Fix apistatusd.py/create_ssl_context: set sane cipher list, ecdh_curve, single_ecdh_use

2023-10-25 00:35:28 +02:00 · 2023-10-25 00:35:28 +02:00 · c4c78aa5ba
commit c4c78aa5ba
parent 66bc266f2e
1 changed files with 12 additions and 11 deletions
--- a/source/server/apistatusd.py
+++ b/source/server/apistatusd.py
@ -55,14 +55,12 @@ def create_ssl_context(config):
    Creates the ssl context.
    return: context object or None
    '''
-    context = None
    requirement = ssl.CERT_REQUIRED
-    required = config['client']['required'].lower()
-
-    if required == 'false':
-        requirement = ssl.CERT_NONE
-    elif required == 'may':
-        requirement = ssl.CERT_OPTIONAL
+    match config['client']['required'].lower():
+        case 'false':
+            requirement = ssl.CERT_NONE
+        case 'may':
+            requirement = ssl.CERT_OPTIONAL

    try:
        context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
@ -70,17 +68,20 @@ def create_ssl_context(config):
        context.load_cert_chain(certfile=config['server']['cert'],
                                keyfile=config['server']['key'])
        context.load_verify_locations(cafile=config['client']['cert'])
-        #context.minimum_version = ssl.TLSVersion.TLSv1_2
-        #context.maximum_version = ssl.TLSVersion.TLSv1_2
+        context.set_ciphers("ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256")
+        context.set_ecdh_curve("secp384r1")
+        context.minimum_version = ssl.TLSVersion.TLSv1_2
+        context.maximum_version = ssl.TLSVersion.TLSv1_2
        # ensure, compression is disabled (disabled by default anyway at the moment)
        context.options |= ssl.OP_NO_COMPRESSION
        context.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
+        context.options |= ssl.OP_SINGLE_ECDH_USE
        logging.debug('SSL context created')
+        return context
    except Exception as e:
        logging.error('Failed to create SSL context')
        logging.error('Error: {}'.format(e))
        return None
-    return context

 def print_ciphers(cipherlist):
    '''
@ -449,7 +450,7 @@ def main():
                    Connection = context.wrap_socket(ClientSocket, server_side=True)
                    logging.info('SSL Connection established')
                    Connection.settimeout(float(config['general']['timeout']))
-                    logging.debug('Connection timeout set to {}'.format(config['general']['timeout']))
+                    logging.debug('Connection timeout set to {}'.format(Connection.gettimeout())
                    cert = Connection.getpeercert(binary_form=False)
                    display_peercert(cert)
                except Exception as e: