Don't be so strict client-side (#15546)

Paulus Schoutsen 2018-07-18 23:00:26 +02:00 committed by GitHub
parent dfe17491f8
commit 4650366f07
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -6,21 +6,14 @@ import certifi
def client_context(): def client_context():
"""Return an SSL context for making requests.""" """Return an SSL context for making requests."""
context = _get_context() context = ssl.create_default_context(
context.verify_mode = ssl.CERT_REQUIRED purpose=ssl.Purpose.SERVER_AUTH,
context.check_hostname = True cafile=certifi.where()
context.load_verify_locations(cafile=certifi.where(), capath=None) )
return context return context
def server_context(): def server_context():
"""Return an SSL context for being a server."""
context = _get_context()
context.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
return context
def _get_context():
"""Return an SSL context following the Mozilla recommendations. """Return an SSL context following the Mozilla recommendations.
TLS configuration follows the best-practice guidelines specified here: TLS configuration follows the best-practice guidelines specified here:
@ -31,7 +24,8 @@ def _get_context():
context.options |= ( context.options |= (
ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 |
ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1 ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1 |
ssl.OP_CIPHER_SERVER_PREFERENCE
) )
if hasattr(ssl, 'OP_NO_COMPRESSION'): if hasattr(ssl, 'OP_NO_COMPRESSION'):
context.options |= ssl.OP_NO_COMPRESSION context.options |= ssl.OP_NO_COMPRESSION
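Review bot: The docstring of `client_context()` is unchanged ("Return an SSL context for making requests"), so nothing tells a caller which checks survive the relaxation. From the visible lines, certificate verification and hostname checking now come implicitly from the defaults of `ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, ...)` rather than from explicit assignments. The `OP_NO_TLSv1 | OP_NO_TLSv1_1` exclusions in the second hunk now apply only to `server_context()`, so the protocol floor for outbound connections is whatever the running Python/OpenSSL build defaults to. I would add a comment such as `# Relies on create_default_context defaults: CERT_REQUIRED + check_hostname; protocol floor is the interpreter's, trust store is certifi only`, and pin it with a test asserting `context.verify_mode == ssl.CERT_REQUIRED and context.check_hostname`. The body of `server_context()` continues outside both hunks, so its remaining settings could not be checked here.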