From fef38a278ba77241015705a10d28e9e341d19c35 Mon Sep 17 00:00:00 2001 From: berhsi Date: Tue, 10 Sep 2019 15:33:27 +0200 Subject: [PATCH] restrict available ciphers only EECDH+AESGCM is allowed. now it uses only tls 1.2 and 1.3 --- statusd.py | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/statusd.py b/statusd.py index f3060f4..e0f1462 100755 --- a/statusd.py +++ b/statusd.py @@ -80,6 +80,16 @@ def print_config(CONFIG): return True +def print_ciphers(cipherlist): + print('Available ciphers') + for i in cipherlist: + print('\n') + for j in i.keys(): + print('{}: {}'.format(j, i[j])) + print('\n') + return True + + def display_peercert(cert): for i in cert.keys(): print(i) @@ -211,18 +221,15 @@ def main(): exit() context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH) - context.options &= ~ssl.OP_NO_SSLv2 - context.options &= ~ssl.OP_NO_SSLv3 - context.options &= ~ssl.PROTOCOL_TLS - context.options &= ~ssl.OP_CIPHER_SERVER_PREFERENCE - # context.options &= ~ssl.OP_DONT_INSERT_EMPTY_FRAGMENTS - context.options |= getattr(ssl._ssl, 'OP_NO_COMPRESSION', 0) - # context.set_ciphers('HIGHT:!aNULL:!RC4:!DSS') context.verify_mode = ssl.CERT_REQUIRED context.load_cert_chain(certfile = CONFIG['SERVER_CERT'], keyfile = CONFIG['SERVER_KEY']) context.load_verify_locations(cafile = CONFIG['CLIENT_CERT']) + context.set_ciphers('EECDH+AESGCM') # only ciphers for tls 1.2 and 1.3 + context.options = ssl.OP_CIPHER_SERVER_PREFERENCE + context.options |= getattr(ssl._ssl, 'OP_NO_COMPRESSION', 0) logging.debug('SSL context created') + # print_ciphers(context.get_ciphers()) with socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0) as mySocket: logging.debug('Socket created')