@@ -19,7 +19,7 @@ use foreign_types_shared::{ForeignType, ForeignTypeRef};
1919use openssl:: {
2020 asn1:: { Asn1Object , Asn1ObjectRef } ,
2121 nid:: Nid ,
22- ssl:: { self , SslContextBuilder , SslVerifyMode } ,
22+ ssl:: { self , SslContextBuilder , SslOptions , SslVerifyMode } ,
2323} ;
2424
2525mod sys {
@@ -35,6 +35,7 @@ mod sys {
3535 pub fn X509_get_default_cert_file ( ) -> * const c_char ;
3636 pub fn X509_get_default_cert_dir_env ( ) -> * const c_char ;
3737 pub fn X509_get_default_cert_dir ( ) -> * const c_char ;
38+ pub fn SSL_CTX_set_post_handshake_auth ( ctx : * mut SSL_CTX , val : c_int ) ;
3839 }
3940}
4041
@@ -232,12 +233,36 @@ impl PySslContext {
232233 } ;
233234 let mut builder =
234235 SslContextBuilder :: new ( method) . map_err ( |e| convert_openssl_error ( vm, e) ) ?;
236+
235237 let check_hostname = proto == SslVersion :: TlsClient ;
236238 builder. set_verify ( if check_hostname {
237239 SslVerifyMode :: PEER | SslVerifyMode :: FAIL_IF_NO_PEER_CERT
238240 } else {
239241 SslVerifyMode :: NONE
240242 } ) ;
243+
244+ let mut options = SslOptions :: ALL & !SslOptions :: DONT_INSERT_EMPTY_FRAGMENTS ;
245+ if proto != SslVersion :: Ssl2 {
246+ options |= SslOptions :: NO_SSLV2 ;
247+ }
248+ if proto != SslVersion :: Ssl3 {
249+ options |= SslOptions :: NO_SSLV3 ;
250+ }
251+ options |= SslOptions :: NO_COMPRESSION ;
252+ options |= SslOptions :: CIPHER_SERVER_PREFERENCE ;
253+ options |= SslOptions :: SINGLE_DH_USE ;
254+ options |= SslOptions :: SINGLE_ECDH_USE ;
255+ builder. set_options ( options) ;
256+
257+ let mode = ssl:: SslMode :: ACCEPT_MOVING_WRITE_BUFFER | ssl:: SslMode :: AUTO_RETRY ;
258+ builder. set_mode ( mode) ;
259+
260+ unsafe { sys:: SSL_CTX_set_post_handshake_auth ( builder. as_ptr ( ) , 0 ) } ;
261+
262+ builder
263+ . set_session_id_context ( b"Python" )
264+ . map_err ( |e| convert_openssl_error ( vm, e) ) ?;
265+
241266 PySslContext {
242267 ctx : RefCell :: new ( builder) ,
243268 check_hostname,
0 commit comments