From 971bbd841b90051d91dc43c653ff39b115db43c6 Mon Sep 17 00:00:00 2001
From: Michael Hanselmann <hansmi@google.com>
Date: Mon, 14 Jun 2010 17:37:47 +0200
Subject: [PATCH] Disallow DES for SSL connections

Older OpenSSL versions include DES-CBC3-* ciphers when specifying the
HIGH group of ciphers. Removing potentially weak ciphers from the list
of allowed ciphers ensures only strong ciphers are considered for SSL
connections.

Signed-off-by: Michael Hanselmann <hansmi@google.com>
Reviewed-by: Guido Trotter <ultrotter@google.com>
---
 lib/constants.py        | 8 ++++++++
 lib/http/__init__.py    | 1 +
 lib/impexpd/__init__.py | 3 ++-
 3 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/lib/constants.py b/lib/constants.py
index 5a57629f0..0a8f407cb 100644
--- a/lib/constants.py
+++ b/lib/constants.py
@@ -204,6 +204,14 @@ SOCAT_ESCAPE_CODE = "0x1d"
 # 2010 on.
 RSA_KEY_BITS = 2048
 
+# Ciphers allowed for SSL connections. For the format, see ciphers(1). A better
+# way to disable ciphers would be to use the exclamation mark (!), but socat
+# versions below 1.5 can't parse exclamation marks in options properly. When
+# modifying the ciphers, ensure to not accidentially add something after it's
+# been removed. Use the "openssl" utility to check the allowed ciphers, e.g.
+# "openssl ciphers -v HIGH:-DES".
+OPENSSL_CIPHERS = "HIGH:-DES:-3DES:-EXPORT:-ADH"
+
 # Digest used to sign certificates ("openssl x509" uses SHA1 by default)
 X509_CERT_SIGN_DIGEST = "SHA1"
 
diff --git a/lib/http/__init__.py b/lib/http/__init__.py
index 2fc9cd204..a42c496ef 100644
--- a/lib/http/__init__.py
+++ b/lib/http/__init__.py
@@ -595,6 +595,7 @@ class HttpBase(object):
 
     ctx = OpenSSL.SSL.Context(OpenSSL.SSL.SSLv23_METHOD)
     ctx.set_options(OpenSSL.SSL.OP_NO_SSLv2)
+    ctx.set_cipher_list(constants.OPENSSL_CIPHERS)
 
     ctx.use_privatekey(self._ssl_key)
     ctx.use_certificate(self._ssl_cert)
diff --git a/lib/impexpd/__init__.py b/lib/impexpd/__init__.py
index b405f1bc1..5b14adcb3 100644
--- a/lib/impexpd/__init__.py
+++ b/lib/impexpd/__init__.py
@@ -77,7 +77,8 @@ BUFSIZE = 1024 * 1024
 
 # Common options for socat
 SOCAT_TCP_OPTS = ["keepalive", "keepidle=60", "keepintvl=10", "keepcnt=5"]
-SOCAT_OPENSSL_OPTS = ["verify=1", "cipher=HIGH", "method=TLSv1"]
+SOCAT_OPENSSL_OPTS = ["verify=1", "method=TLSv1",
+                      "cipher=%s" % constants.OPENSSL_CIPHERS]
 
 SOCAT_OPTION_MAXLEN = 400
 
-- 
GitLab