Moved sslProtocolVersion and sslProtocolCiphers to network.tls
This commit is contained in:
parent
b52cb9360f
commit
ffbc09758c
|
@ -12,13 +12,37 @@ from network.advanceddispatcher import AdvancedDispatcher
|
||||||
import network.asyncore_pollchoose as asyncore
|
import network.asyncore_pollchoose as asyncore
|
||||||
from queues import receiveDataQueue
|
from queues import receiveDataQueue
|
||||||
import paths
|
import paths
|
||||||
import protocol
|
|
||||||
|
|
||||||
_DISCONNECTED_SSL = frozenset((ssl.SSL_ERROR_EOF,))
|
_DISCONNECTED_SSL = frozenset((ssl.SSL_ERROR_EOF,))
|
||||||
|
|
||||||
|
# sslProtocolVersion
|
||||||
|
if sys.version_info >= (2, 7, 13):
|
||||||
|
# this means TLSv1 or higher
|
||||||
|
# in the future change to
|
||||||
|
# ssl.PROTOCOL_TLS1.2
|
||||||
|
sslProtocolVersion = ssl.PROTOCOL_TLS # pylint: disable=no-member
|
||||||
|
elif sys.version_info >= (2, 7, 9):
|
||||||
|
# this means any SSL/TLS. SSLv2 and 3 are excluded with an option after context is created
|
||||||
|
sslProtocolVersion = ssl.PROTOCOL_SSLv23
|
||||||
|
else:
|
||||||
|
# this means TLSv1, there is no way to set "TLSv1 or higher" or
|
||||||
|
# "TLSv1.2" in < 2.7.9
|
||||||
|
sslProtocolVersion = ssl.PROTOCOL_TLSv1
|
||||||
|
|
||||||
|
|
||||||
|
# ciphers
|
||||||
|
if ssl.OPENSSL_VERSION_NUMBER >= 0x10100000 and not ssl.OPENSSL_VERSION.startswith("LibreSSL"):
|
||||||
|
sslProtocolCiphers = "AECDH-AES256-SHA@SECLEVEL=0"
|
||||||
|
else:
|
||||||
|
sslProtocolCiphers = "AECDH-AES256-SHA"
|
||||||
|
|
||||||
|
|
||||||
class TLSDispatcher(AdvancedDispatcher):
|
class TLSDispatcher(AdvancedDispatcher):
|
||||||
def __init__(self, address=None, sock=None,
|
def __init__(
|
||||||
certfile=None, keyfile=None, server_side=False, ciphers=protocol.sslProtocolCiphers):
|
self, address=None, sock=None, certfile=None, keyfile=None,
|
||||||
|
server_side=False, ciphers=sslProtocolCiphers
|
||||||
|
):
|
||||||
self.want_read = self.want_write = True
|
self.want_read = self.want_write = True
|
||||||
if certfile is None:
|
if certfile is None:
|
||||||
self.certfile = os.path.join(paths.codePath(), 'sslkeys', 'cert.pem')
|
self.certfile = os.path.join(paths.codePath(), 'sslkeys', 'cert.pem')
|
||||||
|
@ -50,13 +74,11 @@ class TLSDispatcher(AdvancedDispatcher):
|
||||||
context.options = ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 | ssl.OP_SINGLE_ECDH_USE | ssl.OP_CIPHER_SERVER_PREFERENCE
|
context.options = ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 | ssl.OP_SINGLE_ECDH_USE | ssl.OP_CIPHER_SERVER_PREFERENCE
|
||||||
self.sslSocket = context.wrap_socket(self.socket, server_side = self.server_side, do_handshake_on_connect=False)
|
self.sslSocket = context.wrap_socket(self.socket, server_side = self.server_side, do_handshake_on_connect=False)
|
||||||
else:
|
else:
|
||||||
self.sslSocket = ssl.wrap_socket(self.socket,
|
self.sslSocket = ssl.wrap_socket(
|
||||||
server_side=self.server_side,
|
self.socket, server_side=self.server_side,
|
||||||
ssl_version=protocol.sslProtocolVersion,
|
ssl_version=sslProtocolVersion,
|
||||||
certfile=self.certfile,
|
certfile=self.certfile, keyfile=self.keyfile,
|
||||||
keyfile=self.keyfile,
|
ciphers=self.ciphers, do_handshake_on_connect=False)
|
||||||
ciphers=self.ciphers,
|
|
||||||
do_handshake_on_connect=False)
|
|
||||||
self.sslSocket.setblocking(0)
|
self.sslSocket.setblocking(0)
|
||||||
self.want_read = self.want_write = True
|
self.want_read = self.want_write = True
|
||||||
self.set_state("tls_handshake")
|
self.set_state("tls_handshake")
|
||||||
|
|
|
@ -12,7 +12,6 @@ import base64
|
||||||
import hashlib
|
import hashlib
|
||||||
import random
|
import random
|
||||||
import socket
|
import socket
|
||||||
import ssl
|
|
||||||
import sys
|
import sys
|
||||||
import time
|
import time
|
||||||
import traceback
|
import traceback
|
||||||
|
@ -449,25 +448,3 @@ def decryptAndCheckPubkeyPayload(data, address):
|
||||||
traceback.format_exc()
|
traceback.format_exc()
|
||||||
)
|
)
|
||||||
return 'failed'
|
return 'failed'
|
||||||
|
|
||||||
|
|
||||||
# sslProtocolVersion
|
|
||||||
if sys.version_info >= (2, 7, 13):
|
|
||||||
# this means TLSv1 or higher
|
|
||||||
# in the future change to
|
|
||||||
# ssl.PROTOCOL_TLS1.2
|
|
||||||
sslProtocolVersion = ssl.PROTOCOL_TLS # pylint: disable=no-member
|
|
||||||
elif sys.version_info >= (2, 7, 9):
|
|
||||||
# this means any SSL/TLS. SSLv2 and 3 are excluded with an option after context is created
|
|
||||||
sslProtocolVersion = ssl.PROTOCOL_SSLv23
|
|
||||||
else:
|
|
||||||
# this means TLSv1, there is no way to set "TLSv1 or higher" or
|
|
||||||
# "TLSv1.2" in < 2.7.9
|
|
||||||
sslProtocolVersion = ssl.PROTOCOL_TLSv1
|
|
||||||
|
|
||||||
|
|
||||||
# ciphers
|
|
||||||
if ssl.OPENSSL_VERSION_NUMBER >= 0x10100000 and not ssl.OPENSSL_VERSION.startswith("LibreSSL"):
|
|
||||||
sslProtocolCiphers = "AECDH-AES256-SHA@SECLEVEL=0"
|
|
||||||
else:
|
|
||||||
sslProtocolCiphers = "AECDH-AES256-SHA"
|
|
||||||
|
|
Reference in New Issue
Block a user