Reuse DEFAULT_SSL_CONTEXT_OPTIONS

abhinavsingh · Aug 10, 2024 · bed356c · bed356c
1 parent 9c33a52
commit bed356c
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 9 deletions.
diff --git a/proxy/common/utils.py b/proxy/common/utils.py
@@ -25,7 +25,8 @@
 from types import TracebackType
 from typing import Any, Dict, List, Type, Tuple, Callable, Optional
 
-import _ssl  # noqa: WPS436
+# noqa: WPS436
+import _ssl  # type: ignore[import-not-found]
 
 from .types import HostPort
 from .constants import (

diff --git a/proxy/core/connection/server.py b/proxy/core/connection/server.py
@@ -15,6 +15,7 @@
 from .connection import TcpConnection, TcpConnectionUninitializedException
 from ...common.types import HostPort, TcpOrTlsSocket
 from ...common.utils import new_socket_connection
+from ...common.constants import DEFAULT_SSL_CONTEXT_OPTIONS
 
 
 class TcpServerConnection(TcpConnection):
@@ -51,15 +52,12 @@ def wrap(
             # Ref https://github.com/PyCQA/pylint/issues/3691
             verify_mode: ssl.VerifyMode = ssl.VerifyMode.CERT_REQUIRED,     # pylint: disable=E1101
     ) -> None:
-        ctx = ssl.create_default_context(
-            ssl.Purpose.SERVER_AUTH,
-            cafile=ca_file,
+        ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
+        ctx.options |= DEFAULT_SSL_CONTEXT_OPTIONS
+        # pylint: disable=E1101
+        ctx.check_hostname = (
+            False if verify_mode == ssl.VerifyMode.CERT_NONE else hostname is not None
         )
-        ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 | ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
-        if verify_mode == ssl.VerifyMode.CERT_NONE:  # pylint: disable=E1101
-            ctx.check_hostname = False
-        else:
-            ctx.check_hostname = hostname is not None
         ctx.verify_mode = verify_mode
         self.connection.setblocking(True)
         self._conn = ctx.wrap_socket(