From 1e11592251ab599965bb7dc88b631d14e9be1a60 Mon Sep 17 00:00:00 2001
From: Thierry Parmentelat
Date: Sun, 21 Jun 2015 19:08:50 +0200
Subject: [PATCH] use TLSv1 instead of SSLv3
---
 source/BootServerRequest.py | 11 ++++++++---
 source/steps/InitializeBootManager.py | 25 +++++++++++++++++++++++--
 source/steps/InstallBootstrapFS.py | 4 ++--
 3 files changed, 33 insertions(+), 7 deletions(-)
diff --git a/source/BootServerRequest.py b/source/BootServerRequest.py
index 7b6531d..1c2dad5 100644
--- a/source/BootServerRequest.py
+++ b/source/BootServerRequest.py
@@ -32,8 +32,6 @@ except:
 class BootServerRequest:
- VERBOSE = 0
-
 # all possible places to check the cdrom mount point.
 # /mnt/cdrom is typically after the machine has come up,
 # and /usr is when the boot cd is running
@@ -55,7 +53,14 @@ class BootServerRequest:
 # really need for the boot cd environment where pycurl
 # doesn't exist
 CURL_CMD = 'curl'
- CURL_SSL_VERSION = 3
+
+ # use TLSv1 and not SSLv3 anymore
+ if PYCURL_LOADED:
+ CURL_SSL_VERSION = pycurl.SSLVERSION_TLSv1
+ else:
+ # used to be '3' for SSLv3
+ # xxx really not sure what this means when pycurl is not loaded
+ CURL_SSL_VERSION = 1
 def __init__(self, vars, verbose=0):
diff --git a/source/steps/InitializeBootManager.py b/source/steps/InitializeBootManager.py
index dfe3399..9baaca9 100644
--- a/source/steps/InitializeBootManager.py
+++ b/source/steps/InitializeBootManager.py
@@ -6,8 +6,11 @@
 # Copyright (c) 2004-2006 The Trustees of Princeton University
 # All rights reserved.
+from __future__ import print_function
+
 import os
 import xmlrpclib
+import ssl
 import socket
 import string
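Review bot: The `else:` branch comment `# xxx really not sure what this means when pycurl is not loaded` should be replaced by the fact that grounds the value: in libcurl's `curl_sslversion` enum `CURL_SSLVERSION_TLSv1` is 1 and `CURL_SSLVERSION_SSLv3` is 3, so `pycurl.SSLVERSION_TLSv1` and the literal `1` denote the same setting and the two branches stay consistent — e.g. `# libcurl CURL_SSLVERSION_TLSv1 == 1 (the old 3 was CURL_SSLVERSION_SSLv3)`. How the non-pycurl path turns this constant into a `curl` command-line option is outside the hunk, so that mapping (`--tlsv1` rather than a hard-coded `--sslv3`) should be confirmed where `CURL_SSL_VERSION` is consumed, otherwise the fallback would silently keep the protocol this commit removes. libcurl's TLSv1 setting negotiates TLS 1.0 or later, which is the intended floor here.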
@@ -56,9 +59,27 @@ def Run(vars, log):
 log.write("Opening connection to API server\n")
 try:
- api_inst = xmlrpclib.Server(vars['BOOT_API_SERVER'], verbose=0)
- except KeyError as e:
+ server_url = vars['BOOT_API_SERVER']
+ except:
 raise BootManagerException("configuration file does not specify API server URL")
+
+ api_inst = None
+ # preferred strategy : select tlsv1 as the encryption protocol
+ try:
+ ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
+ api_inst = xmlrpclib.ServerProxy(server_url,
+ context=ssl_context,
+ verbose=0)
+ # this is only supported in python >= 2.7.9 though, so allow for failure
+ except:
+ print("Default xmlrpclib strategy failed")
+ import traceback
+ traceback.print_exc()
+ pass
+
+ # if that failed, resort to the old-fashioned code
+ if api_inst is None:
+ api_inst = xmlrpclib.ServerProxy(server_url, verbose=0)
 vars['API_SERVER_INST'] = api_inst
diff --git a/source/steps/InstallBootstrapFS.py b/source/steps/InstallBootstrapFS.py
index 9180e55..06f9807 100644
--- a/source/steps/InstallBootstrapFS.py
+++ b/source/steps/InstallBootstrapFS.py
@@ -142,8 +142,8 @@ def Run(vars, log):
 # Download SHA1 checksum file
 log.write("downloading sha1sum for {}\n".format(source_file))
 result = bs_request.DownloadFile(source_hash_file, None, None,
- 1, 1, dest_hash_file,
- 30, 14400)
+ 1, 1, dest_hash_file,
+ 30, 14400)
 log.write("verifying sha1sum for {}\n".format(source_file))
 if not utils.check_file_hash(dest_file, dest_hash_file):
--
2.43.0
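Review bot: `ssl.SSLContext(ssl.PROTOCOL_TLSv1)` as built here is left at its defaults — `verify_mode` is `CERT_NONE`, no CA bundle is loaded and `check_hostname` is off — so the API server's certificate is never validated and the change fixes the protocol version but not server authentication. After constructing the context, set `ssl_context.verify_mode = ssl.CERT_REQUIRED`, `ssl_context.check_hostname = True` and `ssl_context.load_verify_locations(<path to the CA bundle the boot environment trusts>)`. The two bare `except:` clauses also widen what used to be `except KeyError`: the first reports any error as a missing configuration key, and the second swallows every failure (including a genuine TLS setup error) before silently falling back to a `ServerProxy` with no context at all, which on interpreters older than 2.7.9 may still negotiate SSLv3 — the very thing the commit removes; catching `(AttributeError, TypeError)`, the signature of a pre-2.7.9 interpreter, and writing the fallback to `log` instead of `print` would keep the degradation visible. `Run` continues past the end of the hunk.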