[CalendarServer-changes] [14047] CalendarServer/branches/release/CalendarServer-4.2.1-dev/twext/ internet/ssl.py

Mon Oct 6 13:44:48 PDT 2014


Revision: 14047
          http://trac.calendarserver.org//changeset/14047
Author:   wsanchez at apple.com
Date:     2014-10-06 13:44:48 -0700 (Mon, 06 Oct 2014)
Log Message:
-----------
Disable SSLv2 and SSLv3.

Modified Paths:
--------------
    CalendarServer/branches/release/CalendarServer-4.2.1-dev/twext/internet/ssl.py

Modified: CalendarServer/branches/release/CalendarServer-4.2.1-dev/twext/internet/ssl.py
===================================================================
--- CalendarServer/branches/release/CalendarServer-4.2.1-dev/twext/internet/ssl.py	2014-10-06 17:58:39 UTC (rev 14046)
+++ CalendarServer/branches/release/CalendarServer-4.2.1-dev/twext/internet/ssl.py	2014-10-06 20:44:48 UTC (rev 14047)
@@ -1,5 +1,5 @@
 ##
-# Copyright (c) 2005-2012 Apple Inc. All rights reserved.
+# Copyright (c) 2005-2014 Apple Inc. All rights reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -15,14 +15,15 @@
 ##
 
 """
-Extentions to twisted.internet.ssl.
+Extensions to twisted.internet.ssl.
 """
 
 __all__ = [
     "ChainingOpenSSLContextFactory",
 ]
 
-from OpenSSL.SSL import Context as SSLContext, SSLv3_METHOD
+from OpenSSL.SSL import Context as SSLContext, SSLv23_METHOD, OP_NO_SSLv2, \
+    OP_CIPHER_SERVER_PREFERENCE, OP_NO_SSLv3
 
 from twisted.internet.ssl import DefaultOpenSSLContextFactory
 
@@ -30,7 +31,7 @@
 class ChainingOpenSSLContextFactory (DefaultOpenSSLContextFactory):
     def __init__(
         self, privateKeyFileName, certificateFileName,
-        sslmethod=SSLv3_METHOD, certificateChainFile=None,
+        sslmethod=SSLv23_METHOD, certificateChainFile=None,
         passwdCallback=None, ciphers=None
     ):
         self.certificateChainFile = certificateChainFile
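Review bot: Changing the default to `SSLv23_METHOD` is the right move, but `sslmethod` remains a caller-supplied parameter, and a caller that still passes the old `SSLv3_METHOD` explicitly will, as far as I can tell, end up with a context whose only protocol is then disabled by the `OP_NO_SSLv3` option set in `cacheContext`, so every handshake fails with no obvious cause. Either document the constraint on the parameter, e.g. `# sslmethod must be a version-flexible method; SSLv2 and SSLv3 are refused in cacheContext()`, or raise a `ValueError` in `__init__` for SSLv2/SSLv3-only methods so the misconfiguration surfaces at startup rather than at the first connection. The `__init__` body continues past the end of this hunk.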
@@ -44,12 +45,18 @@
             sslmethod=sslmethod
         )
 
+
     def cacheContext(self):
         # Unfortunate code duplication.
         ctx = SSLContext(self.sslmethod)
 
+        # Always disable SSLv2/SSLv3
+        ctx.set_options(OP_NO_SSLv2)
+        ctx.set_options(OP_NO_SSLv3)
+
         if self.ciphers is not None:
             ctx.set_cipher_list(self.ciphers)
+            ctx.set_options(OP_CIPHER_SERVER_PREFERENCE)
 
         if self.passwdCallback is not None:
             ctx.set_passwd_cb(self.passwdCallback)
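Review bot: `OP_CIPHER_SERVER_PREFERENCE` at L72 is only applied when a custom cipher list was supplied, so with the default cipher list the client's ordering still decides which suite is negotiated; unless that asymmetry is intended, set it together with the protocol options, which also collapses the two consecutive `set_options` calls at L67–L68 into one since the flags are a bitmask: `ctx.set_options(OP_NO_SSLv2 | OP_NO_SSLv3 | OP_CIPHER_SERVER_PREFERENCE)`. The comment `# Always disable SSLv2/SSLv3` would be more useful if it said why, e.g. `# SSLv2 and SSLv3 are insecure; refuse them regardless of the sslmethod passed in`. The `cacheContext` body continues past the end of this hunk, and the existing `# Unfortunate code duplication` comment suggests the parent class builds its own context elsewhere — if that path is still reachable it does not get these options.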