137 'ctxoptions': None, |
137 'ctxoptions': None, |
138 # OpenSSL Cipher List to use (instead of default). |
138 # OpenSSL Cipher List to use (instead of default). |
139 'ciphers': None, |
139 'ciphers': None, |
140 } |
140 } |
141 |
141 |
142 # Despite its name, PROTOCOL_SSLv23 selects the highest protocol |
|
143 # that both ends support, including TLS protocols. On legacy stacks, |
|
144 # the highest it likely goes is TLS 1.0. On modern stacks, it can |
|
145 # support TLS 1.2. |
|
146 # |
|
147 # The PROTOCOL_TLSv* constants select a specific TLS version |
|
148 # only (as opposed to multiple versions). So the method for |
|
149 # supporting multiple TLS versions is to use PROTOCOL_SSLv23 and |
|
150 # disable protocols via SSLContext.options and OP_NO_* constants. |
|
151 # However, SSLContext.options doesn't work unless we have the |
|
152 # full/real SSLContext available to us. |
|
153 |
|
154 # Allow minimum TLS protocol to be specified in the config. |
142 # Allow minimum TLS protocol to be specified in the config. |
155 def validateprotocol(protocol, key): |
143 def validateprotocol(protocol, key): |
156 if protocol not in configprotocols: |
144 if protocol not in configprotocols: |
157 raise error.Abort( |
145 raise error.Abort( |
158 _('unsupported protocol from hostsecurity.%s: %s') % |
146 _('unsupported protocol from hostsecurity.%s: %s') % |
287 def protocolsettings(protocol): |
275 def protocolsettings(protocol): |
288 """Resolve the protocol and context options for a config value.""" |
276 """Resolve the protocol and context options for a config value.""" |
289 if protocol not in configprotocols: |
277 if protocol not in configprotocols: |
290 raise ValueError('protocol value not supported: %s' % protocol) |
278 raise ValueError('protocol value not supported: %s' % protocol) |
291 |
279 |
292 # Legacy ssl module only supports up to TLS 1.0. Ideally we'd use |
280 # Despite its name, PROTOCOL_SSLv23 selects the highest protocol |
293 # PROTOCOL_SSLv23 and options to disable SSLv2 and SSLv3. However, |
281 # that both ends support, including TLS protocols. On legacy stacks, |
294 # SSLContext.options doesn't work in our implementation since we use |
282 # the highest it likely goes is TLS 1.0. On modern stacks, it can |
295 # a fake SSLContext on these Python versions. |
283 # support TLS 1.2. |
|
284 # |
|
285 # The PROTOCOL_TLSv* constants select a specific TLS version |
|
286 # only (as opposed to multiple versions). So the method for |
|
287 # supporting multiple TLS versions is to use PROTOCOL_SSLv23 and |
|
288 # disable protocols via SSLContext.options and OP_NO_* constants. |
|
289 # However, SSLContext.options doesn't work unless we have the |
|
290 # full/real SSLContext available to us. |
296 if not modernssl: |
291 if not modernssl: |
297 if protocol != 'tls1.0': |
292 if protocol != 'tls1.0': |
298 raise error.Abort(_('current Python does not support protocol ' |
293 raise error.Abort(_('current Python does not support protocol ' |
299 'setting %s') % protocol, |
294 'setting %s') % protocol, |
300 hint=_('upgrade Python or disable setting since ' |
295 hint=_('upgrade Python or disable setting since ' |