Fix apistatusd.py/create_ssl_context: set sane cipher list, ecdh_curve, single_ecdh_use

This commit is contained in:
Ludwig Behm 2023-10-25 00:35:28 +02:00
parent 66bc266f2e
commit c4c78aa5ba
Signed by untrusted user: l.behm
GPG key ID: D344835D63B89384

View file

@ -55,13 +55,11 @@ def create_ssl_context(config):
Creates the ssl context. Creates the ssl context.
return: context object or None return: context object or None
''' '''
context = None
requirement = ssl.CERT_REQUIRED requirement = ssl.CERT_REQUIRED
required = config['client']['required'].lower() match config['client']['required'].lower():
case 'false':
if required == 'false':
requirement = ssl.CERT_NONE requirement = ssl.CERT_NONE
elif required == 'may': case 'may':
requirement = ssl.CERT_OPTIONAL requirement = ssl.CERT_OPTIONAL
try: try:
@ -70,17 +68,20 @@ def create_ssl_context(config):
context.load_cert_chain(certfile=config['server']['cert'], context.load_cert_chain(certfile=config['server']['cert'],
keyfile=config['server']['key']) keyfile=config['server']['key'])
context.load_verify_locations(cafile=config['client']['cert']) context.load_verify_locations(cafile=config['client']['cert'])
#context.minimum_version = ssl.TLSVersion.TLSv1_2 context.set_ciphers("ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256")
#context.maximum_version = ssl.TLSVersion.TLSv1_2 context.set_ecdh_curve("secp384r1")
context.minimum_version = ssl.TLSVersion.TLSv1_2
context.maximum_version = ssl.TLSVersion.TLSv1_2
# ensure, compression is disabled (disabled by default anyway at the moment) # ensure, compression is disabled (disabled by default anyway at the moment)
context.options |= ssl.OP_NO_COMPRESSION context.options |= ssl.OP_NO_COMPRESSION
context.options |= ssl.OP_CIPHER_SERVER_PREFERENCE context.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
context.options |= ssl.OP_SINGLE_ECDH_USE
logging.debug('SSL context created') logging.debug('SSL context created')
return context
except Exception as e: except Exception as e:
logging.error('Failed to create SSL context') logging.error('Failed to create SSL context')
logging.error('Error: {}'.format(e)) logging.error('Error: {}'.format(e))
return None return None
return context
def print_ciphers(cipherlist): def print_ciphers(cipherlist):
''' '''
@ -449,7 +450,7 @@ def main():
Connection = context.wrap_socket(ClientSocket, server_side=True) Connection = context.wrap_socket(ClientSocket, server_side=True)
logging.info('SSL Connection established') logging.info('SSL Connection established')
Connection.settimeout(float(config['general']['timeout'])) Connection.settimeout(float(config['general']['timeout']))
logging.debug('Connection timeout set to {}'.format(config['general']['timeout'])) logging.debug('Connection timeout set to {}'.format(Connection.gettimeout())
cert = Connection.getpeercert(binary_form=False) cert = Connection.getpeercert(binary_form=False)
display_peercert(cert) display_peercert(cert)
except Exception as e: except Exception as e: