restrict available ciphers

only EECDH+AESGCM is allowed. now it uses only tls 1.2 and 1.3
This commit is contained in:
berhsi 2019-09-10 15:33:27 +02:00
parent c8814f322b
commit fef38a278b

View file

@ -80,6 +80,16 @@ def print_config(CONFIG):
return True
def print_ciphers(cipherlist):
print('Available ciphers')
for i in cipherlist:
print('\n')
for j in i.keys():
print('{}: {}'.format(j, i[j]))
print('\n')
return True
def display_peercert(cert):
for i in cert.keys():
print(i)
@ -211,18 +221,15 @@ def main():
exit()
context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
context.options &= ~ssl.OP_NO_SSLv2
context.options &= ~ssl.OP_NO_SSLv3
context.options &= ~ssl.PROTOCOL_TLS
context.options &= ~ssl.OP_CIPHER_SERVER_PREFERENCE
# context.options &= ~ssl.OP_DONT_INSERT_EMPTY_FRAGMENTS
context.options |= getattr(ssl._ssl, 'OP_NO_COMPRESSION', 0)
# context.set_ciphers('HIGHT:!aNULL:!RC4:!DSS')
context.verify_mode = ssl.CERT_REQUIRED
context.load_cert_chain(certfile = CONFIG['SERVER_CERT'],
keyfile = CONFIG['SERVER_KEY'])
context.load_verify_locations(cafile = CONFIG['CLIENT_CERT'])
context.set_ciphers('EECDH+AESGCM') # only ciphers for tls 1.2 and 1.3
context.options = ssl.OP_CIPHER_SERVER_PREFERENCE
context.options |= getattr(ssl._ssl, 'OP_NO_COMPRESSION', 0)
logging.debug('SSL context created')
# print_ciphers(context.get_ciphers())
with socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0) as mySocket:
logging.debug('Socket created')