authorStanislav Laznicka <slaznick@redhat.com>2017-02-23 14:31:50 +0100
committerTomas Krizek <tkrizek@redhat.com>2017-03-09 10:27:55 +0100
commitfda22c33441d3b2c541a272e411ac1503a20fb01 (patch)
treef6875bfd340cdf5d48cbc57f59720d04b017d662
parent61cd4372e142662c06c881886709fe1b573102a9 (diff)
Don't use weak ciphers for client HTTPS connections
https://pagure.io/freeipa/issue/6730 Reviewed-By: Martin Basti <mbasti@redhat.com>
-rw-r--r--ipalib/constants.py3
-rw-r--r--ipalib/util.py6
2 files changed, 8 insertions, 1 deletions
diff --git a/ipalib/constants.py b/ipalib/constants.py
index 8789a95d0..5a26173d2 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -296,3 +296,6 @@ TLS_VERSIONS = [
"tls1.2"
]
TLS_VERSION_MINIMAL = "tls1.0"
+# high ciphers without RC4, MD5, TripleDES, pre-shared key
+# and secure remote password
+TLS_HIGH_CIPHERS = "HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES:!PSK:!SRP"
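Review bot: The comment above the new constant names only five of the seven exclusions in the cipher string; `!aNULL` and `!eNULL` (anonymous key exchange and null encryption) are also dropped, and a reader verifying the comment against the string should not have to work that out. Suggest `# OpenSSL cipher-list string: HIGH-strength suites, excluding anonymous (aNULL)` / `# and null-encryption (eNULL) suites, MD5, RC4, 3DES, PSK and SRP.` It would also help to state that the string is OpenSSL cipher-list syntax evaluated by the linked library at runtime, since the concrete suites `HIGH` expands to depend on the OpenSSL build rather than on this file. Note that `HIGH:!aNULL` still admits suites with static RSA key exchange (no forward secrecy); if that is intentional, saying so in the comment records the decision.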
diff --git a/ipalib/util.py b/ipalib/util.py
index 2beabf1c7..e9d410577 100644
--- a/ipalib/util.py
+++ b/ipalib/util.py
@@ -52,7 +52,7 @@ except ImportError:
from ipalib import errors, messages
from ipalib.constants import (
DOMAIN_LEVEL_0,
- TLS_VERSIONS, TLS_VERSION_MINIMAL
+ TLS_VERSIONS, TLS_VERSION_MINIMAL, TLS_HIGH_CIPHERS
)
from ipalib.text import _
from ipapython.ssh import SSHPublicKey
@@ -303,6 +303,10 @@ def create_https_connection(
ssl.OP_SINGLE_ECDH_USE
)
+ # high ciphers without RC4, MD5, TripleDES, pre-shared key
+ # and secure remote password
+ ctx.set_ciphers(TLS_HIGH_CIPHERS)
+
# pylint: enable=no-member
# set up the correct TLS version flags for the SSL context
for version in TLS_VERSIONS:
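Review bot: `ctx.set_ciphers(TLS_HIGH_CIPHERS)` raises `ssl.SSLError` when the linked OpenSSL cannot select any suite for the string (a restricted or FIPS build, for instance), and nothing in the hunk handles or documents that. Whether callers of create_https_connection already expect `ssl.SSLError` is not visible here, so either catch it and re-raise with a message naming the cipher string, or add `# raises ssl.SSLError if no cipher in TLS_HIGH_CIPHERS is available in this OpenSSL build` above the call. The two comment lines added before the call duplicate the comment on the constant in ipalib/constants.py; keeping the rationale in one place next to the constant and referencing it here avoids the two drifting apart. create_https_connection starts and ends outside the hunk.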