Diffstat (limited to 'client/src')
-rw-r--r--client/src/leap/soledad/client/__init__.py24
-rw-r--r--client/src/leap/soledad/client/sqlcipher.py5
-rw-r--r--client/src/leap/soledad/client/target.py3
3 files changed, 25 insertions, 7 deletions
diff --git a/client/src/leap/soledad/client/__init__.py b/client/src/leap/soledad/client/__init__.py
index 586e3389..07255406 100644
--- a/client/src/leap/soledad/client/__init__.py
+++ b/client/src/leap/soledad/client/__init__.py
@@ -224,7 +224,7 @@ class Soledad(object):
def __init__(self, uuid, passphrase, secrets_path, local_db_path,
server_url, cert_file,
- auth_token=None, secret_id=None, defer_encryption=False):
+ auth_token=None, secret_id=None, defer_encryption=True):
"""
Initialize configuration, cryptographic keys and dbs.
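Review bot: Flipping `defer_encryption` to `True` in the `Soledad.__init__` signature changes behaviour for every caller that omits the argument, and nothing visible in the hunk documents that. The docstring opens here but continues outside the hunk, so its parameter entry is not visible; it should state the new default, e.g. `:param defer_encryption: Whether to defer encryption of documents (default: True).` If deferral means documents wait in an intermediate store before being encrypted, the entry should also say where they are kept and in what form.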
@@ -1333,9 +1333,25 @@ class VerifiedHTTPSConnection(httplib.HTTPSConnection):
self.sock = sock
self._tunnel()
- self.sock = ssl.wrap_socket(sock,
- ca_certs=SOLEDAD_CERT,
- cert_reqs=ssl.CERT_REQUIRED)
+ highest_supported = ssl.PROTOCOL_SSLv23
+
+ try:
+ # needs python 2.7.9+
+ # negotiate the best available version,
+ # but explicitely disabled bad ones.
+ ctx = ssl.SSLContext(highest_supported)
+ ctx.options |= ssl.OP_NO_SSLv2
+ ctx.options |= ssl.OP_NO_SSLv3
+
+ ctx.load_verify_locations(cafile=SOLEDAD_CERT)
+ ctx.verify_mode = ssl.CERT_REQUIRED
+ self.sock = ctx.wrap_socket(sock)
+
+ except AttributeError:
+ self.sock = ssl.wrap_socket(
+ sock, ca_certs=SOLEDAD_CERT, cert_reqs=ssl.CERT_REQUIRED,
+ ssl_version=highest_supported)
+
match_hostname(self.sock.getpeercert(), self.host)
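Review bot: The `except AttributeError` fallback calls `ssl.wrap_socket` with `ssl_version=highest_supported`, which is `PROTOCOL_SSLv23`, so on interpreters without `ssl.SSLContext` the `OP_NO_SSLv2`/`OP_NO_SSLv3` restrictions are never applied and, depending on the OpenSSL build, the connection can still negotiate the protocol versions this change sets out to disable. The `try` also wraps the whole context setup and `ctx.wrap_socket(sock)`, so an unrelated `AttributeError` raised there would silently take the weaker path. I would choose the branch with `if hasattr(ssl, "SSLContext"):` rather than catching the exception, and pass `ssl_version=ssl.PROTOCOL_TLSv1` in the legacy branch. The enclosing method starts outside the hunk.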
diff --git a/client/src/leap/soledad/client/sqlcipher.py b/client/src/leap/soledad/client/sqlcipher.py
index 2df9606e..fded2119 100644
--- a/client/src/leap/soledad/client/sqlcipher.py
+++ b/client/src/leap/soledad/client/sqlcipher.py
@@ -452,6 +452,11 @@ class SQLCipherDatabase(sqlite_backend.SQLitePartialExpandDatabase):
# XXX could mark the critical section here...
try:
+ if defer_decryption and not self.defer_encryption:
+ logger.warning("Can't defer decryption without first having "
+ "created a sync db. Falling back to normal "
+ "syncing mode.")
+ defer_decryption = False
res = syncer.sync(autocreate=autocreate,
defer_decryption=defer_decryption)
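Review bot: A caller that passes `defer_decryption=True` has it overridden here with only a log line as evidence, so the method's docstring should say so; the docstring and the start of the method are outside the hunk. Something like `defer_decryption is ignored, with a warning, when the database was opened with defer_encryption=False` would do. The message speaks of a missing sync db while the condition tests `self.defer_encryption`, so a one-line comment above the `if` stating that the flag stands in for "a sync db exists" would make the link explicit.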
diff --git a/client/src/leap/soledad/client/target.py b/client/src/leap/soledad/client/target.py
index 70e4d3a2..1eb84e64 100644
--- a/client/src/leap/soledad/client/target.py
+++ b/client/src/leap/soledad/client/target.py
@@ -28,12 +28,10 @@ import logging
import re
import urllib
import threading
-import urlparse
from collections import defaultdict
from time import sleep
from uuid import uuid4
-from contextlib import contextmanager
import simplejson as json
from taskthread import TimerTask
@@ -44,7 +42,6 @@ from u1db.remote.http_client import _encode_query_parameter, HTTPClientBase
from zope.proxy import ProxyBase
from zope.proxy import sameProxiedObjects, setProxiedObject
-from leap.soledad.common import soledad_assert
from leap.soledad.common.document import SoledadDocument
from leap.soledad.client.auth import TokenBasedAuth
from leap.soledad.client.crypto import is_symmetrically_encrypted