forked from Krautspace/doorstatus
statusd.py: set some ssl-options
This commit is contained in:
parent
8755e35584
commit
0e405f894d
1 changed files with 13 additions and 2 deletions
15
statusd.py
15
statusd.py
@ -204,7 +204,12 @@ def set_values(raw_data):
def main():
'''
The main function - opens a socket, create a ssl context, load certs and
listen for connections.
listen for connections. at ssl context we set some security options like
OP_NO_SSLv2 (SSLv3): they are insecure
PROTOCOL_TLS: only use tls
OP_NO_COMPRESSION: prevention against crime attack
OP_DONT_ISERT_EMPTY_FRAGMENTS: prevention agains cbc 4 attack (cve-2011-3389)
'''
CONFIG = {
'HOST': 'localhost',
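Review bot: The new docstring lines misspell the flag as `OP_DONT_ISERT_EMPTY_FRAGMENTS` and the word as `agains`; the constant is `OP_DONT_INSERT_EMPTY_FRAGMENTS` (as the commented line in the next hunk spells it) and the word is `against`. `OP_NO_SSLv2 (SSLv3): they are insecure` reads as one flag covering both protocols, whereas two flags are involved, so `OP_NO_SSLv2 / OP_NO_SSLv3: SSLv2 and SSLv3 are insecure` is clearer. `PROTOCOL_TLS` is the protocol selector passed to `SSLContext()`, not an option bit set on `context.options`, so listing it among the "security options" is misleading and it should be dropped or moved to a separate sentence. The docstring should also only claim what the option lines in the second hunk actually do; as written the two disagree. main() continues past this hunk.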
@ -231,12 +236,17 @@ def main():
exit()
context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
context.options &= ~ssl.OP_NO_SSLv2
context.options &= ~ssl.OP_NO_SSLv3
context.options &= ~ssl.PROTOCOL_TLS
context.options &= ~ssl.OP_CIPHER_SERVER_PREFERENCE
# context.options &= ~ssl.OP_DONT_INSERT_EMPTY_FRAGMENTS
context.options |= getattr(ssl._ssl, 'OP_NO_COMPRESSION', 0)
# context.set_ciphers('HIGHT:!aNULL:!RC4:!DSS')
context.verify_mode = ssl.CERT_REQUIRED
context.load_cert_chain(certfile = CONFIG['SERVER_CERT'],
keyfile = CONFIG['SERVER_KEY'])
context.load_verify_locations(cafile = CONFIG['CLIENT_CERT'])
context.options &= ~ssl.OP_NO_SSLv3
logging.debug('SSL context created')
with socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0) as mySocket:
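Review bot: The four `context.options &= ~...` lines right after `create_default_context` clear the OP_NO_SSLv2, OP_NO_SSLv3 and OP_CIPHER_SERVER_PREFERENCE bits instead of setting them, so they re-enable exactly the protocols the new docstring says are disabled and strip the hardening the default context applies on its own; `~ssl.PROTOCOL_TLS` is a protocol selector for `SSLContext()`, not an options flag, so masking with it only clears an unrelated bit. Only the `|= getattr(ssl._ssl, 'OP_NO_COMPRESSION', 0)` line has the right direction, and it can use the public `ssl.OP_NO_COMPRESSION` instead of reaching into the private `_ssl` module. Replace the five lines with `context.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 | ssl.OP_NO_COMPRESSION | ssl.OP_CIPHER_SERVER_PREFERENCE` (or drop them, since the default context already sets these). A one-line check after the context is built, `assert context.options & ssl.OP_NO_SSLv3`, would have caught the inverted operator. main() starts before and continues past this hunk.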
@ -290,6 +300,7 @@ def main():
except Exception as e:
logging.error('{}'.format(e))
continue
return 0
if __name__ == '__main__':