forked from Krautspace/doorstatus
Fix apistatusd.py/create_ssl_context: set sane cipher list, ecdh_curve, single_ecdh_use
This commit is contained in:
parent
66bc266f2e
commit
c4c78aa5ba
1 changed files with 12 additions and 11 deletions
|
@ -55,13 +55,11 @@ def create_ssl_context(config):
|
||||||
Creates the ssl context.
|
Creates the ssl context.
|
||||||
return: context object or None
|
return: context object or None
|
||||||
'''
|
'''
|
||||||
context = None
|
|
||||||
requirement = ssl.CERT_REQUIRED
|
requirement = ssl.CERT_REQUIRED
|
||||||
required = config['client']['required'].lower()
|
match config['client']['required'].lower():
|
||||||
|
case 'false':
|
||||||
if required == 'false':
|
|
||||||
requirement = ssl.CERT_NONE
|
requirement = ssl.CERT_NONE
|
||||||
elif required == 'may':
|
case 'may':
|
||||||
requirement = ssl.CERT_OPTIONAL
|
requirement = ssl.CERT_OPTIONAL
|
||||||
|
|
||||||
try:
|
try:
|
||||||
|
@ -70,17 +68,20 @@ def create_ssl_context(config):
|
||||||
context.load_cert_chain(certfile=config['server']['cert'],
|
context.load_cert_chain(certfile=config['server']['cert'],
|
||||||
keyfile=config['server']['key'])
|
keyfile=config['server']['key'])
|
||||||
context.load_verify_locations(cafile=config['client']['cert'])
|
context.load_verify_locations(cafile=config['client']['cert'])
|
||||||
#context.minimum_version = ssl.TLSVersion.TLSv1_2
|
context.set_ciphers("ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256")
|
||||||
#context.maximum_version = ssl.TLSVersion.TLSv1_2
|
context.set_ecdh_curve("secp384r1")
|
||||||
|
context.minimum_version = ssl.TLSVersion.TLSv1_2
|
||||||
|
context.maximum_version = ssl.TLSVersion.TLSv1_2
|
||||||
# ensure, compression is disabled (disabled by default anyway at the moment)
|
# ensure, compression is disabled (disabled by default anyway at the moment)
|
||||||
context.options |= ssl.OP_NO_COMPRESSION
|
context.options |= ssl.OP_NO_COMPRESSION
|
||||||
context.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
|
context.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
|
||||||
|
context.options |= ssl.OP_SINGLE_ECDH_USE
|
||||||
logging.debug('SSL context created')
|
logging.debug('SSL context created')
|
||||||
|
return context
|
||||||
except Exception as e:
|
except Exception as e:
|
||||||
logging.error('Failed to create SSL context')
|
logging.error('Failed to create SSL context')
|
||||||
logging.error('Error: {}'.format(e))
|
logging.error('Error: {}'.format(e))
|
||||||
return None
|
return None
|
||||||
return context
|
|
||||||
|
|
||||||
def print_ciphers(cipherlist):
|
def print_ciphers(cipherlist):
|
||||||
'''
|
'''
|
||||||
|
@ -449,7 +450,7 @@ def main():
|
||||||
Connection = context.wrap_socket(ClientSocket, server_side=True)
|
Connection = context.wrap_socket(ClientSocket, server_side=True)
|
||||||
logging.info('SSL Connection established')
|
logging.info('SSL Connection established')
|
||||||
Connection.settimeout(float(config['general']['timeout']))
|
Connection.settimeout(float(config['general']['timeout']))
|
||||||
logging.debug('Connection timeout set to {}'.format(config['general']['timeout']))
|
logging.debug('Connection timeout set to {}'.format(Connection.gettimeout())
|
||||||
cert = Connection.getpeercert(binary_form=False)
|
cert = Connection.getpeercert(binary_form=False)
|
||||||
display_peercert(cert)
|
display_peercert(cert)
|
||||||
except Exception as e:
|
except Exception as e:
|
||||||
|
|
Loading…
Reference in a new issue