[CalendarServer-changes] [15161] twext/trunk/twext/internet/ssl.py
source_changes at macosforge.org
source_changes at macosforge.org
Wed Sep 30 03:53:04 PDT 2015
Revision: 15161
http://trac.calendarserver.org//changeset/15161
Author: cdaboo at apple.com
Date: 2015-09-30 03:53:04 -0700 (Wed, 30 Sep 2015)
Log Message:
-----------
Make sure SSL compression is always disabled if the underlying library supports it.
Modified Paths:
--------------
twext/trunk/twext/internet/ssl.py
Modified: twext/trunk/twext/internet/ssl.py
===================================================================
--- twext/trunk/twext/internet/ssl.py 2015-09-30 08:44:06 UTC (rev 15160)
+++ twext/trunk/twext/internet/ssl.py 2015-09-30 10:53:04 UTC (rev 15161)
@@ -22,6 +22,7 @@
"ChainingOpenSSLContextFactory",
]
+import OpenSSL
from OpenSSL.SSL import Context as SSLContext, SSLv23_METHOD, OP_NO_SSLv2, \
OP_CIPHER_SERVER_PREFERENCE, OP_NO_SSLv3, VERIFY_NONE, VERIFY_PEER, \
VERIFY_FAIL_IF_NO_PEER_CERT, VERIFY_CLIENT_ONCE
@@ -31,6 +32,7 @@
import uuid
+_OP_NO_COMPRESSION = getattr(OpenSSL.SSL, 'OP_NO_COMPRESSION', 0x00020000)
class ChainingOpenSSLContextFactory (DefaultOpenSSLContextFactory):
def __init__(
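Review bot: The fallback `0x00020000` on the `_OP_NO_COMPRESSION` line is an undocumented magic number, and it is used whenever pyOpenSSL does not export `OP_NO_COMPRESSION`, with nothing confirming that the linked OpenSSL honours that bit. The value appears to mirror OpenSSL's `SSL_OP_NO_COMPRESSION`; a comment such as `# SSL_OP_NO_COMPRESSION from OpenSSL's ssl.h; fallback for pyOpenSSL builds that predate the constant` would make that explicit. Since the log message promises the option only "if the underlying library supports it", consider logging once at import when the fallback path is taken, so operators know compression may still be negotiated on old builds. The class that follows the assignment continues outside the hunk.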
@@ -64,9 +66,10 @@
# Unfortunate code duplication.
ctx = SSLContext(self.sslmethod)
- # Always disable SSLv2/SSLv3
+ # Always disable SSLv2/SSLv3/Compression
ctx.set_options(OP_NO_SSLv2)
ctx.set_options(OP_NO_SSLv3)
+ ctx.set_options(_OP_NO_COMPRESSION)
if self.ciphers is not None:
ctx.set_cipher_list(self.ciphers)
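Review bot: The updated comment lists compression alongside SSLv2/SSLv3 but does not say why it is turned off, and "Always" overstates what the code can guarantee when `_OP_NO_COMPRESSION` came from the numeric fallback. I would write `# Always disable SSLv2/SSLv3; disable TLS compression (CRIME-style length side channel) where the linked OpenSSL honours the option`. As a style point, the three `set_options` calls could be one, `ctx.set_options(OP_NO_SSLv2 | OP_NO_SSLv3 | _OP_NO_COMPRESSION)`, which keeps the hardening flags in a single place. The enclosing method starts and ends outside the hunk.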