sslutil: use saner TLS settings on Python 2.7.9...
Augie Fackler -
r23850:e1931f7c default
@@ -20,7 +20,17 b' try:'
20
20
21 def ssl_wrap_socket(sock, keyfile, certfile, cert_reqs=ssl.CERT_NONE,
21 def ssl_wrap_socket(sock, keyfile, certfile, cert_reqs=ssl.CERT_NONE,
22 ca_certs=None, serverhostname=None):
22 ca_certs=None, serverhostname=None):
23 sslcontext = ssl.SSLContext(PROTOCOL_TLSv1)
23 # Allow any version of SSL starting with TLSv1 and
24 # up. Note that specifying TLSv1 here prohibits use of
25 # newer standards (like TLSv1_2), so this is the right way
26 # to do this. Note that in the future it'd be better to
27 # support using ssl.create_default_context(), which sets
28 # up a bunch of things in smart ways (strong ciphers,
29 # protocol versions, etc) and is upgraded by Python
30 # maintainers for us, but that breaks too many things to
31 # do it in a hurry.
32 sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
33 sslcontext.options &= ssl.OP_NO_SSLv2 & ssl.OP_NO_SSLv3
24 if certfile is not None:
34 if certfile is not None:
25 sslcontext.load_cert_chain(certfile, keyfile)
35 sslcontext.load_cert_chain(certfile, keyfile)
26 sslcontext.verify_mode = cert_reqs
36 sslcontext.verify_mode = cert_reqs
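Review bot: The added line `sslcontext.options &= ssl.OP_NO_SSLv2 & ssl.OP_NO_SSLv3` does not turn SSLv2 or SSLv3 off. The two constants are separate flag bits, so their bitwise AND is 0, and `&=` with 0 clears every option already set on the context, including the library defaults. Setting the flags needs OR on both sides: `sslcontext.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3`. Because the line above selects `ssl.PROTOCOL_SSLv23`, the context as written can presumably still negotiate SSLv3 wherever the linked OpenSSL offers it, which is the opposite of what the new comment describes. Asserting `sslcontext.options & ssl.OP_NO_SSLv3` after construction would catch this; the body of ssl_wrap_socket continues past the end of the hunk.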