diff options
author | Philipp Hagemeister <phihag@phihag.de> | 2014-09-12 07:50:31 +0200 |
---|---|---|
committer | Philipp Hagemeister <phihag@phihag.de> | 2014-09-12 07:50:31 +0200 |
commit | aa37e3d486f52b8c7a22dd5255469292a6a6afb9 (patch) | |
tree | 05d389782a6ffef35417795017ba1020c895b212 /youtube_dl | |
parent | edb53e2dc33c37a8c4cef3ec541084171adeed5b (diff) |
[utils] Default SSL to TLS. (Fixes #3727)
On 2.x, we now try TLS first, and fall back to the compat 23 (basically anything) afterwards.
On 3.4+, we now use the proper function so that we get all the latest security configurations.
We allow SSLv3 though for the time being, since a lot of older pages use that.
On 3.3, we default to SSLv23 (basically "anything, including TLS") because that has the widest compatibility.
Diffstat (limited to 'youtube_dl')
-rw-r--r-- | youtube_dl/utils.py | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/youtube_dl/utils.py b/youtube_dl/utils.py index 0bc410e91..d920c65a4 100644 --- a/youtube_dl/utils.py +++ b/youtube_dl/utils.py @@ -617,7 +617,7 @@ def make_HTTPS_handler(opts_no_check_certificate, **kwargs): self.sock = sock self._tunnel() try: - self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file, ssl_version=ssl.PROTOCOL_SSLv3) + self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file, ssl_version=ssl.PROTOCOL_TLSv1) except ssl.SSLError: self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file, ssl_version=ssl.PROTOCOL_SSLv23) @@ -625,8 +625,14 @@ def make_HTTPS_handler(opts_no_check_certificate, **kwargs): def https_open(self, req): return self.do_open(HTTPSConnectionV3, req) return HTTPSHandlerV3(**kwargs) - else: - context = ssl.SSLContext(ssl.PROTOCOL_SSLv3) + elif hasattr(ssl, 'create_default_context'): # Python >= 3.4 + context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH) + context.options &= ~ssl.OP_NO_SSLv3 # Allow older, not-as-secure SSLv3 + if opts_no_check_certificate: + context.verify_mode = ssl.CERT_NONE + return compat_urllib_request.HTTPSHandler(context=context, **kwargs) + else: # Python < 3.4 + context = ssl.SSLContext(ssl.PROTOCOL_SSLv23) context.verify_mode = (ssl.CERT_NONE if opts_no_check_certificate else ssl.CERT_REQUIRED) |