restrict available ciphers
only EECDH+AESGCM is allowed. now it uses only tls 1.2 and 1.3
This commit is contained in:
parent
c8814f322b
commit
fef38a278b
1 changed files with 14 additions and 7 deletions
21
statusd.py
21
statusd.py
|
@ -80,6 +80,16 @@ def print_config(CONFIG):
|
|||
return True
|
||||
|
||||
|
||||
def print_ciphers(cipherlist):
|
||||
print('Available ciphers')
|
||||
for i in cipherlist:
|
||||
print('\n')
|
||||
for j in i.keys():
|
||||
print('{}: {}'.format(j, i[j]))
|
||||
print('\n')
|
||||
return True
|
||||
|
||||
|
||||
def display_peercert(cert):
|
||||
for i in cert.keys():
|
||||
print(i)
|
||||
|
@ -211,18 +221,15 @@ def main():
|
|||
exit()
|
||||
|
||||
context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
|
||||
context.options &= ~ssl.OP_NO_SSLv2
|
||||
context.options &= ~ssl.OP_NO_SSLv3
|
||||
context.options &= ~ssl.PROTOCOL_TLS
|
||||
context.options &= ~ssl.OP_CIPHER_SERVER_PREFERENCE
|
||||
# context.options &= ~ssl.OP_DONT_INSERT_EMPTY_FRAGMENTS
|
||||
context.options |= getattr(ssl._ssl, 'OP_NO_COMPRESSION', 0)
|
||||
# context.set_ciphers('HIGHT:!aNULL:!RC4:!DSS')
|
||||
context.verify_mode = ssl.CERT_REQUIRED
|
||||
context.load_cert_chain(certfile = CONFIG['SERVER_CERT'],
|
||||
keyfile = CONFIG['SERVER_KEY'])
|
||||
context.load_verify_locations(cafile = CONFIG['CLIENT_CERT'])
|
||||
context.set_ciphers('EECDH+AESGCM') # only ciphers for tls 1.2 and 1.3
|
||||
context.options = ssl.OP_CIPHER_SERVER_PREFERENCE
|
||||
context.options |= getattr(ssl._ssl, 'OP_NO_COMPRESSION', 0)
|
||||
logging.debug('SSL context created')
|
||||
# print_ciphers(context.get_ciphers())
|
||||
|
||||
with socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0) as mySocket:
|
||||
logging.debug('Socket created')
|
||||
|
|
Loading…
Reference in a new issue