authorMatěj Cepl <mcepl@cepl.eu>2016-07-18 15:03:45 +0200
committerMatěj Cepl <mcepl@cepl.eu>2016-07-19 16:51:05 +0200
commit71d87c3025f3fe16af41f2014219b96be6524026 (patch)
tree116a0eddb8c2dd59f61119eb8a8a61fb7f042498
parent33301b829e3976275c099db8ff885d2816a66959 (diff)
Use better defaults for SSL_CTX_new().
Use TLS_method() when it is available, otherwise SSLv23_method(), and remove the explicit selection of sslv23.
-rw-r--r--M2Crypto/SSL/Context.py14
-rw-r--r--M2Crypto/ftpslib.py5
-rw-r--r--M2Crypto/httpslib.py2
-rw-r--r--M2Crypto/m2urllib.py4
-rw-r--r--M2Crypto/m2xmlrpclib.py2
-rw-r--r--contrib/dispatcher.py2
6 files changed, 14 insertions, 15 deletions
diff --git a/M2Crypto/SSL/Context.py b/M2Crypto/SSL/Context.py
index 092143d..f8ac7c9 100644
--- a/M2Crypto/SSL/Context.py
+++ b/M2Crypto/SSL/Context.py
@@ -51,21 +51,25 @@ class Context:
m2_ssl_ctx_free = m2.ssl_ctx_free
- def __init__(self, protocol='sslv23', weak_crypto=None,
+ def __init__(self, protocol='tls', weak_crypto=None,
post_connection_check=None):
# type: (str, Optional[int], Optional[Callable]) -> None
proto = getattr(m2, protocol + '_method', None)
if proto is None:
- raise ValueError("no such protocol '%s'" % protocol)
+ # default is 'sslv23' for older versions of OpenSSL
+ if protocol == 'tls':
+ proto = getattr(m2, 'sslv23_method')
+ else:
+ raise ValueError("no such protocol '%s'" % protocol)
self.ctx = m2.ssl_ctx_new(proto())
self.allow_unknown_ca = 0 # type: Union[int, bool]
self.post_connection_check = post_connection_check
ctxmap()[int(self.ctx)] = self
- m2.ssl_ctx_set_cache_size(self.ctx, long(128))
+ m2.ssl_ctx_set_cache_size(self.ctx, 128)
if weak_crypto is None:
if protocol == 'sslv23':
- self.set_options(m2.SSL_OP_ALL | m2.SSL_OP_NO_SSLv2)
- self.set_cipher_list('ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH')
+ self.set_options(m2.SSL_OP_ALL | m2.SSL_OP_NO_SSLv2 |
+ m2.SSL_OP_NO_SSLv3)
def __del__(self):
# type: () -> None
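Review bot: With the default now 'tls', the hardening block at the end of `__init__` is skipped for the default context: the guard `if protocol == 'sslv23':` only fires when a caller explicitly asks for sslv23, so a plain `Context()` — including the one that silently fell back to `sslv23_method` because `tls_method` is missing — gets neither SSL_OP_NO_SSLv2 nor SSL_OP_NO_SSLv3, whereas the old default did get SSL_OP_NO_SSLv2. Since those options should be harmless on a version-flexible TLS_method context, the guard can become `if protocol in ('sslv23', 'tls'):`, which also covers the fallback case. The fallback lookup `proto = getattr(m2, 'sslv23_method')` raises AttributeError rather than the ValueError callers expect when neither method exists; `getattr(m2, 'sslv23_method', None)` followed by the existing `is None` check keeps that contract. The removed `set_cipher_list('ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH')` line means the sslv23 path now inherits OpenSSL's default cipher list, which the commit message does not mention and deserves a comment or a changelog entry.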
diff --git a/M2Crypto/ftpslib.py b/M2Crypto/ftpslib.py
index ec059c3..3b5d89a 100644
--- a/M2Crypto/ftpslib.py
+++ b/M2Crypto/ftpslib.py
@@ -36,13 +36,10 @@ Copyright (c) 1999-2003 Ng Pheng Siong. All rights reserved."""
# We want to import whole stdlib ftplib objects, because our users want
# to use them.
from ftplib import * # noqa
-import socket # noqa
# M2Crypto
from M2Crypto import SSL
-DEFAULT_PROTOCOL = 'sslv23' # type: str
-
class FTP_TLS(FTP): # noqa
@@ -53,7 +50,7 @@ class FTP_TLS(FTP): # noqa
if ssl_ctx is not None:
self.ssl_ctx = ssl_ctx
else:
- self.ssl_ctx = SSL.Context(DEFAULT_PROTOCOL)
+ self.ssl_ctx = SSL.Context()
FTP.__init__(self, host)
self.prot = 0
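Review bot: Deleting the module-level `DEFAULT_PROTOCOL = 'sslv23'` removes a public name from `M2Crypto.ftpslib` (and, in the m2urllib hunk, from `M2Crypto.m2urllib`), so any caller that imported or read it breaks. If the intent is only to stop forcing sslv23, keep a compatibility alias such as `DEFAULT_PROTOCOL = 'tls'  # kept for backward compatibility; Context() now picks the method` and pass nothing to `SSL.Context()` as the hunk already does. The dropped `import socket  # noqa` looks, from its noqa marker, like a deliberate re-export next to `from ftplib import *`; if users rely on `ftpslib.socket`, that removal is a second silent API change and is worth a note in the commit message. The surrounding `__init__` of `FTP_TLS` starts outside the hunk.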
diff --git a/M2Crypto/httpslib.py b/M2Crypto/httpslib.py
index 6317780..32f536f 100644
--- a/M2Crypto/httpslib.py
+++ b/M2Crypto/httpslib.py
@@ -61,7 +61,7 @@ class HTTPSConnection(HTTPConnection):
self.ssl_ctx = ssl['ssl_context']
assert isinstance(self.ssl_ctx, SSL.Context), self.ssl_ctx
except KeyError:
- self.ssl_ctx = SSL.Context('sslv23')
+ self.ssl_ctx = SSL.Context()
HTTPConnection.__init__(self, host, port, strict)
def connect(self):
diff --git a/M2Crypto/m2urllib.py b/M2Crypto/m2urllib.py
index c7fb33b..6a69bac 100644
--- a/M2Crypto/m2urllib.py
+++ b/M2Crypto/m2urllib.py
@@ -22,8 +22,6 @@ if six.PY3:
else:
from urllib import * # noqa
-DEFAULT_PROTOCOL = 'sslv23'
-
def open_https(self, url, data=None, ssl_context=None):
# type: (AnyStr, Optional[bytes], Optional[SSL.Context]) -> addinfourl
@@ -38,7 +36,7 @@ def open_https(self, url, data=None, ssl_context=None):
if ssl_context is not None and isinstance(ssl_context, SSL.Context):
self.ctx = ssl_context
else:
- self.ctx = SSL.Context(DEFAULT_PROTOCOL)
+ self.ctx = SSL.Context()
user_passwd = None
if isinstance(url, six.string_types):
try: # python 2
diff --git a/M2Crypto/m2xmlrpclib.py b/M2Crypto/m2xmlrpclib.py
index 56a56ca..90113e9 100644
--- a/M2Crypto/m2xmlrpclib.py
+++ b/M2Crypto/m2xmlrpclib.py
@@ -31,7 +31,7 @@ class SSL_Transport(Transport): # noqa
# type: (Optional[SSL.Context], *List[Any], **Dict[Any, Any]) -> None
Transport.__init__(self, *args, **kw)
if ssl_context is None:
- self.ssl_ctx = SSL.Context('sslv23')
+ self.ssl_ctx = SSL.Context()
else:
self.ssl_ctx = ssl_context
diff --git a/contrib/dispatcher.py b/contrib/dispatcher.py
index 6d857ad..8e74985 100644
--- a/contrib/dispatcher.py
+++ b/contrib/dispatcher.py
@@ -45,7 +45,7 @@ class dispatcher(asyncore.dispatcher_with_send):
else:
self.create_socket (socket.AF_INET, socket.SOCK_STREAM)
- self.ctx = SSL.Context('sslv23')
+ self.ctx = SSL.Context()
self.ctx.set_verify(SSL.verify_none, 10)
self.ctx.load_cert(cert, key)
self.ctx.set_info_callback()