URL: https://github.com/freeipa/freeipa/pull/544
Author: stlaz
 Title: #544: Don't use weak ciphers for client HTTPS connections
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/544/head:pr544
git checkout pr544
From 2ba5889ff71093b9b8fffd03a310412e3bf60f2d Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slazn...@redhat.com>
Date: Thu, 23 Feb 2017 14:31:50 +0100
Subject: [PATCH] Don't use weak ciphers for client HTTPS connections

https://pagure.io/freeipa/issue/6730
---
 ipalib/constants.py | 3 +++
 ipalib/util.py      | 6 +++++-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/ipalib/constants.py b/ipalib/constants.py
index 8789a95..5a26173 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -296,3 +296,6 @@
     "tls1.2"
 ]
 TLS_VERSION_MINIMAL = "tls1.0"
+# high ciphers without RC4, MD5, TripleDES, pre-shared key
+# and secure remote password
+TLS_HIGH_CIPHERS = "HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES:!PSK:!SRP"
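Review bot: The comment on TLS_HIGH_CIPHERS does not describe the whole string: besides RC4, MD5, TripleDES, PSK and SRP it also excludes the anonymous (`!aNULL`) and null-encryption (`!eNULL`) suites, which for an HTTPS client are the most important exclusions since they give up server authentication and confidentiality entirely. Suggest `# HIGH ciphers, excluding anonymous/null (aNULL, eNULL), MD5, RC4, TripleDES, pre-shared key (PSK) and secure remote password (SRP)`. It may also be worth saying in the comment that `HIGH` is an OpenSSL alias resolved at runtime, so the effective cipher set depends on the OpenSSL build Python's ssl module is linked against rather than on this string alone.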
diff --git a/ipalib/util.py b/ipalib/util.py
index 2beabf1..e9d4105 100644
--- a/ipalib/util.py
+++ b/ipalib/util.py
@@ -52,7 +52,7 @@
 from ipalib import errors, messages
 from ipalib.constants import (
     DOMAIN_LEVEL_0,
-    TLS_VERSIONS, TLS_VERSION_MINIMAL
+    TLS_VERSIONS, TLS_VERSION_MINIMAL, TLS_HIGH_CIPHERS
 )
 from ipalib.text import _
 from ipapython.ssh import SSHPublicKey
@@ -303,6 +303,10 @@ def create_https_connection(
         ssl.OP_SINGLE_ECDH_USE
     )
 
+    # high ciphers without RC4, MD5, TripleDES, pre-shared key
+    # and secure remote password
+    ctx.set_ciphers(TLS_HIGH_CIPHERS)
+
     # pylint: enable=no-member
     # set up the correct TLS version flags for the SSL context
     for version in TLS_VERSIONS:
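Review bot: `ctx.set_ciphers(TLS_HIGH_CIPHERS)` raises `ssl.SSLError` when the linked OpenSSL matches no cipher in the string, and the hunk neither handles nor documents that; a short `# raises ssl.SSLError if the OpenSSL build offers none of these ciphers` on the call would tell callers what to expect. The two-line comment above the call repeats the one placed on the constant in ipalib/constants.py and the two will drift apart; `# restrict to the hardened cipher list, see TLS_HIGH_CIPHERS in ipalib.constants` keeps a single description. The enclosing create_https_connection starts and ends outside the hunk.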
-- 
