Diffstat (limited to 'netlib/tcp.py')
-rw-r--r--netlib/tcp.py35
1 files changed, 18 insertions, 17 deletions
diff --git a/netlib/tcp.py b/netlib/tcp.py
index 3a094d9a..0d83816b 100644
--- a/netlib/tcp.py
+++ b/netlib/tcp.py
@@ -23,31 +23,32 @@ EINTR = 4
# To enable all SSL methods use: SSLv23
# then add options to disable certain methods
# https://bugs.launchpad.net/pyopenssl/+bug/1020632/comments/3
-
-# Use ONLY for parsing of CLI arguments!
-# All code internals should use OpenSSL constants directly!
-SSL_VERSIONS = {
- 'TLSv1.2': SSL.TLSv1_2_METHOD,
- 'TLSv1.1': SSL.TLSv1_1_METHOD,
- 'TLSv1': SSL.TLSv1_METHOD,
- 'SSLv3': SSL.SSLv3_METHOD,
- 'SSLv2': SSL.SSLv2_METHOD,
- 'SSLv23': SSL.SSLv23_METHOD,
-}
-
-SSL_DEFAULT_VERSION = 'SSLv23'
-
-SSL_DEFAULT_METHOD = SSL_VERSIONS[SSL_DEFAULT_VERSION]
-
+SSL_DEFAULT_METHOD = SSL.SSLv23_METHOD
SSL_DEFAULT_OPTIONS = (
SSL.OP_NO_SSLv2 |
SSL.OP_NO_SSLv3 |
SSL.OP_CIPHER_SERVER_PREFERENCE
)
-
if hasattr(SSL, "OP_NO_COMPRESSION"):
SSL_DEFAULT_OPTIONS |= SSL.OP_NO_COMPRESSION
+"""
+Map a reasonable SSL version specification into the format OpenSSL expects.
+Don't ask...
+https://bugs.launchpad.net/pyopenssl/+bug/1020632/comments/3
+"""
+sslversion_choices = {
+ "all": (SSL.SSLv23_METHOD, 0),
+ # SSLv23_METHOD + NO_SSLv2 + NO_SSLv3 == TLS 1.0+
+ # TLSv1_METHOD would be TLS 1.0 only
+ "secure": (SSL.SSLv23_METHOD, (SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3)),
+ "SSLv2": (SSL.SSLv2_METHOD, 0),
+ "SSLv3": (SSL.SSLv3_METHOD, 0),
+ "TLSv1": (SSL.TLSv1_METHOD, 0),
+ "TLSv1_1": (SSL.TLSv1_1_METHOD, 0),
+ "TLSv1_2": (SSL.TLSv1_2_METHOD, 0),
+}
+
class NetLibError(Exception):
pass
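Review bot: The `"secure"` entry in `sslversion_choices` carries only `SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3`, while `SSL_DEFAULT_OPTIONS` just above also sets `SSL.OP_CIPHER_SERVER_PREFERENCE` and, where available, `SSL.OP_NO_COMPRESSION`. The code that consumes these `(method, options)` tuples is outside the hunk, so this matters only if the tuple's options replace the defaults rather than being OR-ed into them; in that case choosing "secure" would give a weaker context than the default. Reusing the constant avoids the drift: `"secure": (SSL.SSLv23_METHOD, SSL_DEFAULT_OPTIONS),`. The triple-quoted string before the dict is a bare expression rather than a docstring, and "Don't ask..." tells a reader nothing; a comment such as `# name -> (method, options); "all", "SSLv2" and "SSLv3" permit protocols that SSL_DEFAULT_OPTIONS disables` would record what a caller needs to know.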