(highest_supported) + ctx.options |= ssl.OP_NO_SSLv2 + ctx.options |= ssl.OP_NO_SSLv3 + + ctx.load_cert_chain(certfile=SOLEDAD_CERT) + ctx.verify_mode = ssl.CERT_REQUIRED + self.sock = ctx.wrap_socket( + sock, server_side=True, server_hostname=self.host) + + except AttributeError: + self.sock = ssl.wrap_socket( + sock, ca_certs=SOLEDAD_CERT, cert_reqs=ssl.CERT_REQUIRED, + ssl_version=highest_supported) + match_hostname(self.sock.getpeercert(), self.host) |