summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--client/src/leap/soledad/client/__init__.py21
-rw-r--r--server/pkg/soledad2
2 files changed, 18 insertions, 5 deletions
diff --git a/client/src/leap/soledad/client/__init__.py b/client/src/leap/soledad/client/__init__.py
index 7267180b..a4030d88 100644
--- a/client/src/leap/soledad/client/__init__.py
+++ b/client/src/leap/soledad/client/__init__.py
@@ -809,10 +809,23 @@ class VerifiedHTTPSConnection(httplib.HTTPSConnection):
self.sock = sock
self._tunnel()
- self.sock = ssl.wrap_socket(sock,
- ca_certs=SOLEDAD_CERT,
- cert_reqs=ssl.CERT_REQUIRED,
- ssl_version=ssl.PROTOCOL_TLSv1)
+ # negotiate the best availabe version...
+ ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+
+ # but if possible, we want to disable bad ones
+ # needs python 2.7.9+
+ try:
+ ctx.options |= ssl.OP_NO_SSLv2
+ ctx.options |= ssl.OP_NO_SSLv3
+ except AttributeError:
+ pass
+
+ ctx.load_cert_chain(certfile=SOLEDAD_CERT)
+ ctx.verify_mode = ssl.CERT_REQUIRED
+
+ self.sock = ctx.wrap_socket(
+ sock, server_side=True, server_hostname=self.host)
+
match_hostname(self.sock.getpeercert(), self.host)
diff --git a/server/pkg/soledad b/server/pkg/soledad
index bf24dac2..ccb3e9b0 100644
--- a/server/pkg/soledad
+++ b/server/pkg/soledad
@@ -19,7 +19,7 @@ CERT_PATH=/etc/leap/soledad-server.pem
PRIVKEY_PATH=/etc/leap/soledad-server.key
TWISTD_PATH=/usr/bin/twistd
HOME=/var/lib/soledad/
-SSL_METHOD=TLSv1_METHOD
+SSL_METHOD=SSLv23_METHOD
USER=soledad
GROUP=soledad