diff options
author | Patrick Maia and Victor Shyba <pixelated-team+pmaia+vshyba@thoughtworks.com> | 2014-11-28 14:37:24 -0300 |
---|---|---|
committer | Patrick Maia <pmaia@thoughtworks.com> | 2014-12-01 14:15:55 -0300 |
commit | 7b81228d18e047330307d83d90842cd746538bf0 (patch) | |
tree | 4f2d0c0e13578d2a7c4ff2fe31909c546334a6ec | |
parent | 98d5996497530a1069e227f6c9933789c001af30 (diff) |
Card #149 - ensure server only accepts good ciphers
-rw-r--r-- | service/pixelated/config/app_factory.py | 15 |
1 files changed, 11 insertions, 4 deletions
diff --git a/service/pixelated/config/app_factory.py b/service/pixelated/config/app_factory.py index 15577bb8..ede19e60 100644 --- a/service/pixelated/config/app_factory.py +++ b/service/pixelated/config/app_factory.py @@ -16,6 +16,7 @@ import sys from OpenSSL import SSL +from OpenSSL import crypto from twisted.internet import reactor from twisted.internet import ssl from twisted.web import resource @@ -139,10 +140,16 @@ def listen_without_ssl(app, args): def listen_with_ssl(app, args): - sslContext = ssl.DefaultOpenSSLContextFactory(privateKeyFileName=args.sslkey, - certificateFileName=args.sslcert, - sslmethod=SSL.TLSv1_METHOD) - reactor.listenSSL(args.ssl_port, Site(app.resource()), sslContext, interface=args.host) + pkey, cert = None, None + with open(args.sslkey) as keyfile: + pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, keyfile.read()) + with open(args.sslcert) as certfile: + cert = crypto.load_certificate(crypto.FILETYPE_PEM, certfile.read()) + + acceptable = ssl.AcceptableCiphers.fromOpenSSLCipherString('ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:!RC4:HIGH:!MD5:!aNULL:!EDH') + options = ssl.CertificateOptions(privateKey=pkey, certificate=cert, method=SSL.TLSv1_2_METHOD, acceptableCiphers=acceptable) + + reactor.listenSSL(args.ssl_port, Site(app.resource()), options, interface=args.host) reactor.listenTCP(args.port, Site(RedirectToSSL(args.ssl_port))) return reactor |