18 try: |
18 try: |
19 ssl_context = ssl.SSLContext |
19 ssl_context = ssl.SSLContext |
20 |
20 |
21 def ssl_wrap_socket(sock, keyfile, certfile, cert_reqs=ssl.CERT_NONE, |
21 def ssl_wrap_socket(sock, keyfile, certfile, cert_reqs=ssl.CERT_NONE, |
22 ca_certs=None, serverhostname=None): |
22 ca_certs=None, serverhostname=None): |
23 sslcontext = ssl.SSLContext(PROTOCOL_TLSv1) |
23 # Allow any version of SSL starting with TLSv1 and |
|
24 # up. Note that specifying TLSv1 here prohibits use of |
|
25 # newer standards (like TLSv1_2), so this is the right way |
|
26 # to do this. Note that in the future it'd be better to |
|
27 # support using ssl.create_default_context(), which sets |
|
28 # up a bunch of things in smart ways (strong ciphers, |
|
29 # protocol versions, etc) and is upgraded by Python |
|
30 # maintainers for us, but that breaks too many things to |
|
31 # do it in a hurry. |
|
32 sslcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23) |
|
33 sslcontext.options &= ssl.OP_NO_SSLv2 & ssl.OP_NO_SSLv3 |
24 if certfile is not None: |
34 if certfile is not None: |
25 sslcontext.load_cert_chain(certfile, keyfile) |
35 sslcontext.load_cert_chain(certfile, keyfile) |
26 sslcontext.verify_mode = cert_reqs |
36 sslcontext.verify_mode = cert_reqs |
27 if ca_certs is not None: |
37 if ca_certs is not None: |
28 sslcontext.load_verify_locations(cafile=ca_certs) |
38 sslcontext.load_verify_locations(cafile=ca_certs) |