[CalendarServer-changes] [13918] twext/trunk/twext/internet/ssl.py
source_changes at macosforge.org
source_changes at macosforge.org
Tue Aug 26 13:02:30 PDT 2014
Revision: 13918
http://trac.calendarserver.org//changeset/13918
Author: cdaboo at apple.com
Date: 2014-08-26 13:02:30 -0700 (Tue, 26 Aug 2014)
Log Message:
-----------
Enhance TLS security.
Modified Paths:
--------------
twext/trunk/twext/internet/ssl.py
Modified: twext/trunk/twext/internet/ssl.py
===================================================================
--- twext/trunk/twext/internet/ssl.py 2014-08-25 17:39:41 UTC (rev 13917)
+++ twext/trunk/twext/internet/ssl.py 2014-08-26 20:02:30 UTC (rev 13918)
@@ -15,14 +15,15 @@
##
"""
-Extentions to twisted.internet.ssl.
+Extensions to twisted.internet.ssl.
"""
__all__ = [
"ChainingOpenSSLContextFactory",
]
-from OpenSSL.SSL import Context as SSLContext, SSLv3_METHOD
+from OpenSSL.SSL import Context as SSLContext, SSLv23_METHOD, OP_NO_SSLv2, \
+ OP_CIPHER_SERVER_PREFERENCE
from twisted.internet.ssl import DefaultOpenSSLContextFactory
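Review bot: The widened `from OpenSSL.SSL import ...` line uses a backslash continuation to wrap; a parenthesized import is the idiomatic form and is easier to extend as more `OP_*` flags are added, e.g. `from OpenSSL.SSL import (Context as SSLContext, SSLv23_METHOD, OP_NO_SSLv2, OP_CIPHER_SERVER_PREFERENCE)`. Note that `OP_NO_SSLv3` is not among the imported names, which matters for the option-setting hunk further down (see the note there).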
@@ -30,7 +31,7 @@
class ChainingOpenSSLContextFactory (DefaultOpenSSLContextFactory):
def __init__(
self, privateKeyFileName, certificateFileName,
- sslmethod=SSLv3_METHOD, certificateChainFile=None,
+ sslmethod=SSLv23_METHOD, certificateChainFile=None,
passwdCallback=None, ciphers=None
):
self.certificateChainFile = certificateChainFile
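Review bot: Changing the default `sslmethod` to `SSLv23_METHOD` alters behaviour for every caller that omits the argument — instead of being pinned to SSLv3, the context now negotiates whichever protocol version both sides support among those the linked OpenSSL provides — yet nothing in the hunk documents this. A short docstring on `__init__` would make the contract explicit, along the lines of `sslmethod: OpenSSL method constant; defaults to SSLv23_METHOD, which negotiates the best mutually supported version — further restrict versions via set_options on the context`. The `__init__` body continues outside the hunk.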
@@ -49,8 +50,12 @@
# Unfortunate code duplication.
ctx = SSLContext(self.sslmethod)
+ # Always disable SSLv2
+ ctx.set_options(OP_NO_SSLv2)
+
if self.ciphers is not None:
ctx.set_cipher_list(self.ciphers)
+ ctx.set_options(OP_CIPHER_SERVER_PREFERENCE)
if self.passwdCallback is not None:
ctx.set_passwd_cb(self.passwdCallback)
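Review bot: The `# Always disable SSLv2` block still leaves SSLv3 negotiable: with `SSLv23_METHOD` the context accepts any version the linked OpenSSL supports and only `OP_NO_SSLv2` is masked off, so a peer can still settle on SSLv3. Unless SSLv3 clients must be supported, the call should be `ctx.set_options(OP_NO_SSLv2 | OP_NO_SSLv3)`, with `OP_NO_SSLv3` added to the import in the first hunk. Separately, `ctx.set_options(OP_CIPHER_SERVER_PREFERENCE)` sits inside the `if self.ciphers is not None:` branch, so a factory built with the default cipher list never gets server-side cipher ordering; the option does not depend on the cipher string, so moving that line out of the `if` so it runs unconditionally looks like the intended behaviour. The method containing these lines starts outside the hunk.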