230 s[b'verifymode'] = ssl.CERT_NONE |
230 s[b'verifymode'] = ssl.CERT_NONE |
231 |
231 |
232 assert s[b'verifymode'] is not None |
232 assert s[b'verifymode'] is not None |
233 |
233 |
234 return s |
234 return s |
235 |
|
236 |
|
237 def commonssloptions(minimumprotocol): |
|
238 """Return SSLContext options common to servers and clients.""" |
|
239 if minimumprotocol not in configprotocols: |
|
240 raise ValueError(b'protocol value not supported: %s' % minimumprotocol) |
|
241 |
|
242 # SSLv2 and SSLv3 are broken. We ban them outright. |
|
243 options = ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 |
|
244 |
|
245 if minimumprotocol == b'tls1.0': |
|
246 # Defaults above are to use TLS 1.0+ |
|
247 pass |
|
248 elif minimumprotocol == b'tls1.1': |
|
249 options |= ssl.OP_NO_TLSv1 |
|
250 elif minimumprotocol == b'tls1.2': |
|
251 options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1 |
|
252 else: |
|
253 raise error.Abort(_(b'this should not happen')) |
|
254 |
|
255 # Prevent CRIME. |
|
256 # There is no guarantee this attribute is defined on the module. |
|
257 options |= getattr(ssl, 'OP_NO_COMPRESSION', 0) |
|
258 |
|
259 return options |
|
260 |
235 |
261 |
236 |
262 def wrapsocket(sock, keyfile, certfile, ui, serverhostname=None): |
237 def wrapsocket(sock, keyfile, certfile, ui, serverhostname=None): |
263 """Add SSL/TLS to a socket. |
238 """Add SSL/TLS to a socket. |
264 |
239 |