Show More
| @@ -325,6 +325,52 b' def wrapsocket(sock, keyfile, certfile, ' | |||
|
|
325 | 325 | |
|
|
326 | 326 | return sslsocket |
|
|
327 | 327 | |
|
|
328 | def wrapserversocket(sock, ui, certfile=None, keyfile=None, cafile=None, | |
|
|
329 | requireclientcert=False): | |
|
|
330 | """Wrap a socket for use by servers. | |
|
|
331 | ||
|
|
332 | ``certfile`` and ``keyfile`` specify the files containing the certificate's | |
|
|
333 | public and private keys, respectively. Both keys can be defined in the same | |
|
|
334 | file via ``certfile`` (the private key must come first in the file). | |
|
|
335 | ||
|
|
336 | ``cafile`` defines the path to certificate authorities. | |
|
|
337 | ||
|
|
338 | ``requireclientcert`` specifies whether to require client certificates. | |
|
|
339 | ||
|
|
340 | Typically ``cafile`` is only defined if ``requireclientcert`` is true. | |
|
|
341 | """ | |
|
|
342 | if modernssl: | |
|
|
343 | # We /could/ use create_default_context() here since it doesn't load | |
|
|
344 | # CAs when configured for client auth. | |
|
|
345 | sslcontext = SSLContext(ssl.PROTOCOL_SSLv23) | |
|
|
346 | # SSLv2 and SSLv3 are broken. Ban them outright. | |
|
|
347 | sslcontext.options |= OP_NO_SSLv2 | OP_NO_SSLv3 | |
|
|
348 | # Prevent CRIME | |
|
|
349 | sslcontext.options |= getattr(ssl, 'OP_NO_COMPRESSION', 0) | |
|
|
350 | # Improve forward secrecy. | |
|
|
351 | sslcontext.options |= getattr(ssl, 'OP_SINGLE_DH_USE', 0) | |
|
|
352 | sslcontext.options |= getattr(ssl, 'OP_SINGLE_ECDH_USE', 0) | |
|
|
353 | ||
|
|
354 | # Use the list of more secure ciphers if found in the ssl module. | |
|
|
355 | if util.safehasattr(ssl, '_RESTRICTED_SERVER_CIPHERS'): | |
|
|
356 | sslcontext.options |= getattr(ssl, 'OP_CIPHER_SERVER_PREFERENCE', 0) | |
|
|
357 | sslcontext.set_ciphers(ssl._RESTRICTED_SERVER_CIPHERS) | |
|
|
358 | else: | |
|
|
359 | sslcontext = SSLContext(ssl.PROTOCOL_TLSv1) | |
|
|
360 | ||
|
|
361 | if requireclientcert: | |
|
|
362 | sslcontext.verify_mode = ssl.CERT_REQUIRED | |
|
|
363 | else: | |
|
|
364 | sslcontext.verify_mode = ssl.CERT_NONE | |
|
|
365 | ||
|
|
366 | if certfile or keyfile: | |
|
|
367 | sslcontext.load_cert_chain(certfile=certfile, keyfile=keyfile) | |
|
|
368 | ||
|
|
369 | if cafile: | |
|
|
370 | sslcontext.load_verify_locations(cafile=cafile) | |
|
|
371 | ||
|
|
372 | return sslcontext.wrap_socket(sock, server_side=True) | |
|
|
373 | ||
|
|
328 | 374 | class wildcarderror(Exception): |
|
|
329 | 375 | """Represents an error parsing wildcards in DNS name.""" |
|
|
330 | 376 | |
General Comments 0
You need to be logged in to leave comments.
Login now