From e073ff3c736f70fbf0ae9767db9b223becee0b4e Mon Sep 17 00:00:00 2001 From: Kali Kaneko Date: Wed, 26 Nov 2014 21:06:25 +0100 Subject: force tls v1 in soledad client. Partially fixes #6437 --- client/changes/bug_6437_use_tls | 1 + client/src/leap/soledad/client/__init__.py | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) create mode 100644 client/changes/bug_6437_use_tls (limited to 'client') diff --git a/client/changes/bug_6437_use_tls b/client/changes/bug_6437_use_tls new file mode 100644 index 00000000..7138d962 --- /dev/null +++ b/client/changes/bug_6437_use_tls @@ -0,0 +1 @@ + o Use TLS v1 in soledad client. Fixes partially #6437 diff --git a/client/src/leap/soledad/client/__init__.py b/client/src/leap/soledad/client/__init__.py index 586e3389..4703133c 100644 --- a/client/src/leap/soledad/client/__init__.py +++ b/client/src/leap/soledad/client/__init__.py @@ -1335,7 +1335,8 @@ class VerifiedHTTPSConnection(httplib.HTTPSConnection): self.sock = ssl.wrap_socket(sock, ca_certs=SOLEDAD_CERT, - cert_reqs=ssl.CERT_REQUIRED) + cert_reqs=ssl.CERT_REQUIRED, + ssl_version=ssl.PROTOCOL_TLSv1) match_hostname(self.sock.getpeercert(), self.host) -- cgit v1.2.3 From 6fc80e14d568d83df7899e516d1422b2e011d2cb Mon Sep 17 00:00:00 2001 From: Kali Kaneko Date: Wed, 3 Dec 2014 00:22:18 +0100 Subject: Use SSL negotiation. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Although the API can be misleading, PROTOCOL_SSLv23 selects the highest protocol version that both the client and server support. Despite the name, this option can select “TLS” protocols as well as “SSL”. In this way, we can use TLSv1.2 (PROTOCOL_TLSv1 will *only* give us TLS v1.0) In the client side, we try to disable SSLv2 and SSLv3 options explicitely. The python version in wheezy does not offer PROTOCOL_TLSv1_2 nor OP_NO_SSLv2 or OP_NO_SSLv3 (It's new in 2.7.9) --- client/src/leap/soledad/client/__init__.py | 21 +++++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-) (limited to 'client') diff --git a/client/src/leap/soledad/client/__init__.py b/client/src/leap/soledad/client/__init__.py index 4703133c..7ef5f6a9 100644 --- a/client/src/leap/soledad/client/__init__.py +++ b/client/src/leap/soledad/client/__init__.py @@ -1333,10 +1333,23 @@ class VerifiedHTTPSConnection(httplib.HTTPSConnection): self.sock = sock self._tunnel() - self.sock = ssl.wrap_socket(sock, - ca_certs=SOLEDAD_CERT, - cert_reqs=ssl.CERT_REQUIRED, - ssl_version=ssl.PROTOCOL_TLSv1) + # negotiate the best availabe version... + ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23) + + # but if possible, we want to disable bad ones + # needs python 2.7.9+ + try: + ctx.options |= ssl.OP_NO_SSLv2 + ctx.options |= ssl.OP_NO_SSLv3 + except AttributeError: + pass + + ctx.load_cert_chain(certfile=SOLEDAD_CERT) + ctx.verify_mode = ssl.CERT_REQUIRED + + self.sock = ctx.wrap_socket( + sock, server_side=True, server_hostname=self.host) + match_hostname(self.sock.getpeercert(), self.host) -- cgit v1.2.3 From 527c28c73d22b5f852273e2c5d1713e82a2c49fd Mon Sep 17 00:00:00 2001 From: Kali Kaneko Date: Thu, 4 Dec 2014 18:13:06 +0100 Subject: fix ssl negotiation since ssl.SSLContext does not exist prior to python 2.7.9 --- client/src/leap/soledad/client/__init__.py | 23 +++++++++++++---------- 1 file changed, 13 insertions(+), 10 deletions(-) (limited to 'client') diff --git a/client/src/leap/soledad/client/__init__.py b/client/src/leap/soledad/client/__init__.py index 7ef5f6a9..c350d021 100644 --- a/client/src/leap/soledad/client/__init__.py +++ b/client/src/leap/soledad/client/__init__.py @@ -1333,22 +1333,25 @@ class VerifiedHTTPSConnection(httplib.HTTPSConnection): self.sock = sock self._tunnel() - # negotiate the best availabe version... - ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23) + highest_supported = ssl.PROTOCOL_SSLv23 - # but if possible, we want to disable bad ones - # needs python 2.7.9+ try: + # needs python 2.7.9+ + # negotiate the best available version, + # but explicitely disabled bad ones. + ctx = ssl.SSLContext(highest_supported) ctx.options |= ssl.OP_NO_SSLv2 ctx.options |= ssl.OP_NO_SSLv3 - except AttributeError: - pass - ctx.load_cert_chain(certfile=SOLEDAD_CERT) - ctx.verify_mode = ssl.CERT_REQUIRED + ctx.load_cert_chain(certfile=SOLEDAD_CERT) + ctx.verify_mode = ssl.CERT_REQUIRED + self.sock = ctx.wrap_socket( + sock, server_side=True, server_hostname=self.host) - self.sock = ctx.wrap_socket( - sock, server_side=True, server_hostname=self.host) + except AttributeError: + self.sock = ssl.wrap_socket( + sock, ca_certs=SOLEDAD_CERT, cert_reqs=ssl.CERT_REQUIRED, + ssl_version=highest_supported) match_hostname(self.sock.getpeercert(), self.host) -- cgit v1.2.3 From 2abe641215b6435fa3c18ae802a621a23d01f643 Mon Sep 17 00:00:00 2001 From: drebs Date: Mon, 8 Dec 2014 14:36:25 -0200 Subject: Fold in changes. --- client/changes/bug_6437_use_tls | 1 - 1 file changed, 1 deletion(-) delete mode 100644 client/changes/bug_6437_use_tls (limited to 'client') diff --git a/client/changes/bug_6437_use_tls b/client/changes/bug_6437_use_tls deleted file mode 100644 index 7138d962..00000000 --- a/client/changes/bug_6437_use_tls +++ /dev/null @@ -1 +0,0 @@ - o Use TLS v1 in soledad client. Fixes partially #6437 -- cgit v1.2.3