Merge pull request #1242 from bersace/ssl

Configure SSL ciphers
dalibo · Aug 30, 2023 · 66a071e · 66a071e
2 parents 04cf720 + dd8b9ae
commit 66a071e
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 3 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -15,6 +15,7 @@ Ensure you use consistent title format.
 - Fix logging on light terminal.
 - Pin minor version of Python dependency in debian packages.
 - Remove dependency on distutils.
+- Disable 3DES and other loose SSL algorithmes.
 
 
 **UI changes**

diff --git a/agent/temboardagent/web/service.py b/agent/temboardagent/web/service.py
@@ -39,10 +39,26 @@ def setup(self):
             logger.debug(
                 "Using SSL certificate %s.",
                 self.app.config.temboard.ssl_cert_file)
-            self.server.socket = ssl.wrap_socket(
+            ctx = ssl.SSLContext()
+            ctx.load_cert_chain(
+                self.app.config.temboard.ssl_cert_file,
+                self.app.config.temboard.ssl_key_file,
+            )
+            ctx.set_ciphers(':'.join([
+                # From Mozilla SSL configuration generator. 2023-07-28
+                'ECDHE-ECDSA-AES128-GCM-SHA256',
+                'ECDHE-RSA-AES128-GCM-SHA256',
+                'ECDHE-ECDSA-AES256-GCM-SHA384',
+                'ECDHE-RSA-AES256-GCM-SHA384',
+                'ECDHE-ECDSA-CHACHA20-POLY1305',
+                'ECDHE-RSA-CHACHA20-POLY1305',
+                'DHE-RSA-AES128-GCM-SHA256',
+                'DHE-RSA-AES256-GCM-SHA384',
+                'DHE-RSA-CHACHA20-POLY1305',
+            ]))
+
+            self.server.socket = ctx.wrap_socket(
                 self.server.socket,
-                keyfile=self.app.config.temboard.ssl_key_file,
-                certfile=self.app.config.temboard.ssl_cert_file,
                 server_side=True,
             )
         except Exception as e:

diff --git a/ui/temboardui/cli/app.py b/ui/temboardui/cli/app.py
@@ -290,6 +290,18 @@ def setup(self):
             ssl_ctx = {
                 'certfile': config.temboard.ssl_cert_file,
                 'keyfile': config.temboard.ssl_key_file,
+                'ciphers': ':'.join([
+                    # From Mozilla SSL configuration generator. 2023-07-28
+                    'ECDHE-ECDSA-AES128-GCM-SHA256',
+                    'ECDHE-RSA-AES128-GCM-SHA256',
+                    'ECDHE-ECDSA-AES256-GCM-SHA384',
+                    'ECDHE-RSA-AES256-GCM-SHA384',
+                    'ECDHE-ECDSA-CHACHA20-POLY1305',
+                    'ECDHE-RSA-CHACHA20-POLY1305',
+                    'DHE-RSA-AES128-GCM-SHA256',
+                    'DHE-RSA-AES256-GCM-SHA384',
+                    'DHE-RSA-CHACHA20-POLY1305',
+                ]),
             }
             server = AutoHTTPSServer(self.app.tornado_app, ssl_options=ssl_ctx)
         else: