From c4c78aa5ba69ef24f178b3715e5064478f37e3dc Mon Sep 17 00:00:00 2001 From: Ludwig Behm Date: Wed, 25 Oct 2023 00:35:28 +0200 Subject: [PATCH] Fix apistatusd.py/create_ssl_context: set sane cipher list, ecdh_curve, single_ecdh_use --- source/server/apistatusd.py | 23 ++++++++++++----------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/source/server/apistatusd.py b/source/server/apistatusd.py index fe79acf..048e554 100755 --- a/source/server/apistatusd.py +++ b/source/server/apistatusd.py @@ -55,14 +55,12 @@ def create_ssl_context(config): Creates the ssl context. return: context object or None ''' - context = None requirement = ssl.CERT_REQUIRED - required = config['client']['required'].lower() - - if required == 'false': - requirement = ssl.CERT_NONE - elif required == 'may': - requirement = ssl.CERT_OPTIONAL + match config['client']['required'].lower(): + case 'false': + requirement = ssl.CERT_NONE + case 'may': + requirement = ssl.CERT_OPTIONAL try: context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH) 
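Review bot: The `match` block has no default arm, so any value of `config['client']['required']` other than 'false' or 'may' silently leaves `requirement` at `ssl.CERT_REQUIRED`. That fails closed, which is the safe direction, but nothing in the code says it is intended; a comment above the `match` such as `# any other value keeps ssl.CERT_REQUIRED (fail closed)` would record it. The `match` statement also needs Python 3.10 or newer, and on an older interpreter the whole file fails to parse, so the minimum version is worth stating wherever the project documents its requirements. create_ssl_context continues past the end of this hunk.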
@@ -70,17 +68,20 @@ def create_ssl_context(config): context.load_cert_chain(certfile=config['server']['cert'], keyfile=config['server']['key']) context.load_verify_locations(cafile=config['client']['cert']) - #context.minimum_version = ssl.TLSVersion.TLSv1_2 - #context.maximum_version = ssl.TLSVersion.TLSv1_2 + context.set_ciphers("ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256") + context.set_ecdh_curve("secp384r1") + context.minimum_version = ssl.TLSVersion.TLSv1_2 + context.maximum_version = ssl.TLSVersion.TLSv1_2 # ensure, compression is disabled (disabled by default anyway at the moment) context.options |= ssl.OP_NO_COMPRESSION context.options |= ssl.OP_CIPHER_SERVER_PREFERENCE + context.options |= ssl.OP_SINGLE_ECDH_USE logging.debug('SSL context created') + return context except Exception as e: logging.error('Failed to create SSL context') logging.error('Error: {}'.format(e)) return None - return context def print_ciphers(cipherlist): ''' @@ -449,7 +450,7 @@ def main(): Connection = context.wrap_socket(ClientSocket, server_side=True) logging.info('SSL Connection established') Connection.settimeout(float(config['general']['timeout'])) - logging.debug('Connection timeout set to {}'.format(config['general']['timeout'])) + logging.debug('Connection timeout set to {}'.format(Connection.gettimeout()) cert = Connection.getpeercert(binary_form=False) display_peercert(cert) except Exception as e:
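Review bot: `context.maximum_version = ssl.TLSVersion.TLSv1_2` caps the listener at TLS 1.2, so TLS 1.3 is never negotiated even when both peers support it; unless there is a compatibility reason, drop that line and keep only `minimum_version`, or record the reason in a comment like `# TLS 1.3 disabled on purpose: <reason>`. Both entries passed to `set_ciphers` are ECDHE-RSA suites, so the handshake only succeeds when `config['server']['key']` is an RSA key, and `set_ecdh_curve("secp384r1")` leaves a single curve on offer; a one-line comment stating both constraints would help whoever has to diagnose a failed handshake. `ssl.OP_SINGLE_ECDH_USE` is, as far as I know, a no-op from OpenSSL 1.1.0 onwards, so it is harmless but adds nothing on current builds.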
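Review bot: The new `logging.debug(...)` line is missing its final closing parenthesis: `.format(Connection.gettimeout())` closes `gettimeout` and `format` but not `logging.debug(`, so as shown the file fails to parse and the daemon cannot start. It should read `logging.debug('Connection timeout set to {}'.format(Connection.gettimeout()))`. The surrounding `try` block in main() starts outside this hunk.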