Commit 971bbd84 authored by Michael Hanselmann's avatar Michael Hanselmann

Disallow DES for SSL connections



Older OpenSSL versions include DES-CBC3-* ciphers when specifying the
HIGH group of ciphers. Removing potentially weak ciphers from the list
of allowed ciphers ensures only strong ciphers are considered for SSL
connections.
Signed-off-by: default avatarMichael Hanselmann <hansmi@google.com>
Reviewed-by: default avatarGuido Trotter <ultrotter@google.com>
parent 7f7b730a
......@@ -204,6 +204,14 @@ SOCAT_ESCAPE_CODE = "0x1d"
# 2010 on.
RSA_KEY_BITS = 2048
# Ciphers allowed for SSL connections. For the format, see ciphers(1). A better
# way to disable ciphers would be to use the exclamation mark (!), but socat
# versions below 1.5 can't parse exclamation marks in options properly. When
# modifying the ciphers, ensure to not accidentially add something after it's
# been removed. Use the "openssl" utility to check the allowed ciphers, e.g.
# "openssl ciphers -v HIGH:-DES".
OPENSSL_CIPHERS = "HIGH:-DES:-3DES:-EXPORT:-ADH"
# Digest used to sign certificates ("openssl x509" uses SHA1 by default)
X509_CERT_SIGN_DIGEST = "SHA1"
......
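Review bot: `-ADH` on the OPENSSL_CIPHERS line removes only anonymous DH suites; OpenSSL builds with elliptic-curve support also place anonymous ECDH suites (AECDH-*) in HIGH, and those are equally unauthenticated, so the list may still admit an unauthenticated suite depending on the OpenSSL version in use. The authentication alias covers both families: `OPENSSL_CIPHERS = "HIGH:-DES:-3DES:-EXPORT:-aNULL"`. Since the comment already recommends checking with the openssl utility, running `openssl ciphers -v 'HIGH:-DES:-3DES:-EXPORT:-ADH' | grep -i aecdh` against the oldest and newest OpenSSL the project targets would confirm whether this matters in practice. The comment line reading "accidentially" should be "accidentally".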
......@@ -595,6 +595,7 @@ class HttpBase(object):
ctx = OpenSSL.SSL.Context(OpenSSL.SSL.SSLv23_METHOD)
ctx.set_options(OpenSSL.SSL.OP_NO_SSLv2)
ctx.set_cipher_list(constants.OPENSSL_CIPHERS)
ctx.use_privatekey(self._ssl_key)
ctx.use_certificate(self._ssl_cert)
......
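Review bot: The cipher restriction is only half of the hardening here, because the context on the preceding lines is still created with SSLv23_METHOD and only SSLv2 is switched off, so SSLv3 remains negotiable on the Python side while the socat side of this same commit pins `method=TLSv1`. Changing the options line to `ctx.set_options(OpenSSL.SSL.OP_NO_SSLv2 | OpenSSL.SSL.OP_NO_SSLv3)` would make the two endpoints consistent and stop SSLv3-only peers from connecting at all. A short comment next to set_cipher_list, such as `# shared with the socat options; see constants.OPENSSL_CIPHERS for format caveats`, would also tell a reader why the list is not written inline. The enclosing HttpBase method starts before and ends after this hunk.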
......@@ -77,7 +77,8 @@ BUFSIZE = 1024 * 1024
# Common options for socat
SOCAT_TCP_OPTS = ["keepalive", "keepidle=60", "keepintvl=10", "keepcnt=5"]
SOCAT_OPENSSL_OPTS = ["verify=1", "cipher=HIGH", "method=TLSv1"]
SOCAT_OPENSSL_OPTS = ["verify=1", "method=TLSv1",
"cipher=%s" % constants.OPENSSL_CIPHERS]
SOCAT_OPTION_MAXLEN = 400
......
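Review bot: The new `"cipher=%s" % constants.OPENSSL_CIPHERS` line makes socat a second consumer of a constant whose syntax is constrained by socat's option parser (the constants.py comment notes socat versions below 1.5 cannot parse `!`), but nothing at this site records that constraint, so someone adjusting the shared constant for the pyOpenSSL consumer may not realize socat also reads it. A one-line comment above SOCAT_OPENSSL_OPTS such as `# cipher list is shared with HttpBase; keep it free of "!" for socat < 1.5` would make the coupling visible. It may also be worth confirming that the joined option string stays under SOCAT_OPTION_MAXLEN now that the cipher value is longer, though the current value looks well within the limit.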