##// END OF EJS Templates
sslutil: implement wrapserversocket()...
Gregory Szorc -
r29554:4a7b0c69 default
parent child Browse files
Show More
@@ -325,6 +325,52 b' def wrapsocket(sock, keyfile, certfile, '
325 325
326 326 return sslsocket
327 327
328 def wrapserversocket(sock, ui, certfile=None, keyfile=None, cafile=None,
329 requireclientcert=False):
330 """Wrap a socket for use by servers.
331
332 ``certfile`` and ``keyfile`` specify the files containing the certificate's
333 public and private keys, respectively. Both keys can be defined in the same
334 file via ``certfile`` (the private key must come first in the file).
335
336 ``cafile`` defines the path to certificate authorities.
337
338 ``requireclientcert`` specifies whether to require client certificates.
339
340 Typically ``cafile`` is only defined if ``requireclientcert`` is true.
341 """
342 if modernssl:
343 # We /could/ use create_default_context() here since it doesn't load
344 # CAs when configured for client auth.
345 sslcontext = SSLContext(ssl.PROTOCOL_SSLv23)
346 # SSLv2 and SSLv3 are broken. Ban them outright.
347 sslcontext.options |= OP_NO_SSLv2 | OP_NO_SSLv3
348 # Prevent CRIME
349 sslcontext.options |= getattr(ssl, 'OP_NO_COMPRESSION', 0)
350 # Improve forward secrecy.
351 sslcontext.options |= getattr(ssl, 'OP_SINGLE_DH_USE', 0)
352 sslcontext.options |= getattr(ssl, 'OP_SINGLE_ECDH_USE', 0)
353
354 # Use the list of more secure ciphers if found in the ssl module.
355 if util.safehasattr(ssl, '_RESTRICTED_SERVER_CIPHERS'):
356 sslcontext.options |= getattr(ssl, 'OP_CIPHER_SERVER_PREFERENCE', 0)
357 sslcontext.set_ciphers(ssl._RESTRICTED_SERVER_CIPHERS)
358 else:
359 sslcontext = SSLContext(ssl.PROTOCOL_TLSv1)
360
361 if requireclientcert:
362 sslcontext.verify_mode = ssl.CERT_REQUIRED
363 else:
364 sslcontext.verify_mode = ssl.CERT_NONE
365
366 if certfile or keyfile:
367 sslcontext.load_cert_chain(certfile=certfile, keyfile=keyfile)
368
369 if cafile:
370 sslcontext.load_verify_locations(cafile=cafile)
371
372 return sslcontext.wrap_socket(sock, server_side=True)
373
328 374 class wildcarderror(Exception):
329 375 """Represents an error parsing wildcards in DNS name."""
330 376
General Comments 0
You need to be logged in to leave comments. Login now