author | Matěj Cepl <mcepl@cepl.eu> | 2016-07-18 15:03:45 +0200 |
---|---|---|
committer | Matěj Cepl <mcepl@cepl.eu> | 2016-07-19 16:51:05 +0200 |
commit | 71d87c3025f3fe16af41f2014219b96be6524026 (patch) | |
tree | 116a0eddb8c2dd59f61119eb8a8a61fb7f042498 | |
parent | 33301b829e3976275c099db8ff885d2816a66959 (diff) | |
Use better defaults for SSL_CTX_new().
Default to TLS_method() where OpenSSL provides it, falling back to
SSLv23_method() otherwise, and drop the explicit 'sslv23' selection from callers.
-rw-r--r-- | M2Crypto/SSL/Context.py | 14 | ||||
-rw-r--r-- | M2Crypto/ftpslib.py | 5 | ||||
-rw-r--r-- | M2Crypto/httpslib.py | 2 | ||||
-rw-r--r-- | M2Crypto/m2urllib.py | 4 | ||||
-rw-r--r-- | M2Crypto/m2xmlrpclib.py | 2 | ||||
-rw-r--r-- | contrib/dispatcher.py | 2 |
6 files changed, 14 insertions, 15 deletions
diff --git a/M2Crypto/SSL/Context.py b/M2Crypto/SSL/Context.py
index 092143d..f8ac7c9 100644
--- a/M2Crypto/SSL/Context.py
+++ b/M2Crypto/SSL/Context.py
@@ -51,21 +51,25 @@ class Context:
 m2_ssl_ctx_free = m2.ssl_ctx_free
- def __init__(self, protocol='sslv23', weak_crypto=None,
+ def __init__(self, protocol='tls', weak_crypto=None,
 post_connection_check=None):
 # type: (str, Optional[int], Optional[Callable]) -> None
 proto = getattr(m2, protocol + '_method', None)
 if proto is None:
- raise ValueError("no such protocol '%s'" % protocol)
+ # default is 'sslv23' for older versions of OpenSSL
+ if protocol == 'tls':
+ proto = getattr(m2, 'sslv23_method')
+ else:
+ raise ValueError("no such protocol '%s'" % protocol)
 self.ctx = m2.ssl_ctx_new(proto())
 self.allow_unknown_ca = 0 # type: Union[int, bool]
 self.post_connection_check = post_connection_check
 ctxmap()[int(self.ctx)] = self
- m2.ssl_ctx_set_cache_size(self.ctx, long(128))
+ m2.ssl_ctx_set_cache_size(self.ctx, 128)
 if weak_crypto is None:
 if protocol == 'sslv23':
- self.set_options(m2.SSL_OP_ALL | m2.SSL_OP_NO_SSLv2)
- self.set_cipher_list('ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH')
+ self.set_options(m2.SSL_OP_ALL | m2.SSL_OP_NO_SSLv2 |
+ m2.SSL_OP_NO_SSLv3)
 def __del__(self):
 # type: () -> None
diff --git a/M2Crypto/ftpslib.py b/M2Crypto/ftpslib.py
index ec059c3..3b5d89a 100644
--- a/M2Crypto/ftpslib.py
+++ b/M2Crypto/ftpslib.py
@@ -36,13 +36,10 @@ Copyright (c) 1999-2003 Ng Pheng Siong. All rights reserved."""
 # We want to import whole stdlib ftplib objects, because our users want
 # to use them.
 from ftplib import * # noqa
-import socket # noqa
 # M2Crypto
 from M2Crypto import SSL
-DEFAULT_PROTOCOL = 'sslv23' # type: str
-
 class FTP_TLS(FTP): # noqa
@@ -53,7 +50,7 @@ class FTP_TLS(FTP): # noqa
 if ssl_ctx is not None:
 self.ssl_ctx = ssl_ctx
 else:
- self.ssl_ctx = SSL.Context(DEFAULT_PROTOCOL)
+ self.ssl_ctx = SSL.Context()
 FTP.__init__(self, host)
 self.prot = 0
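Review bot: The SSLv2/SSLv3-disabling options on the new side are still gated on `if protocol == 'sslv23':`, but the new default is `'tls'`, and when `tls_method` is missing the code falls back to `sslv23_method` while `protocol` still reads `'tls'` — so on exactly the older OpenSSL builds that still negotiate SSLv3, the default context never receives `SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3`. Gate on the method actually chosen instead, e.g. `if protocol in ('sslv23', 'tls'):`, or record a flag at the point of the fallback. The hunk also drops `self.set_cipher_list('ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH')` without a replacement, so the default context now inherits whatever cipher list the linked OpenSSL ships, which on older releases still admits export, LOW and MD5 suites; unless it is reinstated elsewhere (not visible here) I would keep that line under the same `weak_crypto is None` branch. Minor: the fallback `getattr(m2, 'sslv23_method')` has no default, so a build with neither method raises `AttributeError` rather than the `ValueError` the error message leads callers to expect. `__init__` begins inside the hunk; the class continues past it.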
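Review bot: The replaced line was the only visible user of the module-level `DEFAULT_PROTOCOL` that this commit removes from ftpslib, so any external code that referenced `ftpslib.DEFAULT_PROTOCOL` now fails with `AttributeError`; if that name was ever part of the public surface, a one-line `DEFAULT_PROTOCOL = 'tls'  # kept for backwards compatibility` next to the imports avoids the break at no cost. The same consideration applies to the `DEFAULT_PROTOCOL` removed from m2urllib in this commit. `FTP_TLS.__init__` starts before this hunk and continues after it.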
diff --git a/M2Crypto/httpslib.py b/M2Crypto/httpslib.py
index 6317780..32f536f 100644
--- a/M2Crypto/httpslib.py
+++ b/M2Crypto/httpslib.py
@@ -61,7 +61,7 @@ class HTTPSConnection(HTTPConnection):
 self.ssl_ctx = ssl['ssl_context']
 assert isinstance(self.ssl_ctx, SSL.Context), self.ssl_ctx
 except KeyError:
- self.ssl_ctx = SSL.Context('sslv23')
+ self.ssl_ctx = SSL.Context()
 HTTPConnection.__init__(self, host, port, strict)
 def connect(self):
diff --git a/M2Crypto/m2urllib.py b/M2Crypto/m2urllib.py
index c7fb33b..6a69bac 100644
--- a/M2Crypto/m2urllib.py
+++ b/M2Crypto/m2urllib.py
@@ -22,8 +22,6 @@ if six.PY3:
 else:
 from urllib import * # noqa
-DEFAULT_PROTOCOL = 'sslv23'
-
 def open_https(self, url, data=None, ssl_context=None):
 # type: (AnyStr, Optional[bytes], Optional[SSL.Context]) -> addinfourl
@@ -38,7 +36,7 @@ def open_https(self, url, data=None, ssl_context=None):
 if ssl_context is not None and isinstance(ssl_context, SSL.Context):
 self.ctx = ssl_context
 else:
- self.ctx = SSL.Context(DEFAULT_PROTOCOL)
+ self.ctx = SSL.Context()
 user_passwd = None
 if isinstance(url, six.string_types):
 try: # python 2
diff --git a/M2Crypto/m2xmlrpclib.py b/M2Crypto/m2xmlrpclib.py
index 56a56ca..90113e9 100644
--- a/M2Crypto/m2xmlrpclib.py
+++ b/M2Crypto/m2xmlrpclib.py
@@ -31,7 +31,7 @@ class SSL_Transport(Transport): # noqa
 # type: (Optional[SSL.Context], *List[Any], **Dict[Any, Any]) -> None
 Transport.__init__(self, *args, **kw)
 if ssl_context is None:
- self.ssl_ctx = SSL.Context('sslv23')
+ self.ssl_ctx = SSL.Context()
 else:
 self.ssl_ctx = ssl_context
diff --git a/contrib/dispatcher.py b/contrib/dispatcher.py
index 6d857ad..8e74985 100644
--- a/contrib/dispatcher.py
+++ b/contrib/dispatcher.py
@@ -45,7 +45,7 @@ class dispatcher(asyncore.dispatcher_with_send):
 else:
 self.create_socket (socket.AF_INET, socket.SOCK_STREAM)
- self.ctx = SSL.Context('sslv23')
+ self.ctx = SSL.Context()
 self.ctx.set_verify(SSL.verify_none, 10)
 self.ctx.load_cert(cert, key)
 self.ctx.set_info_callback() |
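Review bot: The new `SSL.Context()` on the changed line is immediately followed by the context line `self.ctx.set_verify(SSL.verify_none, 10)`, so this contrib example still performs no verification of the peer certificate; that is pre-existing, but since the commit is advertising "better defaults" and contrib code tends to be copied, a comment on that line such as `# verify_none is for the demo only; real deployments must verify the peer (e.g. SSL.verify_peer with a loaded CA)` would keep the newer protocol default from implying the context is safe as-is. The enclosing method starts before this hunk and continues after it.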