2020#
2121# You should have received a copy of the GNU General Public License
2222# along with this program; if not, write to the Free Software
23- # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
23+ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
24+ # USA.
2425#
2526# -- END_HEADER ---
2627#
4041def hardened_ssl_context (configuration , keyfile , certfile , dhparamsfile = None ,
4142 ciphers = STRONG_TLS_CIPHERS ,
4243 curve_priority = STRONG_TLS_CURVES ,
43- allow_pre_tlsv12 = False ,
4444 allow_pre_tlsv13 = True ,
4545 allow_renegotiation = False ,
4646 ):
4747 """Build and return a hardened native SSL context to apply to a socket"""
4848 _logger = configuration .logger
4949 _logger .info ("enforcing strong SSL/TLS connections" )
5050 _logger .debug ("using SSL/TLS ciphers: %s" % ciphers )
51- ssl_protocol = ssl .PROTOCOL_SSLv23
52- ssl_ctx = ssl .SSLContext ( ssl_protocol )
51+ ssl_ctx = ssl .create_default_context ()
52+ ssl_ctx . minimum_version = ssl .TLSVersion . TLSv1_2
5353 ssl_ctx .load_cert_chain (certfile , keyfile )
5454 ssl_options = 0
5555 # NOTE: Override a number of weak and insecure legacy configurations
@@ -58,11 +58,7 @@ def hardened_ssl_context(configuration, keyfile, certfile, dhparamsfile=None,
5858 ssl_options |= getattr (ssl , 'OP_NO_SSLv2' , 0x1000000 )
5959 ssl_options |= getattr (ssl , 'OP_NO_SSLv3' , 0x2000000 )
6060 ssl_options |= getattr (ssl , 'OP_NO_TLSv1' , 0x4000000 )
61- ssl_ctx .minimum_version = ssl .TLSVersion .TLSv1_1
62- # NOTE: refuse weak TLS protocols unless allow_pre_tlsv12
63- if not allow_pre_tlsv12 :
64- ssl_options |= getattr (ssl , 'OP_NO_TLSv1_1' , 0x10000000 )
65- ssl_ctx .minimum_version = ssl .TLSVersion .TLSv1_2
61+ ssl_options |= getattr (ssl , 'OP_NO_TLSv1_1' , 0x10000000 )
6662 # NOTE: refuse slightly dated TLS 1.2 protocol unless allow_pre_tlsv13
6763 if not allow_pre_tlsv13 :
6864 if getattr (ssl , 'HAS_TLSv1_3' , False ):
@@ -78,17 +74,13 @@ def hardened_ssl_context(configuration, keyfile, certfile, dhparamsfile=None,
7874 ssl_options |= getattr (ssl , 'OP_CIPHER_SERVER_PREFERENCE' , 0x400000 )
7975 ssl_options |= getattr (ssl , 'OP_SINGLE_ECDH_USE' , 0x80000 )
8076 ssl_options |= getattr (ssl , 'OP_SINGLE_DH_USE' , 0x100000 )
81- # Useful for debugging
82- # ssl_options |= getattr(ssl, 'OP_NO_TICKET', 0x0004000)
83- # ssl_options |= getattr(ssl, 'OP_NO_TLSv1_1', 0x10000000)
84- # ssl_options |= getattr(ssl, 'OP_NO_TLSv1_2', 0x8000000)
85- if sys .version_info [:2 ] >= (2 , 7 ) and ssl_ctx :
77+ if sys .version_info [:2 ] >= (3 , 7 ) and ssl_ctx :
8678 _logger .info ("enforcing strong SSL/TLS options" )
8779 _logger .debug ("SSL/TLS options: %s" % ssl_options )
8880 ssl_ctx .options |= ssl_options
8981 else :
9082 _logger .info ("can't enforce strong SSL/TLS options" )
91- _logger .warning ("Upgrade to python 2.7.9 + for maximum security" )
83+ _logger .warning ("Upgrade to python 3.7 + for maximum security" )
9284
9385 pfs_available = False
9486 if dhparamsfile :
@@ -134,7 +126,6 @@ def hardened_openssl_context(configuration, OpenSSL, keyfile, certfile,
134126 cacertfile = None , dhparamsfile = None ,
135127 ciphers = STRONG_TLS_CIPHERS ,
136128 curve_priority = STRONG_TLS_CURVES ,
137- allow_pre_tlsv12 = False ,
138129 allow_pre_tlsv13 = True ,
139130 allow_renegotiation = False ,
140131 ):
@@ -143,8 +134,10 @@ def hardened_openssl_context(configuration, OpenSSL, keyfile, certfile,
143134 SSL , crypto = OpenSSL .SSL , OpenSSL .crypto
144135 _logger .info ("enforcing strong SSL/TLS connections" )
145136 _logger .debug ("using SSL/TLS ciphers: %s" % ciphers )
146- ssl_protocol = SSL .SSLv23_METHOD
147- ssl_ctx = SSL .Context (ssl_protocol )
137+ ssl_ctx = SSL .Context (SSL .TLS_SERVER_METHOD )
138+ ssl_ctx .set_min_proto_version (SSL .TLS1_2_VERSION )
139+ # Mimic native ssl exposure of options
140+ ssl_ctx ._minimum_version = SSL .TLS1_2_VERSION
148141 ssl_ctx .use_certificate_chain_file (certfile )
149142 ssl_ctx .use_privatekey_file (keyfile )
150143 if cacertfile :
@@ -157,15 +150,7 @@ def hardened_openssl_context(configuration, OpenSSL, keyfile, certfile,
157150 ssl_options |= getattr (SSL , 'OP_NO_SSLv2' , 0x1000000 )
158151 ssl_options |= getattr (SSL , 'OP_NO_SSLv3' , 0x2000000 )
159152 ssl_options |= getattr (SSL , 'OP_NO_TLSv1' , 0x4000000 )
160- ssl_ctx .set_min_proto_version (SSL .TLS1_1_VERSION )
161- # Mimic native ssl exposure of options
162- ssl_ctx ._minimum_version = SSL .TLS1_1_VERSION
163- # NOTE: refuse weak TLS protocols unless allow_pre_tlsv12
164- if not allow_pre_tlsv12 :
165- ssl_options |= getattr (SSL , 'OP_NO_TLSv1_1' , 0x10000000 )
166- ssl_ctx .set_min_proto_version (SSL .TLS1_2_VERSION )
167- # Mimic native ssl exposure of options
168- ssl_ctx ._minimum_version = SSL .TLS1_2_VERSION
153+ ssl_options |= getattr (SSL , 'OP_NO_TLSv1_1' , 0x10000000 )
169154 # NOTE: refuse slightly dated TLS 1.2 protocol unless allow_pre_tlsv13
170155 if not allow_pre_tlsv13 :
171156 # IMPORTANT: OpenSSL doesn't have TLSv1.3 support marker at the moment,
@@ -186,15 +171,15 @@ def hardened_openssl_context(configuration, OpenSSL, keyfile, certfile,
186171 ssl_options |= getattr (SSL , 'OP_CIPHER_SERVER_PREFERENCE' , 0x400000 )
187172 ssl_options |= getattr (SSL , 'OP_SINGLE_ECDH_USE' , 0x80000 )
188173 ssl_options |= getattr (SSL , 'OP_SINGLE_DH_USE' , 0x100000 )
189- if sys .version_info [:2 ] >= (2 , 7 ) and ssl_ctx :
174+ if sys .version_info [:2 ] >= (3 , 7 ) and ssl_ctx :
190175 _logger .info ("enforcing strong SSL/TLS options" )
191176 _logger .debug ("SSL/TLS options: %s" % ssl_options )
192177 ssl_ctx .set_options (ssl_options )
193178 # Mimic native ssl exposure of options
194179 ssl_ctx ._options = ssl_options
195180 else :
196181 _logger .info ("can't enforce strong SSL/TLS options" )
197- _logger .warning ("Upgrade to python 2.7.9 + for maximum security" )
182+ _logger .warning ("Upgrade to python 3.7 + for maximum security" )
198183 # Mimic native ssl exposure of options
199184 ssl_ctx ._options = None
200185
0 commit comments