From 0e405f894deec51dd4bfaa41fe380a95def7e7da Mon Sep 17 00:00:00 2001
From: berhsi
Date: Fri, 2 Aug 2019 14:20:08 +0200
Subject: [PATCH] statusd.py: set some ssl-options
---
 statusd.py | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/statusd.py b/statusd.py
index 53a324a..b44288d 100755
--- a/statusd.py
+++ b/statusd.py
@@ -204,7 +204,12 @@ def set_values(raw_data):
 def main():
 ''' The main function - opens a socket, create a ssl context, load certs and
- listen for connections.
+ listen for connections. at ssl context we set some security options like
+ OP_NO_SSLv2 (SSLv3): they are insecure
+ PROTOCOL_TLS: only use tls
+ OP_NO_COMPRESSION: prevention against crime attack
+ OP_DONT_ISERT_EMPTY_FRAGMENTS: prevention agains cbc 4 attack (cve-2011-3389)
+
 '''
 CONFIG = {
 'HOST': 'localhost',
@@ -231,12 +236,17 @@ def main():
 exit()
 context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
+ context.options &= ~ssl.OP_NO_SSLv2
+ context.options &= ~ssl.OP_NO_SSLv3
 context.options &= ~ssl.PROTOCOL_TLS
+ context.options &= ~ssl.OP_CIPHER_SERVER_PREFERENCE
+ # context.options &= ~ssl.OP_DONT_INSERT_EMPTY_FRAGMENTS
+ context.options |= getattr(ssl._ssl, 'OP_NO_COMPRESSION', 0)
+ # context.set_ciphers('HIGHT:!aNULL:!RC4:!DSS')
 context.verify_mode = ssl.CERT_REQUIRED
 context.load_cert_chain(certfile = CONFIG['SERVER_CERT'], keyfile = CONFIG['SERVER_KEY'])
 context.load_verify_locations(cafile = CONFIG['CLIENT_CERT'])
- context.options &= ~ssl.OP_NO_SSLv3
 logging.debug('SSL context created')
 with socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0) as mySocket:
@@ -290,6 +300,7 @@ def main():
 except Exception as e:
 logging.error('{}'.format(e))
 continue
+ return 0
 if __name__ == '__main__':
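Review bot: The new docstring lines claim the context "sets" OP_NO_SSLv2/OP_NO_SSLv3 and treats `PROTOCOL_TLS` as an option, but further down in main() those same names are applied with `&= ~`, which clears the flag bits, and `PROTOCOL_TLS` is a protocol-selector constant rather than an options bit, so the docstring and the code need to be reconciled rather than documented as-is. The list also carries typos that will mislead the next reader: `OP_DONT_ISERT_EMPTY_FRAGMENTS` should be `OP_DONT_INSERT_EMPTY_FRAGMENTS`, `agains` should be `against`, and CVE-2011-3389 is the BEAST attack on CBC mode, not a "cbc 4 attack". I would replace the bullet list with one sentence that matches whatever the code finally does, e.g. `the TLS context keeps the library defaults that disable SSLv2/SSLv3 and TLS compression (CRIME) and enforces the server's cipher preference`. main()'s body continues outside this hunk.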
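Review bot: The added `context.options &= ~ssl.OP_NO_SSLv2` and `context.options &= ~ssl.OP_NO_SSLv3` lines clear the NO_SSLv2/NO_SSLv3 bits, which re-enables the very protocols the commit says it is disabling — `&= ~` removes an option flag, `|=` sets one, and `ssl.create_default_context()` already sets both, so this hunk weakens the default; the same inversion applies to `&= ~ssl.OP_CIPHER_SERVER_PREFERENCE`, which hands cipher selection to the client, and the pre-existing `&= ~ssl.PROTOCOL_TLS` mixes a protocol-selector constant into the options bitmask and should simply be dropped. `getattr(ssl._ssl, 'OP_NO_COMPRESSION', 0)` reaches into a private module and silently becomes a no-op if the attribute is missing, while `ssl.OP_NO_COMPRESSION` is the public name. The commented-out `set_ciphers('HIGHT:...')` is dead code with a typo (`HIGH`) and should be removed or enabled correctly rather than left as a misleading hint. main() starts and ends outside this hunk.
```python
    context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    # |= adds an option bit; &= ~ would clear it and re-enable the protocol.
    # The default context already sets these; restating them documents intent.
    context.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
    context.options |= ssl.OP_NO_COMPRESSION          # CRIME mitigation
    context.options |= ssl.OP_CIPHER_SERVER_PREFERENCE  # server picks the suite
    # … unchanged: verify_mode, load_cert_chain, load_verify_locations …
```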