| -rw-r--r-- | client/src/leap/soledad/client/__init__.py | 23 | 
1 files changed, 13 insertions, 10 deletions
diff --git a/client/src/leap/soledad/client/__init__.py b/client/src/leap/soledad/client/__init__.py
index a4030d88..d7d01b57 100644
--- a/client/src/leap/soledad/client/__init__.py
+++ b/client/src/leap/soledad/client/__init__.py
@@ -809,22 +809,25 @@ class VerifiedHTTPSConnection(httplib.HTTPSConnection):
             self.sock = sock
             self._tunnel()
-        # negotiate the best availabe version...
-        ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+        highest_supported = ssl.PROTOCOL_SSLv23
-        # but if possible, we want to disable bad ones
-        # needs python 2.7.9+
         try:
+            # needs python 2.7.9+
+            # negotiate the best available version,
+            # but explicitely disabled bad ones.
+            ctx = ssl.SSLContext(highest_supported)
             ctx.options |= ssl.OP_NO_SSLv2
             ctx.options |= ssl.OP_NO_SSLv3
-        except AttributeError:
-            pass
-        ctx.load_cert_chain(certfile=SOLEDAD_CERT)
-        ctx.verify_mode = ssl.CERT_REQUIRED
+            ctx.load_cert_chain(certfile=SOLEDAD_CERT)
+            ctx.verify_mode = ssl.CERT_REQUIRED
+            self.sock = ctx.wrap_socket(
+                sock, server_side=True, server_hostname=self.host)
-        self.sock = ctx.wrap_socket(
-            sock, server_side=True, server_hostname=self.host)
+        except AttributeError:
+            self.sock = ssl.wrap_socket(
+                sock, ca_certs=SOLEDAD_CERT, cert_reqs=ssl.CERT_REQUIRED,
+                ssl_version=highest_supported)
         match_hostname(self.sock.getpeercert(), self.host)
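Review bot: In the new SSLContext branch, `ctx.load_cert_chain(certfile=SOLEDAD_CERT)` installs SOLEDAD_CERT as this client's own certificate chain rather than as the trust anchor for the server — the fallback branch passes the same file as `ca_certs`, so the intended call is `ctx.load_verify_locations(cafile=SOLEDAD_CERT)`; as written, `verify_mode = ssl.CERT_REQUIRED` has no CA to verify against, and load_cert_chain will fail if that file carries no private key. The `server_side=True` in the `ctx.wrap_socket(...)` call also looks wrong for what the hunk header shows is an httplib.HTTPSConnection subclass, since the stdlib accepts `server_hostname` only in client mode and this should be a client-side handshake. The `try` block is also far wider than the compatibility probe it guards: an AttributeError raised anywhere in the context setup or handshake silently drops to the legacy `ssl.wrap_socket` path, which cannot clear SSLv2/SSLv3, so the probe should wrap only the `ssl.SSLContext` lookup, with a one-line comment noting that pre-2.7.9 interpreters still negotiate SSLv3 on the fallback. The enclosing method begins before this hunk, so its signature is not visible here.
```python
        highest_supported = ssl.PROTOCOL_SSLv23
        try:
            # SSLContext needs python 2.7.9+; only the lookup is probed here
            ctx = ssl.SSLContext(highest_supported)
        except AttributeError:
            ctx = None

        if ctx is not None:
            # negotiate the best available version, but explicitly disable bad ones
            ctx.options |= ssl.OP_NO_SSLv2
            ctx.options |= ssl.OP_NO_SSLv3
            # SOLEDAD_CERT is the trust anchor for the server, not a client cert
            ctx.load_verify_locations(cafile=SOLEDAD_CERT)
            ctx.verify_mode = ssl.CERT_REQUIRED
            self.sock = ctx.wrap_socket(sock, server_hostname=self.host)
        else:
            # legacy path: cannot clear SSLv2/SSLv3 here, hostname is still
            # checked by match_hostname below
            self.sock = ssl.wrap_socket(
                sock, ca_certs=SOLEDAD_CERT, cert_reqs=ssl.CERT_REQUIRED,
                ssl_version=highest_supported)
        # … unchanged: match_hostname check …
```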
