restrict available ciphers
Only EECDH+AESGCM is allowed; it now uses only TLS 1.2 and 1.3.
This commit is contained in:
parent
c8814f322b
commit
fef38a278b
1 changed files with 14 additions and 7 deletions
21
statusd.py
21
statusd.py
|
@ -80,6 +80,16 @@ def print_config(CONFIG):
|
||||||
return True
|
return True
|
||||||
|
|
||||||
|
|
||||||
|
def print_ciphers(cipherlist):
|
||||||
|
print('Available ciphers')
|
||||||
|
for i in cipherlist:
|
||||||
|
print('\n')
|
||||||
|
for j in i.keys():
|
||||||
|
print('{}: {}'.format(j, i[j]))
|
||||||
|
print('\n')
|
||||||
|
return True
|
||||||
|
|
||||||
|
|
||||||
def display_peercert(cert):
|
def display_peercert(cert):
|
||||||
for i in cert.keys():
|
for i in cert.keys():
|
||||||
print(i)
|
print(i)
|
||||||
|
@ -211,18 +221,15 @@ def main():
|
||||||
exit()
|
exit()
|
||||||
|
|
||||||
context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
|
context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
|
||||||
context.options &= ~ssl.OP_NO_SSLv2
|
|
||||||
context.options &= ~ssl.OP_NO_SSLv3
|
|
||||||
context.options &= ~ssl.PROTOCOL_TLS
|
|
||||||
context.options &= ~ssl.OP_CIPHER_SERVER_PREFERENCE
|
|
||||||
# context.options &= ~ssl.OP_DONT_INSERT_EMPTY_FRAGMENTS
|
|
||||||
context.options |= getattr(ssl._ssl, 'OP_NO_COMPRESSION', 0)
|
|
||||||
# context.set_ciphers('HIGHT:!aNULL:!RC4:!DSS')
|
|
||||||
context.verify_mode = ssl.CERT_REQUIRED
|
context.verify_mode = ssl.CERT_REQUIRED
|
||||||
context.load_cert_chain(certfile = CONFIG['SERVER_CERT'],
|
context.load_cert_chain(certfile = CONFIG['SERVER_CERT'],
|
||||||
keyfile = CONFIG['SERVER_KEY'])
|
keyfile = CONFIG['SERVER_KEY'])
|
||||||
context.load_verify_locations(cafile = CONFIG['CLIENT_CERT'])
|
context.load_verify_locations(cafile = CONFIG['CLIENT_CERT'])
|
||||||
|
context.set_ciphers('EECDH+AESGCM') # only ciphers for tls 1.2 and 1.3
|
||||||
|
context.options = ssl.OP_CIPHER_SERVER_PREFERENCE
|
||||||
|
context.options |= getattr(ssl._ssl, 'OP_NO_COMPRESSION', 0)
|
||||||
logging.debug('SSL context created')
|
logging.debug('SSL context created')
|
||||||
|
# print_ciphers(context.get_ciphers())
|
||||||
|
|
||||||
with socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0) as mySocket:
|
with socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0) as mySocket:
|
||||||
logging.debug('Socket created')
|
logging.debug('Socket created')
|
||||||
|
|
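Review bot: The new `context.options = ssl.OP_CIPHER_SERVER_PREFERENCE` in main() assigns instead of ORing, so it clears every option bit that create_default_context() had already set (the OP_NO_SSLv2/OP_NO_SSLv3 and OP_NO_COMPRESSION flags among them) and the following line only restores compression disabling; the intended form is `context.options |= ssl.OP_CIPHER_SERVER_PREFERENCE`, after which the separate OP_NO_COMPRESSION line becomes redundant but harmless. The commit message's claim that only TLS 1.2 and 1.3 are accepted rests on EECDH+AESGCM having no suites usable below TLS 1.2 rather than on an explicit floor, and set_ciphers() does not govern the TLS 1.3 suite list at all; adding `context.minimum_version = ssl.TLSVersion.TLSv1_2` next to set_ciphers() states the policy directly and keeps it true if the cipher string is later loosened. The `ssl._ssl` attribute is private; `ssl.OP_NO_COMPRESSION` is the public name and needs no getattr fallback. main() starts and ends outside this hunk, so the remaining option handling could not be checked here.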