-rw-r--r--CHANGELOG8
-rw-r--r--client/src/leap/soledad/client/__init__.py23
-rw-r--r--server/pkg/soledad27
3 files changed, 44 insertions, 14 deletions
diff --git a/CHANGELOG b/CHANGELOG
index 0dce4847..7cf5a3b4 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,3 +1,11 @@
+0.6.1 Dec 08 2014:
+Client:
+ o Use TLS v1 in soledad client. Fixes partially #6437
+
+Server:
+ o Run daemon as user soledad (#6436).
+ o Avoid use of SSLv3 (#6437).
+
0.6.0 Jul 18, 2014:
Client:
o Close all connections after syncing. Fixes #5518.
diff --git a/client/src/leap/soledad/client/__init__.py b/client/src/leap/soledad/client/__init__.py
index 586e3389..c350d021 100644
--- a/client/src/leap/soledad/client/__init__.py
+++ b/client/src/leap/soledad/client/__init__.py
@@ -1333,9 +1333,26 @@ class VerifiedHTTPSConnection(httplib.HTTPSConnection):
self.sock = sock
self._tunnel()
- self.sock = ssl.wrap_socket(sock,
- ca_certs=SOLEDAD_CERT,
- cert_reqs=ssl.CERT_REQUIRED)
+ highest_supported = ssl.PROTOCOL_SSLv23
+
+ try:
+ # needs python 2.7.9+
+ # negotiate the best available version,
+ # but explicitely disabled bad ones.
+ ctx = ssl.SSLContext(highest_supported)
+ ctx.options |= ssl.OP_NO_SSLv2
+ ctx.options |= ssl.OP_NO_SSLv3
+
+ ctx.load_cert_chain(certfile=SOLEDAD_CERT)
+ ctx.verify_mode = ssl.CERT_REQUIRED
+ self.sock = ctx.wrap_socket(
+ sock, server_side=True, server_hostname=self.host)
+
+ except AttributeError:
+ self.sock = ssl.wrap_socket(
+ sock, ca_certs=SOLEDAD_CERT, cert_reqs=ssl.CERT_REQUIRED,
+ ssl_version=highest_supported)
+
match_hostname(self.sock.getpeercert(), self.host)
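Review bot: `ctx.load_cert_chain(certfile=SOLEDAD_CERT)` on the new SSLContext path loads SOLEDAD_CERT as this client's own certificate-plus-private-key rather than as the trust anchor, so the context ends up with no CA to verify the server against; the fallback branch passes the same file as `ca_certs`, so the intended call is `ctx.load_verify_locations(cafile=SOLEDAD_CERT)`. A file holding only a CA certificate makes `load_cert_chain` fail with `ssl.SSLError`, which the `except AttributeError` does not catch, so on Python 2.7.9+ the connection fails outright instead of falling back. In the same call, `server_side=True` is wrong for an outgoing connection and cannot be combined with `server_hostname` (`wrap_socket` raises `ValueError` for that combination); it should be `server_side=False`. Note also that the fallback `ssl.wrap_socket(..., ssl_version=ssl.PROTOCOL_SSLv23)` can still negotiate SSLv3 on pre-2.7.9 interpreters, so the CHANGELOG's "use TLS v1 in soledad client" would need `ssl_version=ssl.PROTOCOL_TLSv1` there. The enclosing method begins before this hunk.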
diff --git a/server/pkg/soledad b/server/pkg/soledad
index 841233d1..ccb3e9b0 100644
--- a/server/pkg/soledad
+++ b/server/pkg/soledad
@@ -19,6 +19,9 @@ CERT_PATH=/etc/leap/soledad-server.pem
PRIVKEY_PATH=/etc/leap/soledad-server.key
TWISTD_PATH=/usr/bin/twistd
HOME=/var/lib/soledad/
+SSL_METHOD=SSLv23_METHOD
+USER=soledad
+GROUP=soledad
[ -r /etc/default/soledad ] && . /etc/default/soledad
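Review bot: `USER=soledad` and `GROUP=soledad` are consumed further down as `start-stop-daemon --user=${USER} --group=${GROUP}`, but start-stop-daemon's `--user` is a process-matching option rather than a privilege drop, so twistd is still started with the caller's (root's) uid; only `--group` changes the gid. To actually run as soledad the start line needs `--chuid ${USER}:${GROUP}` (or twistd's own `--uid`/`--gid` options), and `${PRIVKEY_PATH}`, `${PIDFILE}` and `${LOGFILE}` must then be readable/writable by that user. `SSL_METHOD=SSLv23_METHOD` on its own means "negotiate any version"; whether SSLv3 is actually refused depends on which `OP_NO_*` options the installed Twisted's context factory sets, so if this is meant to close #6437 a default of `SSL_METHOD=TLSv1_METHOD` is the conservative choice. Also, `USER` is a name most login environments already export; a less generic name such as `SOLEDAD_USER` avoids surprising anyone editing `/etc/default/soledad`.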
@@ -27,36 +30,38 @@ test -r /etc/leap/ || exit 0
. /lib/lsb/init-functions
-case "$1" in
+case "${1}" in
start)
echo -n "Starting soledad: twistd"
- start-stop-daemon --start --quiet --exec $TWISTD_PATH -- \
- --pidfile=$PIDFILE \
- --logfile=$LOGFILE \
+ start-stop-daemon --start --quiet \
+ --user=${USER} --group=${GROUP} \
+ --exec ${TWISTD_PATH} -- \
+ --pidfile=${PIDFILE} \
+ --logfile=${LOGFILE} \
web \
- --wsgi=$OBJ \
- --port=ssl:$HTTPS_PORT:privateKey=$PRIVKEY_PATH:certKey=$CERT_PATH
+ --wsgi=${OBJ} \
+ --port=ssl:${HTTPS_PORT}:privateKey=${PRIVKEY_PATH}:certKey=${CERT_PATH}:sslmethod=${SSL_METHOD}
echo "."
;;
stop)
echo -n "Stopping soledad: twistd"
start-stop-daemon --stop --quiet \
- --pidfile $PIDFILE
+ --pidfile ${PIDFILE}
echo "."
;;
restart)
- $0 stop
- $0 start
+ ${0} stop
+ ${0} start
;;
force-reload)
- $0 restart
+ ${0} restart
;;
status)
- status_of_proc -p $PIDFILE $TWISTD_PATH soledad && exit 0 || exit $?
+ status_of_proc -p ${PIDFILE} ${TWISTD_PATH} soledad && exit 0 || exit ${?}
;;
*)