[PATCH] Don't allow SSLv2 connections
Johannes Stezenbach
js at sig21.net
Thu Jan 27 15:51:15 GMT 2011
On Thu, Jan 27, 2011 at 04:29:05PM +0100, Sebastian Spaeth wrote:
> - self.sslobj = ssl.wrap_socket(self.sock, self.keyfile,
> + #first try TLSv1 and fall back to SSLv3 if that fails.
> + #Starting from python 3.2 we can use:
> + # context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
> + # context.options |= ssl.OP_NO_SSLv2
> + #to allow TLSv1 and SSLv3 but not SSLv2 in one call
> + try:
> + self.sslobj = ssl.wrap_socket(self.sock, self.keyfile,
> self.certfile,
> ca_certs = self._cacertfile,
> - cert_reqs = requirecert)
> + cert_reqs = requirecert,
> + ssl_version = ssl.PROTOCOL_TLSv1)
> +
> +
> + except ssl.SSLError as e:
> + # assume: "Invalid SSL protocol variant specified, try SSLv3
> + try:
> + self.sslobj = ssl.wrap_socket(self.sock, self.keyfile,
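Review bot: the fallback in the `except ssl.SSLError` branch re-wraps the same `self.sock` whose TLSv1 handshake just failed; a rejected handshake leaves that connection consumed (the server may already have closed it), so the second `ssl.wrap_socket(self.sock, ...)` needs a freshly opened socket, not the old one. The same branch also catches every `ssl.SSLError`, so with `cert_reqs = requirecert` a certificate verification failure under TLSv1 would be retried as SSLv3 instead of being reported; either check the error before falling back or only fall back on the protocol-version failure the comment assumes. Minor: the comment `# assume: "Invalid SSL protocol variant specified, try SSLv3` has an unclosed quote.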
I'm not sure this will work since the server might have closed
the socket already. You'd need a new self.sock.
Johannes
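As an added example (not part of this thread and not OfflineIMAP's own code), a Python 3 sketch of the two points raised here: one `SSLContext` that refuses SSLv2/SSLv3 by pinning a minimum TLS version (the Python 3.2 approach the patch comment anticipates, written against the current API), and a fallback loop that opens a fresh TCP connection for every attempt instead of re-wrapping the socket a failed handshake already used up. It also refuses to fall back on a certificate verification error, since treating that as a version mismatch would turn a verification failure into a protocol downgrade. `make_client_context`, `connect_with_fallback`, `simulate_fallback` and the fake socket are illustrative names, and the simulated handshake outcomes are constructed so the retry path runs offline.

```python
import socket
import ssl

# Added example, not OfflineIMAP code. Needs Python 3.7+ (SSLContext.minimum_version,
# ssl.SSLCertVerificationError). All names below are illustrative.


def make_client_context(cafile=None, min_version=ssl.TLSVersion.TLSv1_2):
    """One context instead of a wrap_socket() call per protocol version.

    PROTOCOL_TLS_CLIENT negotiates the highest version both sides support and
    turns on certificate and hostname verification; pinning minimum_version is
    the modern equivalent of OP_NO_SSLv2 | OP_NO_SSLv3 from the patch comment.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = min_version
    if cafile:
        ctx.load_verify_locations(cafile)
    return ctx


def connect_with_fallback(host, port, versions, open_socket=None, wrap=None):
    """Try each protocol version in order, on a *new* TCP connection each time.

    A failed handshake (version rejected, alert sent, connection closed) leaves
    the socket unusable, so re-wrapping the same socket cannot work; it has to
    be reopened first. Returns (tls_socket, attempts); attempts lists each try.
    """
    if open_socket is None:
        open_socket = lambda: socket.create_connection((host, port), timeout=10)
    if wrap is None:
        def wrap(sock, version):
            ctx = make_client_context(min_version=version)
            ctx.maximum_version = version          # force exactly this version
            return ctx.wrap_socket(sock, server_hostname=host)

    attempts = []
    last_error = None
    for version in versions:
        sock = open_socket()                       # fresh connection per attempt
        try:
            tls_sock = wrap(sock, version)
        except ssl.SSLCertVerificationError:
            # A bad certificate is not a version mismatch: retrying with an
            # older protocol would turn a verification failure into a downgrade.
            sock.close()
            raise
        except ssl.SSLError as err:
            sock.close()                           # consumed by the failed handshake
            attempts.append((version, False))
            last_error = err
            continue
        attempts.append((version, True))
        return tls_sock, attempts
    if last_error is None:
        raise ValueError("no protocol versions given")
    raise last_error


class _FakeSocket:
    """Constructed stand-in for a TCP socket; only records whether it was closed."""

    def __init__(self):
        self.closed = False

    def close(self):
        self.closed = True


def simulate_fallback(outcomes):
    """Drive connect_with_fallback() offline against a constructed handshake.

    outcomes maps a version name to "ok", "version" (server rejects that
    protocol) or "cert" (certificate verification fails). Returns
    (result, attempts, sockets) so a caller can check what happened to each socket.
    """
    sockets = []

    def open_socket():
        sock = _FakeSocket()
        sockets.append(sock)
        return sock

    def wrap(sock, version):
        outcome = outcomes[version]
        if outcome == "version":
            raise ssl.SSLError(1, "wrong version number")
        if outcome == "cert":
            raise ssl.SSLCertVerificationError(1, "certificate verify failed")
        return ("tls", version, sock)

    result, attempts = connect_with_fallback(
        "imap.example", 993, list(outcomes), open_socket=open_socket, wrap=wrap)
    return result, attempts, sockets


if __name__ == "__main__":
    print(simulate_fallback({"TLSv1": "version", "SSLv3": "ok"})[1])
```

For a real server the `versions` list would hold `ssl.TLSVersion` members, and in practice a single context with `minimum_version` set and no fallback loop at all is the better design; the loop is shown only to make the reopen-per-attempt requirement concrete.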
More information about the OfflineIMAP-project mailing list