Thanks for working on this.
On Sat, 02 Feb 2019 00:39:34 +0900,
alex wrote:
>
> Signed-off-by: alex <[email protected]>
> ---
> ryu/controller/controller.py | 6 ++----
> ryu/lib/hub.py | 24 +++++++++++++++++++++---
> 2 files changed, 23 insertions(+), 7 deletions(-)
>
> diff --git a/ryu/controller/controller.py b/ryu/controller/controller.py
> index 62135339..f316f0bc 100644
> --- a/ryu/controller/controller.py
> +++ b/ryu/controller/controller.py
> @@ -172,15 +172,13 @@ class OpenFlowController(object):
> keyfile=CONF.ctl_privkey,
> certfile=CONF.ctl_cert,
> cert_reqs=ssl.CERT_REQUIRED,
> - ca_certs=CONF.ca_certs,
> - ssl_version=ssl.PROTOCOL_TLSv1)
> + ca_certs=CONF.ca_certs)
I think ssl_version should be set here so that any other potential
StreamServer user can override. Also, if we add a config option to
restrict unsafe TLS versions in future, the logic should be here.
> else:
> server = StreamServer((CONF.ofp_listen_host,
> ofp_ssl_listen_port),
> datapath_connection_factory,
> keyfile=CONF.ctl_privkey,
> - certfile=CONF.ctl_cert,
> - ssl_version=ssl.PROTOCOL_TLSv1)
> + certfile=CONF.ctl_cert)
ditto
> else:
> server = StreamServer((CONF.ofp_listen_host,
> ofp_tcp_listen_port),
> diff --git a/ryu/lib/hub.py b/ryu/lib/hub.py
> index bd15fc89..18ba6e4a 100644
> --- a/ryu/lib/hub.py
> +++ b/ryu/lib/hub.py
> @@ -42,6 +42,7 @@ if HUB_TYPE == 'eventlet':
> import ssl
> import socket
> import traceback
> + import sys
>
> getcurrent = eventlet.getcurrent
> patch = eventlet.monkey_patch
> @@ -127,9 +128,26 @@ if HUB_TYPE == 'eventlet':
>
> if ssl_args:
> def wrap_and_handle(sock, addr):
> - ssl_args.setdefault('server_side', True)
> - handle(ssl.wrap_socket(sock, **ssl_args), addr)
> -
> + if sys.version_info < (2,7,9):
> + #anything less than python 2.7.9 supports only TLSv1
> or less, thus we choose TLSv1
> + ssl_args.setdefault('server_side', True)
> + ssl_args.update(ssl_version = 'PROTOCOL_TLSv1')
> + handle(ssl.wrap_socket(sock, **ssl_args), addr)
> + else:
> + # from 2.7.9 and versions 3.4+ ssl context creation
> is supported. Protocol_TLS from 2.7.13 and from 3.5.3 replaced SSLv23.
> Functionality is similar.
> + if hasattr(ssl, 'PROTOCOL_TLS'):
> + p = 'PROTOCOL_TLS'
> + else:
> + p = 'PROTOCOL_SSLv23'
> +
> + ctx = ssl.SSLContext(getattr(ssl, p))
> + ctx.load_cert_chain(ssl_args['certfile'],
> ssl_args['keyfile'])
> + ctx.options |= ssl.OP_NO_SSLv3 | ssl.OP_NO_SSLv2
> #Restrict non-safe versions
> + if 'cert_reqs' in ssl_args:
> + #if --ca-certs is specified
> + ctx.verify_mode = ssl.CERT_REQUIRED
> + ctx.load_verify_locations(ssl_args["ca_certs"])
> + handle(ctx.wrap_socket(sock,server_side=True), addr)
>
> self.handle = wrap_and_handle
> else:
> self.handle = handle
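Review bot: `ssl_args.update(ssl_version = 'PROTOCOL_TLSv1')` in the `sys.version_info < (2,7,9)` branch stores the string name instead of the constant, so `ssl.wrap_socket` receives `ssl_version='PROTOCOL_TLSv1'` and will fail rather than pin TLSv1 the way the removed controller.py argument did; it should read `ssl_args.setdefault('ssl_version', ssl.PROTOCOL_TLSv1)`, which, like the `server_side` line above it, also preserves a value a caller supplied. In the else branch the verification block keys on `'cert_reqs' in ssl_args` but then reads `ssl_args["ca_certs"]` and forces `CERT_REQUIRED`; this holds for the controller.py caller, which only passes `cert_reqs` together with `ca_certs`, but any other StreamServer user passing `cert_reqs` alone gets a KeyError, so guarding on `ssl_args.get('ca_certs')` and setting `ctx.verify_mode = ssl_args.get('cert_reqs', ssl.CERT_REQUIRED)` would match the `#if --ca-certs is specified` comment. The `ssl.SSLContext(...)` construction and `load_cert_chain` also run once per accepted connection inside `wrap_and_handle`; building the context once before the `def` and only calling `ctx.wrap_socket` per connection would avoid re-reading the key and certificate files on every accept. The method that assigns `self.handle` starts before this hunk, so the surrounding scope is not visible here.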
> --
> 2.16.4
>
>
>
>