better sslversion handling

2015-08-29 12:30:54 +02:00 · 2015-08-29 12:30:54 +02:00 · 08b630f83a
parent dd317aa5d2
commit 08b630f83a
5 changed files with 19 additions and 14 deletions
--- a/libpathod/pathoc.py
+++ b/libpathod/pathoc.py
@ -140,6 +140,7 @@ class Pathoc(tcp.TCPClient):
            ssl=None,
            sni=None,
            ssl_version=tcp.SSL_DEFAULT_METHOD,
+            ssl_options=tcp.SSL_DEFAULT_OPTIONS,
            clientcert=None,
            ciphers=None,

@ -179,6 +180,7 @@ class Pathoc(tcp.TCPClient):
        self.ssl, self.sni = ssl, sni
        self.clientcert = clientcert
        self.ssl_version = ssl_version
+        self.ssl_options = ssl_options
        self.ciphers = ciphers
        self.sslinfo = None

@ -294,6 +296,7 @@ class Pathoc(tcp.TCPClient):
                    sni=self.sni,
                    cert=self.clientcert,
                    method=self.ssl_version,
+                    options=self.ssl_options,
                    cipher_list=self.ciphers,
                    alpn_protos=alpn_protos
                )
@ -473,6 +476,7 @@ def main(args):  # pragma: nocover
                ssl=args.ssl,
                sni=args.sni,
                ssl_version=args.ssl_version,
+                ssl_options=args.ssl_options,
                clientcert=args.clientcert,
                ciphers=args.ciphers,
                use_http2=args.use_http2,
--- a/libpathod/pathoc_cmdline.py
+++ b/libpathod/pathoc_cmdline.py
@ -109,12 +109,10 @@ def args_pathoc(argv, stdout=sys.stdout, stderr=sys.stderr):
        help="SSL cipher specification"
    )
    group.add_argument(
-        "--ssl-version", dest="ssl_version", type=str, default=tcp.SSL_DEFAULT_VERSION,
-        choices=tcp.SSL_VERSIONS.keys(),
-        help=""""
-            Use a specified protocol:
-            TLSv1.2, TLSv1.1, TLSv1, SSLv3, SSLv2, SSLv23.
-            Default to SSLv23."""
+        "--ssl-version", dest="ssl_version", type=str, default="secure",
+        choices=tcp.sslversion_choices.keys(),
+        help="Set supported SSL/TLS versions. "
+             "SSLv2, SSLv3 and 'all' are INSECURE. Defaults to secure, which is TLS1.0+."
    )

    group = parser.add_argument_group(
@ -163,7 +161,7 @@ def args_pathoc(argv, stdout=sys.stdout, stderr=sys.stderr):

    args = parser.parse_args(argv[1:])

-    args.ssl_version = tcp.SSL_VERSIONS[args.ssl_version]
+    args.ssl_version, args.ssl_options = tcp.sslversion_choices[args.ssl_version]

    args.port = None
    if ":" in args.host:
--- a/libpathod/pathod.py
+++ b/libpathod/pathod.py
@ -38,6 +38,7 @@ class SSLOptions(object):
        not_after_connect=None,
        request_client_cert=False,
        ssl_version=tcp.SSL_DEFAULT_METHOD,
+        ssl_options=tcp.SSL_DEFAULT_OPTIONS,
        ciphers=None,
        certs=None,
        alpn_select=http2.HTTP2Protocol.ALPN_PROTO_H2,
@ -48,6 +49,7 @@ class SSLOptions(object):
        self.not_after_connect = not_after_connect
        self.request_client_cert = request_client_cert
        self.ssl_version = ssl_version
+        self.ssl_options = ssl_options
        self.ciphers = ciphers
        self.alpn_select = alpn_select
        self.certstore = certutils.CertStore.from_store(
@ -243,6 +245,7 @@ class PathodHandler(tcp.BaseHandler):
                    request_client_cert=self.server.ssloptions.request_client_cert,
                    cipher_list=self.server.ssloptions.ciphers,
                    method=self.server.ssloptions.ssl_version,
+                    options=self.server.ssloptions.ssl_options,
                    alpn_select=self.server.ssloptions.alpn_select,
                )
            except tcp.NetLibError as v:
@ -435,6 +438,7 @@ def main(args):  # pragma: nocover
        not_after_connect=args.ssl_not_after_connect,
        ciphers=args.ciphers,
        ssl_version=args.ssl_version,
+        ssl_options=args.ssl_options,
        certs=args.ssl_certs,
        sans=args.sans,
    )
--- a/libpathod/pathod_cmdline.py
+++ b/libpathod/pathod_cmdline.py
@ -139,12 +139,10 @@ def args_pathod(argv, stdout_=sys.stdout, stderr_=sys.stderr):
        """
    )
    group.add_argument(
-        "--ssl-version", dest="ssl_version", type=str, default=tcp.SSL_DEFAULT_VERSION,
-        choices=tcp.SSL_VERSIONS.keys(),
-        help=""""
-            Use a specified protocol:
-            TLSv1.2, TLSv1.1, TLSv1, SSLv3, SSLv2, SSLv23.
-            Default to SSLv23."""
+        "--ssl-version", dest="ssl_version", type=str, default="secure",
+        choices=tcp.sslversion_choices.keys(),
+        help="Set supported SSL/TLS versions. "
+             "SSLv2, SSLv3 and 'all' are INSECURE. Defaults to secure, which is TLS1.0+."
    )

    group = parser.add_argument_group(
@ -182,7 +180,7 @@ def args_pathod(argv, stdout_=sys.stdout, stderr_=sys.stderr):

    args = parser.parse_args(argv[1:])

-    args.ssl_version = tcp.SSL_VERSIONS[args.ssl_version]
+    args.ssl_version, args.ssl_options = tcp.sslversion_choices[args.ssl_version]

    certs = []
    for i in args.ssl_certs:
--- a/libpathod/protocols/http.py
+++ b/libpathod/protocols/http.py
@ -60,6 +60,7 @@ class HTTPProtocol:
                    request_client_cert=self.pathod_handler.server.ssloptions.request_client_cert,
                    cipher_list=self.pathod_handler.server.ssloptions.ciphers,
                    method=self.pathod_handler.server.ssloptions.ssl_version,
+                    options=self.pathod_handler.server.ssloptions.ssl_options,
                    alpn_select=self.pathod_handler.server.ssloptions.alpn_select,
                )
            except tcp.NetLibError as v: