From c4c78aa5ba69ef24f178b3715e5064478f37e3dc Mon Sep 17 00:00:00 2001
From: Ludwig Behm <ludwig@behm.me>
Date: Wed, 25 Oct 2023 00:35:28 +0200
Subject: [PATCH] Fix apistatusd.py/create_ssl_context: set sane cipher list,
 ecdh_curve, single_ecdh_use

---
 source/server/apistatusd.py | 23 ++++++++++++-----------
 1 file changed, 12 insertions(+), 11 deletions(-)

diff --git a/source/server/apistatusd.py b/source/server/apistatusd.py
index fe79acf..048e554 100755
--- a/source/server/apistatusd.py
+++ b/source/server/apistatusd.py
@@ -55,14 +55,12 @@ def create_ssl_context(config):
     Creates the ssl context.
     return: context object or None
     '''
-    context = None
     requirement = ssl.CERT_REQUIRED
-    required = config['client']['required'].lower()
-
-    if required == 'false':
-        requirement = ssl.CERT_NONE
-    elif required == 'may':
-        requirement = ssl.CERT_OPTIONAL
+    match config['client']['required'].lower():
+        case 'false':
+            requirement = ssl.CERT_NONE
+        case 'may':
+            requirement = ssl.CERT_OPTIONAL
 
     try:
         context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
@@ -70,17 +68,20 @@ def create_ssl_context(config):
         context.load_cert_chain(certfile=config['server']['cert'],
                                 keyfile=config['server']['key'])
         context.load_verify_locations(cafile=config['client']['cert'])
-        #context.minimum_version = ssl.TLSVersion.TLSv1_2
-        #context.maximum_version = ssl.TLSVersion.TLSv1_2
+        context.set_ciphers("ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256")
+        context.set_ecdh_curve("secp384r1")
+        context.minimum_version = ssl.TLSVersion.TLSv1_2
+        context.maximum_version = ssl.TLSVersion.TLSv1_2
         # ensure, compression is disabled (disabled by default anyway at the moment)
         context.options |= ssl.OP_NO_COMPRESSION
         context.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
+        context.options |= ssl.OP_SINGLE_ECDH_USE
         logging.debug('SSL context created')
+        return context
     except Exception as e:
         logging.error('Failed to create SSL context')
         logging.error('Error: {}'.format(e))
         return None
-    return context
 
 def print_ciphers(cipherlist):
     '''
@@ -449,7 +450,7 @@ def main():
                     Connection = context.wrap_socket(ClientSocket, server_side=True)
                     logging.info('SSL Connection established')
                     Connection.settimeout(float(config['general']['timeout']))
-                    logging.debug('Connection timeout set to {}'.format(config['general']['timeout']))
+                    logging.debug('Connection timeout set to {}'.format(Connection.gettimeout())
                     cert = Connection.getpeercert(binary_form=False)
                     display_peercert(cert)
                 except Exception as e: