forked from solderpunk/AV-98
work in progress
parent
6d43b13520
commit
a7c8ed33d5
53
netcache.py
53
netcache.py
|
@ -459,30 +459,35 @@ def _fetch_gemini(url):
|
||||||
context = ssl.SSLContext(protocol)
|
context = ssl.SSLContext(protocol)
|
||||||
|
|
||||||
# Use CAs or TOFU
|
# Use CAs or TOFU
|
||||||
if self.options["tls_mode"] == "ca":
|
#TODO : should we care about this options?
|
||||||
context.verify_mode = ssl.CERT_REQUIRED
|
#if self.options["tls_mode"] == "ca":
|
||||||
context.check_hostname = True
|
# context.verify_mode = ssl.CERT_REQUIRED
|
||||||
context.load_default_certs()
|
# context.check_hostname = True
|
||||||
else:
|
# context.load_default_certs()
|
||||||
context.check_hostname = False
|
#else:
|
||||||
context.verify_mode = ssl.CERT_NONE
|
# context.check_hostname = False
|
||||||
# Impose minimum TLS version
|
# context.verify_mode = ssl.CERT_NONE
|
||||||
## In 3.7 and above, this is easy...
|
context.check_hostname=False
|
||||||
if sys.version_info.minor >= 7:
|
context.verify_mode = ssl.CERT_NONE
|
||||||
context.minimum_version = ssl.TLSVersion.TLSv1_2
|
# Impose minimum TLS version
|
||||||
## Otherwise, it seems very hard...
|
## In 3.7 and above, this is easy...
|
||||||
## The below is less strict than it ought to be, but trying to disable
|
if sys.version_info.minor >= 7:
|
||||||
## TLS v1.1 here using ssl.OP_NO_TLSv1_1 produces unexpected failures
|
context.minimum_version = ssl.TLSVersion.TLSv1_2
|
||||||
## with recent versions of OpenSSL. What a mess...
|
## Otherwise, it seems very hard...
|
||||||
else:
|
## The below is less strict than it ought to be, but trying to disable
|
||||||
context.options |= ssl.OP_NO_SSLv3
|
## TLS v1.1 here using ssl.OP_NO_TLSv1_1 produces unexpected failures
|
||||||
context.options |= ssl.OP_NO_SSLv2
|
## with recent versions of OpenSSL. What a mess...
|
||||||
# Try to enforce sensible ciphers
|
else:
|
||||||
try:
|
context.options |= ssl.OP_NO_SSLv3
|
||||||
context.set_ciphers("AESGCM+ECDHE:AESGCM+DHE:CHACHA20+ECDHE:CHACHA20+DHE:!DSS:!SHA1:!MD5:@STRENGTH")
|
context.options |= ssl.OP_NO_SSLv2
|
||||||
except ssl.SSLError:
|
# Try to enforce sensible ciphers
|
||||||
# Rely on the server to only support sensible things, I guess...
|
try:
|
||||||
pass
|
context.set_ciphers("AESGCM+ECDHE:AESGCM+DHE:CHACHA20+ECDHE:CHACHA20+DHE:!DSS:!SHA1:!MD5:@STRENGTH")
|
||||||
|
except ssl.SSLError:
|
||||||
|
# Rely on the server to only support sensible things, I guess...
|
||||||
|
pass
|
||||||
|
|
||||||
|
#TODO: I’m here in the refactor
|
||||||
# Load client certificate if needed
|
# Load client certificate if needed
|
||||||
if self.client_certs["active"]:
|
if self.client_certs["active"]:
|
||||||
certfile, keyfile = self.client_certs["active"]
|
certfile, keyfile = self.client_certs["active"]
|
||||||
|
|
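Review bot: The new side disables certificate verification unconditionally — `context.check_hostname=False` and `context.verify_mode = ssl.CERT_NONE` now run regardless of `tls_mode`, and the `ca` branch that set `CERT_REQUIRED`, `check_hostname = True` and `load_default_certs()` survives only as commented-out lines under `#TODO : should we care about this options?`. Unless the TOFU fingerprint comparison that the old `else` branch relied on (not visible in this hunk) is carried through the refactor, every connection this function makes is unauthenticated, so the `tls_mode` dispatch should stay in place until that is settled: keep the `"ca"` test with its three verifying lines, and fall through to the `check_hostname`/`CERT_NONE` pair only in the TOFU case, with a comment stating where the fingerprint check happens. Separately, `if self.client_certs["active"]:` and the unpack below it still reference `self` inside the module-level `def _fetch_gemini(url)`, where it is unbound and will raise `NameError` at runtime; the `#TODO: I’m here in the refactor` marker acknowledges the state, but the client-certificate data should be passed in as a parameter (or the block guarded) before this path is reachable. `_fetch_gemini` begins before and continues past this hunk.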