Revert "unify SSL version/method handling"

This reverts commit 14e49f4fc7.

libmproxy/proxy/config.py

@@ -49,11 +49,11 @@ class ProxyConfig:
             ciphers_client=None,
             ciphers_server=None,
             certs=[],
-            ssl_version_client=tcp.SSL_DEFAULT_METHOD,
-            ssl_version_server=tcp.SSL_DEFAULT_METHOD,
+            ssl_version_client="secure",
+            ssl_version_server="secure",
             ssl_verify_upstream_cert=False,
             ssl_upstream_trusted_cadir=None,
-            ssl_upstream_trusted_ca=None
+            ssl_upstream_trusted_ca=None,
     ):
         self.host = host
         self.port = port
@@ -76,14 +76,10 @@ class ProxyConfig:
         for spec, cert in certs:
             self.certstore.add_cert_file(spec, cert)
 
-        if isinstance(ssl_version_client, int):
-            self.openssl_method_client = ssl_version_client
-        else:
-            self.openssl_method_client = tcp.SSL_VERSIONS[ssl_version_client]
-        if isinstance(ssl_version_server, int):
-            self.openssl_method_server = ssl_version_server
-        else:
-            self.openssl_method_server = tcp.SSL_VERSIONS[ssl_version_server]
+        self.openssl_method_client, self.openssl_options_client = version_to_openssl(
+            ssl_version_client)
+        self.openssl_method_server, self.openssl_options_server = version_to_openssl(
+            ssl_version_server)
 
         if ssl_verify_upstream_cert:
             self.openssl_verification_mode_server = SSL.VERIFY_PEER
@@ -92,8 +88,33 @@ class ProxyConfig:
         self.openssl_trusted_cadir_server = ssl_upstream_trusted_cadir
         self.openssl_trusted_ca_server = ssl_upstream_trusted_ca
 
-        self.openssl_options_client = tcp.SSL_DEFAULT_OPTIONS
-        self.openssl_options_server = tcp.SSL_DEFAULT_OPTIONS
+
+sslversion_choices = (
+    "all",
+    "secure",
+    "SSLv2",
+    "SSLv3",
+    "TLSv1",
+    "TLSv1_1",
+    "TLSv1_2")
+
+
+def version_to_openssl(version):
+    """
+    Convert a reasonable SSL version specification into the format OpenSSL expects.
+    Don't ask...
+    https://bugs.launchpad.net/pyopenssl/+bug/1020632/comments/3
+    """
+    if version == "all":
+        return SSL.SSLv23_METHOD, None
+    elif version == "secure":
+        # SSLv23_METHOD + NO_SSLv2 + NO_SSLv3 == TLS 1.0+
+        # TLSv1_METHOD would be TLS 1.0 only
+        return SSL.SSLv23_METHOD, (SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3)
+    elif version in sslversion_choices:
+        return getattr(SSL, "%s_METHOD" % version), None
+    else:
+        raise ValueError("Invalid SSL version: %s" % version)
 
 
 def process_proxy_options(parser, options):
@@ -254,18 +275,16 @@ def ssl_option_group(parser):
         help="Path to a PEM formatted trusted CA certificate."
     )
     group.add_argument(
-        "--ssl-version-client", dest="ssl_version_client", type=str, default=tcp.SSL_DEFAULT_VERSION,
-        choices=tcp.SSL_VERSIONS.keys(),
-        help=""""
-            Use a specified protocol for client connections:
-            TLSv1.2, TLSv1.1, TLSv1, SSLv3, SSLv2, SSLv23.
-            Default to SSLv23."""
+        "--ssl-version-client", dest="ssl_version_client",
+        default="secure", action="store",
+        choices=sslversion_choices,
+        help="Set supported SSL/TLS version for client connections. "
+             "SSLv2, SSLv3 and 'all' are INSECURE. Defaults to secure."
     )
     group.add_argument(
-        "--ssl-version-server", dest="ssl_version_server", type=str, default=tcp.SSL_DEFAULT_VERSION,
-        choices=tcp.SSL_VERSIONS.keys(),
-        help=""""
-            Use a specified protocol for server connections:
-            TLSv1.2, TLSv1.1, TLSv1, SSLv3, SSLv2, SSLv23.
-            Default to SSLv23."""
+        "--ssl-version-server", dest="ssl_version_server",
+        default="secure", action="store",
+        choices=sslversion_choices,
+        help="Set supported SSL/TLS version for server connections. "
+             "SSLv2, SSLv3 and 'all' are INSECURE. Defaults to secure."
     )