From 077047059629cb1a18e74d2425bf2d72f9c8d29f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cristian=20Rodr=C3=ADguez?=
Date: Sun, 15 Jul 2012 23:20:19 -0400
Subject: [PATCH] watchout the BEAST...

This patch workarounds the BEAST attack in the client side making OSC to prefer TLS v1.1 or v1.2 ciphers/key exchanges when available. Now, as long as openSUSE API webservers do not support these protocols it will prefer the RC4-SHA1 combination to be in the safe side.
---
 osc/oscssl.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/osc/oscssl.py b/osc/oscssl.py
index a0b305be..127c0cdd 100644
--- a/osc/oscssl.py
+++ b/osc/oscssl.py
@@ -155,7 +155,7 @@ class mySSLContext(SSL.Context):
     def __init__(self):
         SSL.Context.__init__(self, 'sslv23')
         self.set_options(m2.SSL_OP_NO_SSLv2 | m2.SSL_OP_NO_SSLv3)
-        self.set_cipher_list("ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!MD5:@STRENGTH")
+        self.set_cipher_list("ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH")
         self.set_session_cache_mode(m2.SSL_SESS_CACHE_CLIENT)
         self.verrs = None
         #self.set_info_callback() # debug
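Review bot: Placing `RC4` ahead of `HIGH` in the new cipher string means any server that lacks the two TLS 1.2 suites listed first — which, per the description, is the current state of the openSUSE API servers — will negotiate RC4-SHA on every connection, so the change replaces the BEAST CBC weakness with an unconditional preference for a stream cipher that is itself known to be weak and that the commit only calls "the safe side". That trade-off is not recorded in the code; a comment above the `set_cipher_list` call such as `# BEAST workaround: prefer TLS 1.2 AES suites, otherwise RC4 over CBC; revisit once the API servers speak TLS 1.1/1.2` would stop the next maintainer from reading the order as a deliberate long-term choice. The old string's `!eNULL` and `!SSLv2` were dropped; they are redundant given `HIGH` and the SSL_OP_NO_SSLv2 option on the line above, but keeping `!eNULL` explicit is cheap insurance if the list is edited again. The new `!EDH` exclusion also removes every DHE suite and its forward secrecy, which deserves a word in the same comment if it was intentional. `__init__` may continue past the last line of the hunk.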