Signed-off-by: alex <[email protected]>
---
ryu/controller/controller.py | 6 ++----
ryu/lib/hub.py | 24 +++++++++++++++++++++---
2 files changed, 23 insertions(+), 7 deletions(-)
diff --git a/ryu/controller/controller.py b/ryu/controller/controller.py
index 62135339..f316f0bc 100644
--- a/ryu/controller/controller.py
+++ b/ryu/controller/controller.py
@@ -172,15 +172,13 @@ class OpenFlowController(object):
keyfile=CONF.ctl_privkey,
certfile=CONF.ctl_cert,
cert_reqs=ssl.CERT_REQUIRED,
- ca_certs=CONF.ca_certs,
- ssl_version=ssl.PROTOCOL_TLSv1)
+ ca_certs=CONF.ca_certs)
else:
server = StreamServer((CONF.ofp_listen_host,
ofp_ssl_listen_port),
datapath_connection_factory,
keyfile=CONF.ctl_privkey,
- certfile=CONF.ctl_cert,
- ssl_version=ssl.PROTOCOL_TLSv1)
+ certfile=CONF.ctl_cert)
else:
server = StreamServer((CONF.ofp_listen_host,
ofp_tcp_listen_port),
diff --git a/ryu/lib/hub.py b/ryu/lib/hub.py
index bd15fc89..18ba6e4a 100644
--- a/ryu/lib/hub.py
+++ b/ryu/lib/hub.py
@@ -42,6 +42,7 @@ if HUB_TYPE == 'eventlet':
import ssl
import socket
import traceback
+ import sys
getcurrent = eventlet.getcurrent
patch = eventlet.monkey_patch
@@ -127,9 +128,26 @@ if HUB_TYPE == 'eventlet':
if ssl_args:
def wrap_and_handle(sock, addr):
- ssl_args.setdefault('server_side', True)
- handle(ssl.wrap_socket(sock, **ssl_args), addr)
-
+ if sys.version_info < (2,7,9):
+ #anything less than python 2.7.9 supports only TLSv1
or less, thus we choose TLSv1
+ ssl_args.setdefault('server_side', True)
+ ssl_args.update(ssl_version = 'PROTOCOL_TLSv1')
+ handle(ssl.wrap_socket(sock, **ssl_args), addr)
+ else:
+ # from 2.7.9 and versions 3.4+ ssl context creation is
supported. Protocol_TLS from 2.7.13 and from 3.5.3 replaced SSLv23.
Functionality is similar.
+ if hasattr(ssl, 'PROTOCOL_TLS'):
+ p = 'PROTOCOL_TLS'
+ else:
+ p = 'PROTOCOL_SSLv23'
+
+ ctx = ssl.SSLContext(getattr(ssl, p))
+ ctx.load_cert_chain(ssl_args['certfile'],
ssl_args['keyfile'])
+ ctx.options |= ssl.OP_NO_SSLv3 | ssl.OP_NO_SSLv2
#Restrict non-safe versions
+ if 'cert_reqs' in ssl_args:
+ #if --ca-certs is specified
+ ctx.verify_mode = ssl.CERT_REQUIRED
+ ctx.load_verify_locations(ssl_args["ca_certs"])
+ handle(ctx.wrap_socket(sock,server_side=True), addr)
self.handle = wrap_and_handle
else:
self.handle = handle
--
2.16.4