summaryrefslogtreecommitdiff
path: root/client/src/leap
diff options
context:
space:
mode:
Diffstat (limited to 'client/src/leap')
-rw-r--r--client/src/leap/soledad/client/__init__.py23
1 files changed, 13 insertions, 10 deletions
diff --git a/client/src/leap/soledad/client/__init__.py b/client/src/leap/soledad/client/__init__.py
index a4030d88..d7d01b57 100644
--- a/client/src/leap/soledad/client/__init__.py
+++ b/client/src/leap/soledad/client/__init__.py
@@ -809,22 +809,25 @@ class VerifiedHTTPSConnection(httplib.HTTPSConnection):
self.sock = sock
self._tunnel()
- # negotiate the best availabe version...
- ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+ highest_supported = ssl.PROTOCOL_SSLv23
- # but if possible, we want to disable bad ones
- # needs python 2.7.9+
try:
+ # needs python 2.7.9+
+ # negotiate the best available version,
+ # but explicitely disabled bad ones.
+ ctx = ssl.SSLContext(highest_supported)
ctx.options |= ssl.OP_NO_SSLv2
ctx.options |= ssl.OP_NO_SSLv3
- except AttributeError:
- pass
- ctx.load_cert_chain(certfile=SOLEDAD_CERT)
- ctx.verify_mode = ssl.CERT_REQUIRED
+ ctx.load_cert_chain(certfile=SOLEDAD_CERT)
+ ctx.verify_mode = ssl.CERT_REQUIRED
+ self.sock = ctx.wrap_socket(
+ sock, server_side=True, server_hostname=self.host)
- self.sock = ctx.wrap_socket(
- sock, server_side=True, server_hostname=self.host)
+ except AttributeError:
+ self.sock = ssl.wrap_socket(
+ sock, ca_certs=SOLEDAD_CERT, cert_reqs=ssl.CERT_REQUIRED,
+ ssl_version=highest_supported)
match_hostname(self.sock.getpeercert(), self.host)