Use ssl.PROTOCOL_TLSv1 on client side to avoid SSLv23

2015-07-30 20:40:05 +02:00 · 2015-07-30 20:40:05 +02:00 · 4731418af9
parent 77b0e7be5e
commit 4731418af9
1 changed files with 3 additions and 3 deletions
--- a/lib/interface.py
+++ b/lib/interface.py
@ -148,7 +148,7 @@ class TcpInterface(threading.Thread):
                    return
                # try with CA first
                try:
-                    s = ssl.wrap_socket(s, ssl_version=ssl.PROTOCOL_SSLv23, cert_reqs=ssl.CERT_REQUIRED, ca_certs=ca_path, do_handshake_on_connect=True)
+                    s = ssl.wrap_socket(s, ssl_version=ssl.PROTOCOL_TLSv1, cert_reqs=ssl.CERT_REQUIRED, ca_certs=ca_path, do_handshake_on_connect=True)
                except ssl.SSLError, e:
                    s = None
                if s and check_host_name(s.getpeercert(), self.host):
@ -161,7 +161,7 @@ class TcpInterface(threading.Thread):
                if s is None:
                    return
                try:
-                    s = ssl.wrap_socket(s, ssl_version=ssl.PROTOCOL_SSLv23, cert_reqs=ssl.CERT_NONE, ca_certs=None)
+                    s = ssl.wrap_socket(s, ssl_version=ssl.PROTOCOL_TLSv1, cert_reqs=ssl.CERT_NONE, ca_certs=None)
                except ssl.SSLError, e:
                    self.print_error("SSL error retrieving SSL certificate:", e)
                    return
@ -184,7 +184,7 @@ class TcpInterface(threading.Thread):
        if self.use_ssl:
            try:
                s = ssl.wrap_socket(s,
-                                    ssl_version=ssl.PROTOCOL_SSLv23,
+                                    ssl_version=ssl.PROTOCOL_TLSv1,
                                    cert_reqs=ssl.CERT_REQUIRED,
                                    ca_certs= (temporary_path if is_new else cert_path),
                                    do_handshake_on_connect=True)