divergentdave
commented
7 years ago Deployed, and ARC is no longer red!
Closed divergentdave closed 7 years ago
divergentdave
commented
7 years ago Deployed, and ARC is no longer red!
konklone
commented
7 years ago Super solid! Great research, great fix, and simpler code. A+.
This re-fixes #289, which had regressed on the production server due to changing default cipher suite lists. Since this issue first came up, newer versions of urllib3 now make it possible to supply a custom
ssl_contextwhen setting up connections. So, this PR adds a new TransportAdapter to override the cipher suite list, and then uses that on connections to ARC's domain only. (This touches requirements.txt, so deploying will require upgrading Python dependencies)While I was working on this, I also took out some old TLS workarounds. No servers require RC4 anymore, so I took out the
DEFAULT_CIPHERSoverride. There aren't any more problems with the SBA server, either because they upgraded their F5 box or because we're using a newer OpenSSL version. I haven't looked into which of these is the case, but I took the TLS 1.0 workaround out anyway.