Show More
@@ -325,6 +325,52 b' def wrapsocket(sock, keyfile, certfile, ' | |||||
325 |
|
325 | |||
326 | return sslsocket |
|
326 | return sslsocket | |
327 |
|
327 | |||
|
328 | def wrapserversocket(sock, ui, certfile=None, keyfile=None, cafile=None, | |||
|
329 | requireclientcert=False): | |||
|
330 | """Wrap a socket for use by servers. | |||
|
331 | ||||
|
332 | ``certfile`` and ``keyfile`` specify the files containing the certificate's | |||
|
333 | public and private keys, respectively. Both keys can be defined in the same | |||
|
334 | file via ``certfile`` (the private key must come first in the file). | |||
|
335 | ||||
|
336 | ``cafile`` defines the path to certificate authorities. | |||
|
337 | ||||
|
338 | ``requireclientcert`` specifies whether to require client certificates. | |||
|
339 | ||||
|
340 | Typically ``cafile`` is only defined if ``requireclientcert`` is true. | |||
|
341 | """ | |||
|
342 | if modernssl: | |||
|
343 | # We /could/ use create_default_context() here since it doesn't load | |||
|
344 | # CAs when configured for client auth. | |||
|
345 | sslcontext = SSLContext(ssl.PROTOCOL_SSLv23) | |||
|
346 | # SSLv2 and SSLv3 are broken. Ban them outright. | |||
|
347 | sslcontext.options |= OP_NO_SSLv2 | OP_NO_SSLv3 | |||
|
348 | # Prevent CRIME | |||
|
349 | sslcontext.options |= getattr(ssl, 'OP_NO_COMPRESSION', 0) | |||
|
350 | # Improve forward secrecy. | |||
|
351 | sslcontext.options |= getattr(ssl, 'OP_SINGLE_DH_USE', 0) | |||
|
352 | sslcontext.options |= getattr(ssl, 'OP_SINGLE_ECDH_USE', 0) | |||
|
353 | ||||
|
354 | # Use the list of more secure ciphers if found in the ssl module. | |||
|
355 | if util.safehasattr(ssl, '_RESTRICTED_SERVER_CIPHERS'): | |||
|
356 | sslcontext.options |= getattr(ssl, 'OP_CIPHER_SERVER_PREFERENCE', 0) | |||
|
357 | sslcontext.set_ciphers(ssl._RESTRICTED_SERVER_CIPHERS) | |||
|
358 | else: | |||
|
359 | sslcontext = SSLContext(ssl.PROTOCOL_TLSv1) | |||
|
360 | ||||
|
361 | if requireclientcert: | |||
|
362 | sslcontext.verify_mode = ssl.CERT_REQUIRED | |||
|
363 | else: | |||
|
364 | sslcontext.verify_mode = ssl.CERT_NONE | |||
|
365 | ||||
|
366 | if certfile or keyfile: | |||
|
367 | sslcontext.load_cert_chain(certfile=certfile, keyfile=keyfile) | |||
|
368 | ||||
|
369 | if cafile: | |||
|
370 | sslcontext.load_verify_locations(cafile=cafile) | |||
|
371 | ||||
|
372 | return sslcontext.wrap_socket(sock, server_side=True) | |||
|
373 | ||||
328 | class wildcarderror(Exception): |
|
374 | class wildcarderror(Exception): | |
329 | """Represents an error parsing wildcards in DNS name.""" |
|
375 | """Represents an error parsing wildcards in DNS name.""" | |
330 |
|
376 |
General Comments 0
You need to be logged in to leave comments.
Login now