[CalendarServer-changes] [14048] CalendarServer/branches/release/CalendarServer-4.3.1-dev/twext/ internet/ssl.py
source_changes at macosforge.org
source_changes at macosforge.org
Mon Oct 6 13:45:04 PDT 2014
Revision: 14048
http://trac.calendarserver.org//changeset/14048
Author: wsanchez at apple.com
Date: 2014-10-06 13:45:04 -0700 (Mon, 06 Oct 2014)
Log Message:
-----------
Disable SSLv2 and SSLv3.
Modified Paths:
--------------
CalendarServer/branches/release/CalendarServer-4.3.1-dev/twext/internet/ssl.py
Modified: CalendarServer/branches/release/CalendarServer-4.3.1-dev/twext/internet/ssl.py
===================================================================
--- CalendarServer/branches/release/CalendarServer-4.3.1-dev/twext/internet/ssl.py 2014-10-06 20:44:48 UTC (rev 14047)
+++ CalendarServer/branches/release/CalendarServer-4.3.1-dev/twext/internet/ssl.py 2014-10-06 20:45:04 UTC (rev 14048)
@@ -1,5 +1,5 @@
##
-# Copyright (c) 2005-2012 Apple Inc. All rights reserved.
+# Copyright (c) 2005-2014 Apple Inc. All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -15,14 +15,15 @@
##
"""
-Extentions to twisted.internet.ssl.
+Extensions to twisted.internet.ssl.
"""
__all__ = [
"ChainingOpenSSLContextFactory",
]
-from OpenSSL.SSL import Context as SSLContext, SSLv3_METHOD
+from OpenSSL.SSL import Context as SSLContext, SSLv23_METHOD, OP_NO_SSLv2, \
+ OP_CIPHER_SERVER_PREFERENCE, OP_NO_SSLv3
from twisted.internet.ssl import DefaultOpenSSLContextFactory
@@ -30,7 +31,7 @@
class ChainingOpenSSLContextFactory (DefaultOpenSSLContextFactory):
def __init__(
self, privateKeyFileName, certificateFileName,
- sslmethod=SSLv3_METHOD, certificateChainFile=None,
+ sslmethod=SSLv23_METHOD, certificateChainFile=None,
passwdCallback=None, ciphers=None
):
self.certificateChainFile = certificateChainFile
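Review bot: The `sslmethod` parameter of `__init__` still accepts any caller-supplied method, so a caller that passes `SSLv3_METHOD` explicitly would get a context that also has `OP_NO_SSLv3` set in `cacheContext` and would most likely fail every handshake with no hint as to why. The new default name is also easy to misread: `SSLv23_METHOD` selects version negotiation, not SSLv2/SSLv3, and the protocol floor comes only from the options set later. I would document this at the signature, for example `# SSLv23_METHOD = negotiate the highest version both peers support; SSLv2/SSLv3 are excluded by the options set in cacheContext()`. The body of `__init__` continues outside this hunk, so any existing validation of `sslmethod` is not visible here.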
@@ -44,12 +45,18 @@
sslmethod=sslmethod
)
+
def cacheContext(self):
# Unfortunate code duplication.
ctx = SSLContext(self.sslmethod)
+ # Always disable SSLv2/SSLv3
+ ctx.set_options(OP_NO_SSLv2)
+ ctx.set_options(OP_NO_SSLv3)
+
if self.ciphers is not None:
ctx.set_cipher_list(self.ciphers)
+ ctx.set_options(OP_CIPHER_SERVER_PREFERENCE)
if self.passwdCallback is not None:
ctx.set_passwd_cb(self.passwdCallback)
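Review bot: `OP_CIPHER_SERVER_PREFERENCE` appears to be set only inside the `if self.ciphers is not None:` branch, so with the default cipher list the client's ordering would still decide the suite. Indentation is lost in this rendering, so please confirm the nesting. If server preference is meant to be part of the hardening, set it with the unconditional options in one call: `ctx.set_options(OP_NO_SSLv2 | OP_NO_SSLv3 | OP_CIPHER_SERVER_PREFERENCE)`. The comment above the options could also say why, for example `# SSLv2/SSLv3 have protocol-level weaknesses; allow TLS only, whatever sslmethod was passed`. `cacheContext` continues past the end of the hunk, and no test in this change asserts that the resulting context has these options set.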