From 31d2a5d2d1b72af3e8876fa4c20001e3084b5ccd Mon Sep 17 00:00:00 2001
From: AlucardZero <saturos@gmail.com>
Date: Tue, 28 Jun 2016 19:48:25 -0400
Subject: [PATCH] Reenable TLS1.1 and 1.2 while leaving SSLv3 disabled (#2385)

---
 homeassistant/components/http.py | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/homeassistant/components/http.py b/homeassistant/components/http.py
index 218c202bcc2..d170f2a713e 100644
--- a/homeassistant/components/http.py
+++ b/homeassistant/components/http.py
@@ -40,7 +40,8 @@ DATA_API_PASSWORD = 'api_password'
 # TLS configuation follows the best-practice guidelines
 # specified here: https://wiki.mozilla.org/Security/Server_Side_TLS
 # Intermediate guidelines are followed.
-SSL_VERSION = ssl.PROTOCOL_TLSv1
+SSL_VERSION = ssl.PROTOCOL_SSLv23
+SSL_OPTS = ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 | ssl.OP_NO_COMPRESSION
 CIPHERS = "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:" \
           "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:" \
           "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:" \
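Review bot: `SSL_OPTS` leaves out `ssl.OP_CIPHER_SERVER_PREFERENCE`, so the order of the `CIPHERS` string is only advisory and the client's preference decides which suite is negotiated. If the list is meant to be enforced in that order, extend the constant to `SSL_OPTS = ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 | ssl.OP_NO_COMPRESSION | ssl.OP_CIPHER_SERVER_PREFERENCE`. The name `PROTOCOL_SSLv23` also reads as if old SSL were being re-enabled, so a comment above `SSL_VERSION` would help, for example `# PROTOCOL_SSLv23 negotiates the highest version both peers support; SSLv2/SSLv3 are excluded via SSL_OPTS`. The `CIPHERS` definition continues past the end of this hunk, so the full suite list was not reviewed.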
@@ -312,9 +313,11 @@ class HomeAssistantWSGI(object):
 
         sock = eventlet.listen((self.server_host, self.server_port))
         if self.ssl_certificate:
-            sock = eventlet.wrap_ssl(sock, certfile=self.ssl_certificate,
-                                     keyfile=self.ssl_key, server_side=True,
-                                     ssl_version=SSL_VERSION, ciphers=CIPHERS)
+            context = ssl.SSLContext(SSL_VERSION)
+            context.options |= SSL_OPTS
+            context.set_ciphers(CIPHERS)
+            context.load_cert_chain(self.ssl_certificate, self.ssl_key)
+            sock = context.wrap_socket(sock, server_side=True)
         wsgi.server(sock, self, log=_LOGGER)
 
     def dispatch_request(self, request):
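Review bot: The listening socket is now wrapped by `context.wrap_socket(sock, server_side=True)` instead of `eventlet.wrap_ssl`, and the hunk does not show whether `ssl` here is the standard-library module or eventlet's green variant. If it is the plain stdlib module without monkey-patching, the TLS handshake performed on accept may block the hub, so a client that connects and never completes the handshake could stall other requests. Confirm which module is imported, or build the context from `eventlet.green.ssl`, and add a short comment above `context = ssl.SSLContext(SSL_VERSION)` stating which one is relied on. The enclosing method starts outside this hunk, so the import and any monkey-patching are not visible here.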
-- 
GitLab