From e073ff3c736f70fbf0ae9767db9b223becee0b4e Mon Sep 17 00:00:00 2001 From: Kali Kaneko Date: Wed, 26 Nov 2014 21:06:25 +0100 Subject: force tls v1 in soledad client. Partially fixes #6437 --- client/changes/bug_6437_use_tls | 1 + client/src/leap/soledad/client/__init__.py | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) create mode 100644 client/changes/bug_6437_use_tls diff --git a/client/changes/bug_6437_use_tls b/client/changes/bug_6437_use_tls new file mode 100644 index 00000000..7138d962 --- /dev/null +++ b/client/changes/bug_6437_use_tls @@ -0,0 +1 @@ + o Use TLS v1 in soledad client. Fixes partially #6437 diff --git a/client/src/leap/soledad/client/__init__.py b/client/src/leap/soledad/client/__init__.py index 586e3389..4703133c 100644 --- a/client/src/leap/soledad/client/__init__.py +++ b/client/src/leap/soledad/client/__init__.py @@ -1335,7 +1335,8 @@ class VerifiedHTTPSConnection(httplib.HTTPSConnection): self.sock = ssl.wrap_socket(sock, ca_certs=SOLEDAD_CERT, - cert_reqs=ssl.CERT_REQUIRED) + cert_reqs=ssl.CERT_REQUIRED, + ssl_version=ssl.PROTOCOL_TLSv1) match_hostname(self.sock.getpeercert(), self.host) -- cgit v1.2.3 From c88472a94c15adef4275242934f2a3eec9778dd4 Mon Sep 17 00:00:00 2001 From: drebs Date: Wed, 26 Nov 2014 20:20:52 -0200 Subject: Enforce TLSv1 in soledad server (#6437). --- server/changes/bug_6437_avoid-sslv3 | 1 + server/pkg/soledad | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) create mode 100644 server/changes/bug_6437_avoid-sslv3 diff --git a/server/changes/bug_6437_avoid-sslv3 b/server/changes/bug_6437_avoid-sslv3 new file mode 100644 index 00000000..5d41fbb3 --- /dev/null +++ b/server/changes/bug_6437_avoid-sslv3 @@ -0,0 +1 @@ + o Avoid use of SSLv3 (#6437). diff --git a/server/pkg/soledad b/server/pkg/soledad index 841233d1..62b7c5f8 100644 --- a/server/pkg/soledad +++ b/server/pkg/soledad @@ -19,6 +19,7 @@ CERT_PATH=/etc/leap/soledad-server.pem PRIVKEY_PATH=/etc/leap/soledad-server.key TWISTD_PATH=/usr/bin/twistd HOME=/var/lib/soledad/ +SSL_METHOD=TLSv1_METHOD [ -r /etc/default/soledad ] && . /etc/default/soledad @@ -35,7 +36,7 @@ case "$1" in --logfile=$LOGFILE \ web \ --wsgi=$OBJ \ - --port=ssl:$HTTPS_PORT:privateKey=$PRIVKEY_PATH:certKey=$CERT_PATH + --port=ssl:${HTTPS_PORT}:privateKey=${PRIVKEY_PATH}:certKey=${CERT_PATH}:sslmethod=${SSL_METHOD} echo "." ;; -- cgit v1.2.3 From 6b6b4af8edc807726341b848165c91ff02e9148b Mon Sep 17 00:00:00 2001 From: drebs Date: Wed, 26 Nov 2014 20:23:33 -0200 Subject: Run daemon as user soledad (#6436). --- server/changes/bug_6436_run-daemon-as-user-soledad | 1 + server/pkg/soledad | 6 +++++- 2 files changed, 6 insertions(+), 1 deletion(-) create mode 100644 server/changes/bug_6436_run-daemon-as-user-soledad diff --git a/server/changes/bug_6436_run-daemon-as-user-soledad b/server/changes/bug_6436_run-daemon-as-user-soledad new file mode 100644 index 00000000..886964f1 --- /dev/null +++ b/server/changes/bug_6436_run-daemon-as-user-soledad @@ -0,0 +1 @@ + o Run daemon as user soledad (#6436). diff --git a/server/pkg/soledad b/server/pkg/soledad index 62b7c5f8..7f48e2c8 100644 --- a/server/pkg/soledad +++ b/server/pkg/soledad @@ -20,6 +20,8 @@ PRIVKEY_PATH=/etc/leap/soledad-server.key TWISTD_PATH=/usr/bin/twistd HOME=/var/lib/soledad/ SSL_METHOD=TLSv1_METHOD +USER=soledad +GROUP=soledad [ -r /etc/default/soledad ] && . /etc/default/soledad @@ -31,7 +33,9 @@ test -r /etc/leap/ || exit 0 case "$1" in start) echo -n "Starting soledad: twistd" - start-stop-daemon --start --quiet --exec $TWISTD_PATH -- \ + start-stop-daemon --start --quiet \ + --user=$USER --group=$GROUP \ + --exec $TWISTD_PATH -- \ --pidfile=$PIDFILE \ --logfile=$LOGFILE \ web \ -- cgit v1.2.3 From 4f7a1e1063199cb91535ab9cd3ca428bca2ced96 Mon Sep 17 00:00:00 2001 From: drebs Date: Fri, 28 Nov 2014 09:39:41 -0200 Subject: Enclose server initscript variables in curly brackets. --- server/pkg/soledad | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/server/pkg/soledad b/server/pkg/soledad index 7f48e2c8..bf24dac2 100644 --- a/server/pkg/soledad +++ b/server/pkg/soledad @@ -30,16 +30,16 @@ test -r /etc/leap/ || exit 0 . /lib/lsb/init-functions -case "$1" in +case "${1}" in start) echo -n "Starting soledad: twistd" start-stop-daemon --start --quiet \ - --user=$USER --group=$GROUP \ - --exec $TWISTD_PATH -- \ - --pidfile=$PIDFILE \ - --logfile=$LOGFILE \ + --user=${USER} --group=${GROUP} \ + --exec ${TWISTD_PATH} -- \ + --pidfile=${PIDFILE} \ + --logfile=${LOGFILE} \ web \ - --wsgi=$OBJ \ + --wsgi=${OBJ} \ --port=ssl:${HTTPS_PORT}:privateKey=${PRIVKEY_PATH}:certKey=${CERT_PATH}:sslmethod=${SSL_METHOD} echo "." ;; @@ -47,21 +47,21 @@ case "$1" in stop) echo -n "Stopping soledad: twistd" start-stop-daemon --stop --quiet \ - --pidfile $PIDFILE + --pidfile ${PIDFILE} echo "." ;; restart) - $0 stop - $0 start + ${0} stop + ${0} start ;; force-reload) - $0 restart + ${0} restart ;; status) - status_of_proc -p $PIDFILE $TWISTD_PATH soledad && exit 0 || exit $? + status_of_proc -p ${PIDFILE} ${TWISTD_PATH} soledad && exit 0 || exit ${?} ;; *) -- cgit v1.2.3 From 6fc80e14d568d83df7899e516d1422b2e011d2cb Mon Sep 17 00:00:00 2001 From: Kali Kaneko Date: Wed, 3 Dec 2014 00:22:18 +0100 Subject: Use SSL negotiation. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Although the API can be misleading, PROTOCOL_SSLv23 selects the highest protocol version that both the client and server support. Despite the name, this option can select “TLS” protocols as well as “SSL”. In this way, we can use TLSv1.2 (PROTOCOL_TLSv1 will *only* give us TLS v1.0) In the client side, we try to disable SSLv2 and SSLv3 options explicitely. The python version in wheezy does not offer PROTOCOL_TLSv1_2 nor OP_NO_SSLv2 or OP_NO_SSLv3 (It's new in 2.7.9) --- client/src/leap/soledad/client/__init__.py | 21 +++++++++++++++++---- server/pkg/soledad | 2 +- 2 files changed, 18 insertions(+), 5 deletions(-) diff --git a/client/src/leap/soledad/client/__init__.py b/client/src/leap/soledad/client/__init__.py index 4703133c..7ef5f6a9 100644 --- a/client/src/leap/soledad/client/__init__.py +++ b/client/src/leap/soledad/client/__init__.py @@ -1333,10 +1333,23 @@ class VerifiedHTTPSConnection(httplib.HTTPSConnection): self.sock = sock self._tunnel() - self.sock = ssl.wrap_socket(sock, - ca_certs=SOLEDAD_CERT, - cert_reqs=ssl.CERT_REQUIRED, - ssl_version=ssl.PROTOCOL_TLSv1) + # negotiate the best availabe version... + ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23) + + # but if possible, we want to disable bad ones + # needs python 2.7.9+ + try: + ctx.options |= ssl.OP_NO_SSLv2 + ctx.options |= ssl.OP_NO_SSLv3 + except AttributeError: + pass + + ctx.load_cert_chain(certfile=SOLEDAD_CERT) + ctx.verify_mode = ssl.CERT_REQUIRED + + self.sock = ctx.wrap_socket( + sock, server_side=True, server_hostname=self.host) + match_hostname(self.sock.getpeercert(), self.host) diff --git a/server/pkg/soledad b/server/pkg/soledad index bf24dac2..ccb3e9b0 100644 --- a/server/pkg/soledad +++ b/server/pkg/soledad @@ -19,7 +19,7 @@ CERT_PATH=/etc/leap/soledad-server.pem PRIVKEY_PATH=/etc/leap/soledad-server.key TWISTD_PATH=/usr/bin/twistd HOME=/var/lib/soledad/ -SSL_METHOD=TLSv1_METHOD +SSL_METHOD=SSLv23_METHOD USER=soledad GROUP=soledad -- cgit v1.2.3 From 527c28c73d22b5f852273e2c5d1713e82a2c49fd Mon Sep 17 00:00:00 2001 From: Kali Kaneko Date: Thu, 4 Dec 2014 18:13:06 +0100 Subject: fix ssl negotiation since ssl.SSLContext does not exist prior to python 2.7.9 --- client/src/leap/soledad/client/__init__.py | 23 +++++++++++++---------- 1 file changed, 13 insertions(+), 10 deletions(-) diff --git a/client/src/leap/soledad/client/__init__.py b/client/src/leap/soledad/client/__init__.py index 7ef5f6a9..c350d021 100644 --- a/client/src/leap/soledad/client/__init__.py +++ b/client/src/leap/soledad/client/__init__.py @@ -1333,22 +1333,25 @@ class VerifiedHTTPSConnection(httplib.HTTPSConnection): self.sock = sock self._tunnel() - # negotiate the best availabe version... - ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23) + highest_supported = ssl.PROTOCOL_SSLv23 - # but if possible, we want to disable bad ones - # needs python 2.7.9+ try: + # needs python 2.7.9+ + # negotiate the best available version, + # but explicitely disabled bad ones. + ctx = ssl.SSLContext(highest_supported) ctx.options |= ssl.OP_NO_SSLv2 ctx.options |= ssl.OP_NO_SSLv3 - except AttributeError: - pass - ctx.load_cert_chain(certfile=SOLEDAD_CERT) - ctx.verify_mode = ssl.CERT_REQUIRED + ctx.load_cert_chain(certfile=SOLEDAD_CERT) + ctx.verify_mode = ssl.CERT_REQUIRED + self.sock = ctx.wrap_socket( + sock, server_side=True, server_hostname=self.host) - self.sock = ctx.wrap_socket( - sock, server_side=True, server_hostname=self.host) + except AttributeError: + self.sock = ssl.wrap_socket( + sock, ca_certs=SOLEDAD_CERT, cert_reqs=ssl.CERT_REQUIRED, + ssl_version=highest_supported) match_hostname(self.sock.getpeercert(), self.host) -- cgit v1.2.3 From 2abe641215b6435fa3c18ae802a621a23d01f643 Mon Sep 17 00:00:00 2001 From: drebs Date: Mon, 8 Dec 2014 14:36:25 -0200 Subject: Fold in changes. --- CHANGELOG | 8 ++++++++ client/changes/bug_6437_use_tls | 1 - server/changes/bug_6436_run-daemon-as-user-soledad | 1 - server/changes/bug_6437_avoid-sslv3 | 1 - 4 files changed, 8 insertions(+), 3 deletions(-) delete mode 100644 client/changes/bug_6437_use_tls delete mode 100644 server/changes/bug_6436_run-daemon-as-user-soledad delete mode 100644 server/changes/bug_6437_avoid-sslv3 diff --git a/CHANGELOG b/CHANGELOG index 0dce4847..7cf5a3b4 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,3 +1,11 @@ +0.6.1 Dec 08 2014: +Client: + o Use TLS v1 in soledad client. Fixes partially #6437 + +Server: + o Run daemon as user soledad (#6436). + o Avoid use of SSLv3 (#6437). + 0.6.0 Jul 18, 2014: Client: o Close all connections after syncing. Fixes #5518. diff --git a/client/changes/bug_6437_use_tls b/client/changes/bug_6437_use_tls deleted file mode 100644 index 7138d962..00000000 --- a/client/changes/bug_6437_use_tls +++ /dev/null @@ -1 +0,0 @@ - o Use TLS v1 in soledad client. Fixes partially #6437 diff --git a/server/changes/bug_6436_run-daemon-as-user-soledad b/server/changes/bug_6436_run-daemon-as-user-soledad deleted file mode 100644 index 886964f1..00000000 --- a/server/changes/bug_6436_run-daemon-as-user-soledad +++ /dev/null @@ -1 +0,0 @@ - o Run daemon as user soledad (#6436). diff --git a/server/changes/bug_6437_avoid-sslv3 b/server/changes/bug_6437_avoid-sslv3 deleted file mode 100644 index 5d41fbb3..00000000 --- a/server/changes/bug_6437_avoid-sslv3 +++ /dev/null @@ -1 +0,0 @@ - o Avoid use of SSLv3 (#6437). -- cgit v1.2.3