author | Joffrey F <joffrey@docker.com> | 2014-10-30 14:07:52 +0100 |
---|---|---|
committer | Joffrey F <joffrey@docker.com> | 2014-10-30 14:07:52 +0100 |
commit | 31fb94f973ea4fddfa1f3d9c2264cc6b5effa4b0 (patch) | |
tree | a1d343d6f690c40edfa72bdba96231f4615cdb03 | |
parent | 984411ef8ff272381603a68ae5112a0e9d8a5b96 (diff) | |
parent | 83691139831881f33011e426f09ac9c3796eaa70 (diff) | |
download | docker-py-31fb94f973ea4fddfa1f3d9c2264cc6b5effa4b0.tar.gz |
Merge branch 'ewindisch-angry-poodle'
-rw-r--r-- | docker/ssladapter/ssladapter.py | 11 | ||||
-rw-r--r-- | docker/tls.py | 7 |
2 files changed, 16 insertions, 2 deletions
diff --git a/docker/ssladapter/ssladapter.py b/docker/ssladapter/ssladapter.py
index e243d07..1d42fc9 100644
--- a/docker/ssladapter/ssladapter.py
+++ b/docker/ssladapter/ssladapter.py
@@ -4,6 +4,7 @@
 """
 from distutils.version import StrictVersion
 from requests.adapters import HTTPAdapter
+import ssl
 try:
     import requests.packages.urllib3 as urllib3
 except ImportError:
@@ -13,9 +14,19 @@ except ImportError:
 PoolManager = urllib3.poolmanager.PoolManager
 
 
+def get_max_tls_protocol():
+    protocols = ('PROTOCOL_TLSv1_2',
+                 'PROTOCOL_TLSv1_1',
+                 'PROTOCOL_TLSv1')
+    for proto in protocols:
+        if hasattr(ssl, proto):
+            return getattr(ssl, proto)
+
+
 class SSLAdapter(HTTPAdapter):
     '''An HTTPS Transport Adapter that uses an arbitrary SSL version.'''
     def __init__(self, ssl_version=None, assert_hostname=None, **kwargs):
+        ssl_version = ssl_version or get_max_tls_protocol()
         self.ssl_version = ssl_version
         self.assert_hostname = assert_hostname
         super(SSLAdapter, self).__init__(**kwargs)
diff --git a/docker/tls.py b/docker/tls.py
index 0e78984..c007d0b 100644
--- a/docker/tls.py
+++ b/docker/tls.py
@@ -17,8 +17,11 @@ class TLSConfig(object):
         # here, but also disable any public/default CA pool verification by
         # leaving tls_verify=False
 
-        # urllib3 sets a default ssl_version if ssl_version is None
-        # http://tinyurl.com/kxga8hb
+        # urllib3 sets a default ssl_version if ssl_version is None,
+        # but that default is the vulnerable PROTOCOL_SSLv23 selection,
+        # so we override the default with the maximum supported in the running
+        # Python interpeter up to TLS 1.2. (see: http://tinyurl.com/kxga8hb)
+        ssl_version = ssl_version or ssladapter.get_max_tls_protocol()
         self.ssl_version = ssl_version
         self.assert_hostname = assert_hostname
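Review bot: get_max_tls_protocol() falls through and returns None when none of the three PROTOCOL_TLSv1* names exist on the ssl module, so `ssl_version = ssl_version or get_max_tls_protocol()` in SSLAdapter.__init__ hands None to urllib3 and silently lands back on the very default this merge sets out to replace; the same line in docker/tls.py shares the gap. Ending the function with `raise RuntimeError('ssl module exposes no TLS protocol constant')` after the loop turns that silent downgrade into an explicit failure. The function also needs a docstring, e.g. `"""Return the newest TLS protocol constant exposed by this interpreter's ssl module (TLS 1.2, then 1.1, then 1.0)."""`, so the preference order is stated rather than read off the tuple. Note that `or` treats an explicit integer 0 as unset (ssl.PROTOCOL_SSLv2 carries that value), which should either be stated in a comment as intentional or replaced by an `is None` check. The new comment in docker/tls.py misspells 'interpreter' as 'interpeter'.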