From 7b81228d18e047330307d83d90842cd746538bf0 Mon Sep 17 00:00:00 2001
From: Patrick Maia and Victor Shyba
Date: Fri, 28 Nov 2014 14:37:24 -0300
Subject: Card #149 - ensure server only accepts good ciphers

---
 service/pixelated/config/app_factory.py | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)
(limited to 'service/pixelated/config')

diff --git a/service/pixelated/config/app_factory.py b/service/pixelated/config/app_factory.py
index 15577bb8..ede19e60 100644
--- a/service/pixelated/config/app_factory.py
+++ b/service/pixelated/config/app_factory.py
@@ -16,6 +16,7 @@ import sys
 from OpenSSL import SSL
+from OpenSSL import crypto
 from twisted.internet import reactor
 from twisted.internet import ssl
 from twisted.web import resource
@@ -139,10 +140,16 @@ def listen_without_ssl(app, args):
 def listen_with_ssl(app, args):
-    sslContext = ssl.DefaultOpenSSLContextFactory(privateKeyFileName=args.sslkey,
-                                                  certificateFileName=args.sslcert,
-                                                  sslmethod=SSL.TLSv1_METHOD)
-    reactor.listenSSL(args.ssl_port, Site(app.resource()), sslContext, interface=args.host)
+    pkey, cert = None, None
+    with open(args.sslkey) as keyfile:
+        pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, keyfile.read())
+    with open(args.sslcert) as certfile:
+        cert = crypto.load_certificate(crypto.FILETYPE_PEM, certfile.read())
+    acceptable = ssl.AcceptableCiphers.fromOpenSSLCipherString('ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:!RC4:HIGH:!MD5:!aNULL:!EDH')
+    options = ssl.CertificateOptions(privateKey=pkey, certificate=cert, method=SSL.TLSv1_2_METHOD, acceptableCiphers=acceptable)
+    reactor.listenSSL(args.ssl_port, Site(app.resource()), options, interface=args.host)
     reactor.listenTCP(args.port, Site(RedirectToSSL(args.ssl_port)))
     return reactor
--
cgit v1.2.3
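Review bot: The cipher string on the `acceptable = ...` line undercuts the commit's stated goal: after the explicit ECDHE suites it appends the `HIGH` alias, which re-admits every high-strength suite the linked OpenSSL knows, including static-RSA key exchange (no forward secrecy) and, on OpenSSL builds of that era, 3DES-CBC, while the trailing `!EDH` then excludes the forward-secret DHE suites. If the intent is ECDHE-only, drop `HIGH` or append `!kRSA`, e.g. `'...:ECDHE-RSA-AES256-SHA:!RC4:!MD5:!aNULL:!EDH'`, and add a comment such as `# forward-secret ECDHE suites only; no static RSA, DHE, RC4 or MD5` so the ordering reads as deliberate. `method=SSL.TLSv1_2_METHOD` also limits the listener to TLS 1.2 clients, which looks intended but belongs in that same comment. The `pkey, cert = None, None` initialisation is dead code, since both `with` blocks assign unconditionally and any open or parse failure propagates out of the function.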