grith / sibboleth

Non-web shibboleth client

SSL issue workaround: replace ssl._make_ssl_socket #5

Closed vladimir-mencl-eresearch closed 12 years ago

vladimir-mencl-eresearch commented 12 years ago

Hack the ssl class in socket.py NOT to enable all supported ciphersuites when setting up an SSL connection.

Enabling all supported ciphersuites causes an issue on:

Replace the _make_ssl_socket method from socket.ssl class with our own version that does not enable all ciphersuites that Java lists as supported.

The replacement method is in sibboleth/socketsslonlydefaultciphers.py

Importing this module (in sibboleth/shibboleth.py) activates this workaround.

vladimir-mencl-eresearch commented 12 years ago

Hmm, I was trying to create a separate pull request for each of the commits - but the previous commit (which is already in https://github.com/grith/sibboleth/pull/4) gets included here whatever I try...

vladimir-mencl-eresearch commented 12 years ago

This pull request was meant to include only https://github.com/vladimir-mencl-eresearch/sibboleth/commit/48b28942922280084b76b4db29c0749652d83a67 - SSL issue workaround: replace ssl._make_ssl_socket

makkus commented 12 years ago

Oops, sorry, didn't read your second comment and merged everything. Do I need to revert back?

vladimir-mencl-eresearch commented 12 years ago

Hi Markus,

I wanted to have a proper separate pull request for each of the commits - but I'm not really sure whether it's actually possible for a sequence of commits to be merged in separate pull requests.

But overall, I wanted to merge both commits and that's what has happened.

All is well.

Cheers, Vlad

makkus commented 12 years ago

Good! Having only one commit in a pull request should be possible (see: http://stackoverflow.com/questions/5256021/send-a-pull-request-on-github-for-only-latest-commit) but probably a bit cumbersome...

vladimir-mencl-eresearch commented 12 years ago

Thanks. Good to know for the future - but would do it only if I REALLY need to apply only the latest commit...