33 OP_NO_SSLv2 = ssl.OP_NO_SSLv2 |
33 OP_NO_SSLv2 = ssl.OP_NO_SSLv2 |
34 OP_NO_SSLv3 = ssl.OP_NO_SSLv3 |
34 OP_NO_SSLv3 = ssl.OP_NO_SSLv3 |
35 except AttributeError: |
35 except AttributeError: |
36 OP_NO_SSLv2 = 0x1000000 |
36 OP_NO_SSLv2 = 0x1000000 |
37 OP_NO_SSLv3 = 0x2000000 |
37 OP_NO_SSLv3 = 0x2000000 |
|
38 |
|
39 try: |
|
40 # ssl.SSLContext was added in 2.7.9 and presence indicates modern |
|
41 # SSL/TLS features are available. |
|
42 SSLContext = ssl.SSLContext |
|
43 modernssl = True |
|
44 except AttributeError: |
|
45 modernssl = False |
|
46 |
|
47 # We implement SSLContext using the interface from the standard library. |
|
48 class SSLContext(object): |
|
49 # ssl.wrap_socket gained the "ciphers" named argument in 2.7. |
|
50 _supportsciphers = sys.version_info >= (2, 7) |
|
51 |
|
52 def __init__(self, protocol): |
|
53 # From the public interface of SSLContext |
|
54 self.protocol = protocol |
|
55 self.check_hostname = False |
|
56 self.options = 0 |
|
57 self.verify_mode = ssl.CERT_NONE |
|
58 |
|
59 # Used by our implementation. |
|
60 self._certfile = None |
|
61 self._keyfile = None |
|
62 self._certpassword = None |
|
63 self._cacerts = None |
|
64 self._ciphers = None |
|
65 |
|
66 def load_cert_chain(self, certfile, keyfile=None, password=None): |
|
67 self._certfile = certfile |
|
68 self._keyfile = keyfile |
|
69 self._certpassword = password |
|
70 |
|
71 def load_default_certs(self, purpose=None): |
|
72 pass |
|
73 |
|
74 def load_verify_locations(self, cafile=None, capath=None, cadata=None): |
|
75 if capath: |
|
76 raise error.Abort('capath not supported') |
|
77 if cadata: |
|
78 raise error.Abort('cadata not supported') |
|
79 |
|
80 self._cacerts = cafile |
|
81 |
|
82 def set_ciphers(self, ciphers): |
|
83 if not self._supportsciphers: |
|
84 raise error.Abort('setting ciphers not supported') |
|
85 |
|
86 self._ciphers = ciphers |
|
87 |
|
88 def wrap_socket(self, socket, server_hostname=None, server_side=False): |
|
89 # server_hostname is unique to SSLContext.wrap_socket and is used |
|
90 # for SNI in that context. So there's nothing for us to do with it |
|
91 # in this legacy code since we don't support SNI. |
|
92 |
|
93 args = { |
|
94 'keyfile': self._keyfile, |
|
95 'certfile': self._certfile, |
|
96 'server_side': server_side, |
|
97 'cert_reqs': self.verify_mode, |
|
98 'ssl_version': self.protocol, |
|
99 'ca_certs': self._cacerts, |
|
100 } |
|
101 |
|
102 if self._supportsciphers: |
|
103 args['ciphers'] = self._ciphers |
|
104 |
|
105 return ssl.wrap_socket(socket, **args) |
38 |
106 |
39 _canloaddefaultcerts = False |
107 _canloaddefaultcerts = False |
40 try: |
108 try: |
41 # ssl.SSLContext was added in 2.7.9 and presence indicates modern |
109 # ssl.SSLContext was added in 2.7.9 and presence indicates modern |
42 # SSL/TLS features are available. |
110 # SSL/TLS features are available. |