| -rw-r--r-- | client/src/leap/soledad/client/__init__.py | 21 | ||||
| -rw-r--r-- | server/pkg/soledad | 2 | 
2 files changed, 18 insertions, 5 deletions
diff --git a/client/src/leap/soledad/client/__init__.py b/client/src/leap/soledad/client/__init__.py
index 4703133c..7ef5f6a9 100644
--- a/client/src/leap/soledad/client/__init__.py
+++ b/client/src/leap/soledad/client/__init__.py
@@ -1333,10 +1333,23 @@ class VerifiedHTTPSConnection(httplib.HTTPSConnection):
             self.sock = sock
             self._tunnel()
-        self.sock = ssl.wrap_socket(sock,
-                                    ca_certs=SOLEDAD_CERT,
-                                    cert_reqs=ssl.CERT_REQUIRED,
-                                    ssl_version=ssl.PROTOCOL_TLSv1)
+        # negotiate the best availabe version...
+        ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+
+        # but if possible, we want to disable bad ones
+        # needs python 2.7.9+
+        try:
+            ctx.options |= ssl.OP_NO_SSLv2
+            ctx.options |= ssl.OP_NO_SSLv3
+        except AttributeError:
+            pass
+
+        ctx.load_cert_chain(certfile=SOLEDAD_CERT)
+        ctx.verify_mode = ssl.CERT_REQUIRED
+
+        self.sock = ctx.wrap_socket(
+            sock, server_side=True, server_hostname=self.host)
+
         match_hostname(self.sock.getpeercert(), self.host)
diff --git a/server/pkg/soledad b/server/pkg/soledad
index bf24dac2..ccb3e9b0 100644
--- a/server/pkg/soledad
+++ b/server/pkg/soledad
@@ -19,7 +19,7 @@ CERT_PATH=/etc/leap/soledad-server.pem
 PRIVKEY_PATH=/etc/leap/soledad-server.key
 TWISTD_PATH=/usr/bin/twistd
 HOME=/var/lib/soledad/
-SSL_METHOD=TLSv1_METHOD
+SSL_METHOD=SSLv23_METHOD
 USER=soledad
 GROUP=soledad
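Review bot: The new context never installs the trust anchor that the removed `ca_certs=SOLEDAD_CERT` provided — `ctx.load_cert_chain(certfile=SOLEDAD_CERT)` loads a certificate (and its private key) for this side to present, whereas trusting a CA is `ctx.load_verify_locations(cafile=SOLEDAD_CERT)`; with `verify_mode = CERT_REQUIRED` and no CA loaded the server certificate cannot verify, so this either fails every connection or, if SOLEDAD_CERT happens to contain a key, does something other than pinning the Soledad CA. `server_side=True` is also wrong for an `httplib.HTTPSConnection` subclass: this is the client end, `ssl` rejects `server_hostname` in server mode with a ValueError, and a server-side handshake would not complete against a real server anyway. The `try/except AttributeError` guards the wrong statement and fails open — on a Python lacking `OP_NO_SSLv3` the `ssl.SSLContext(...)` call above it already raises, and if the guard ever did fire, `pass` would leave SSLv3 negotiable; since the code already requires 2.7.9+, set the options unconditionally. `connect()` begins above this hunk and its trailing context is cut off here.
```python
        # negotiate the best available version, but never SSLv2/SSLv3
        ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
        ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3

        # we are the client: trust only the pinned Soledad CA, present no
        # certificate chain of our own
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.load_verify_locations(cafile=SOLEDAD_CERT)

        self.sock = ctx.wrap_socket(sock, server_hostname=self.host)
        # … unchanged: match_hostname(self.sock.getpeercert(), self.host) …
```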
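Review bot: `SSL_METHOD=SSLv23_METHOD` widens the server from TLS 1.0-only to whatever the SSLv23 method negotiates, which includes SSLv3 (and SSLv2 where the linked OpenSSL still has it) unless the context that consumes this variable also masks them with `OP_NO_SSLv2 | OP_NO_SSLv3`. The client-side hunk in this same commit tries to disable exactly those versions, so leaving the server permissive undoes that intent and exposes a POODLE-class downgrade to any client that does not mask them itself. How `SSL_METHOD` is read by the twistd side is not visible here; wherever the pyOpenSSL context is built from it, set the option mask, and annotate this line with `# SSLv23_METHOD negotiates any version; the server context must set OP_NO_SSLv2|OP_NO_SSLv3`.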
