Signed-off-by: alex <atoptsog...@suse.com>
---
 ryu/controller/controller.py | 6 ++----
 ryu/lib/hub.py | 24 +++++++++++++++++++++---
 2 files changed, 23 insertions(+), 7 deletions(-)
diff --git a/ryu/controller/controller.py b/ryu/controller/controller.py
index 62135339..f316f0bc 100644
--- a/ryu/controller/controller.py
+++ b/ryu/controller/controller.py
@@ -172,15 +172,13 @@ class OpenFlowController(object):
 keyfile=CONF.ctl_privkey,
 certfile=CONF.ctl_cert,
 cert_reqs=ssl.CERT_REQUIRED,
- ca_certs=CONF.ca_certs,
- ssl_version=ssl.PROTOCOL_TLSv1)
+ ca_certs=CONF.ca_certs)
 else:
 server = StreamServer((CONF.ofp_listen_host,
 ofp_ssl_listen_port),
 datapath_connection_factory,
 keyfile=CONF.ctl_privkey,
- certfile=CONF.ctl_cert,
- ssl_version=ssl.PROTOCOL_TLSv1)
+ certfile=CONF.ctl_cert)
 else:
 server = StreamServer((CONF.ofp_listen_host,
 ofp_tcp_listen_port),
diff --git a/ryu/lib/hub.py b/ryu/lib/hub.py
index bd15fc89..18ba6e4a 100644
--- a/ryu/lib/hub.py
+++ b/ryu/lib/hub.py
@@ -42,6 +42,7 @@ if HUB_TYPE == 'eventlet':
 import ssl
 import socket
 import traceback
+ import sys
 getcurrent = eventlet.getcurrent
 patch = eventlet.monkey_patch 
@@ -127,9 +128,26 @@ if HUB_TYPE == 'eventlet':
 if ssl_args:
 def wrap_and_handle(sock, addr):
- ssl_args.setdefault('server_side', True)
- handle(ssl.wrap_socket(sock, **ssl_args), addr)
-
+ if sys.version_info < (2,7,9):
+ #anything less than python 2.7.9 supports only TLSv1 or less, thus we choose TLSv1
+ ssl_args.setdefault('server_side', True)
+ ssl_args.update(ssl_version = 'PROTOCOL_TLSv1')
+ handle(ssl.wrap_socket(sock, **ssl_args), addr)
+ else:
+ # from 2.7.9 and versions 3.4+ ssl context creation is supported. Protocol_TLS from 2.7.13 and from 3.5.3 replaced SSLv23. Functionality is similar.
+ if hasattr(ssl, 'PROTOCOL_TLS'):
+ p = 'PROTOCOL_TLS'
+ else:
+ p = 'PROTOCOL_SSLv23'
+
+ ctx = ssl.SSLContext(getattr(ssl, p))
+ ctx.load_cert_chain(ssl_args['certfile'], ssl_args['keyfile'])
+ ctx.options |= ssl.OP_NO_SSLv3 | ssl.OP_NO_SSLv2 #Restrict non-safe versions
+ if 'cert_reqs' in ssl_args:
+ #if --ca-certs is specified
+ ctx.verify_mode = ssl.CERT_REQUIRED
+ ctx.load_verify_locations(ssl_args["ca_certs"])
+ handle(ctx.wrap_socket(sock,server_side=True), addr)
 self.handle = wrap_and_handle
 else:
 self.handle = handle
-- 
2.16.4
_______________________________________________
Ryu-devel mailing list
Ryu-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ryu-devel