Rework legacy_tls handling to be consistent across our services. All of them

jonasbardino · jonasbardino · commit cc6dd09f86ad · 2026-04-24T08:44:40.000+02:00
now default to TLSv1.2+ and only adjust ciphers offered if the service-specific
`enable_SVC_legacy_tls` conf option is set.
Drop the outdated client comments and disable ftps tls_legacy now that modern
pyOpenSSL is available on every supported platform.
Add `enable_openid_legacy_tls` conf option and implement the same cipher
handling in the built-in OpenID service.
diff --git a/mig/install/MiGserver-template.conf b/mig/install/MiGserver-template.conf
@@ -586,24 +586,15 @@ enable_sftp_subsys = __ENABLE_SFTP_SUBSYS__
 # Pure Python WsgiDAV-based webdav(s) daemon
 enable_davs = __ENABLE_DAVS__
 # Allow sub-optimal but still relatively strong legacy TLS support in WebDAVS
-# NOTE: Python-2.7.x ssl supports TLSv1.2+ with strong ciphers and all popular
+# NOTE: Python-2.7+ ssl supports TLSv1.2+ with strong ciphers and all popular
 #       clients (including Windows 10+ native WebDAVS) also work with those.
-# NOTE: Apparently Win 7 (+8.1?) native WebDAVS only works with semi-strong
-#       legacy ciphers and TLSv1.0+v1.1 unless updated and enabled 
-# NOTE: Win 7 went EoL in January 2020 and should no longer be needed
 #enable_davs_legacy_tls = False
 # Pure Python pyftpdlib-based ftp(s) daemon
 enable_ftps = __ENABLE_FTPS__
 # Allow sub-optimal but still relatively strong legacy TLS supports in FTPS
-# NOTE: Recent PyOpenSSL supports TLSv1.2+ with strong ciphers and all popular
+# NOTE: Modern PyOpenSSL supports TLSv1.2+ with strong ciphers and all popular
 #       clients also work with those.
-# NOTE: CentOS 7 native pyOpenSSL 0.13 does NOT support elliptic curve ciphers
-#       and FileZilla fails on listdir with remaining strong DHE ciphers.
-#       Installing a recent pyopenssl e.g. from the centos-openstack-X repo
-#       allows disabling legacy tls support without breaking FileZilla support.
-# TODO: disable as soon as a recent pyopenssl version is available - the one
-#       from pip breaks paramiko so do NOT go there.
-enable_ftps_legacy_tls = True
+#enable_ftps_legacy_tls = False
 # Enable WSGI served web pages (faster than CGI) - requires apache wsgi module
 enable_wsgi = __ENABLE_WSGI__
 # Enable system notify helper used e.g. to warn about failed user logins
@@ -638,6 +629,10 @@ peers_explicit_fields = __PEERS_EXPLICIT_FIELDS__
 peers_contact_hint = __PEERS_CONTACT_HINT__
 # Enable OpenID daemon for web access with user/pw from local user DB
 enable_openid = __ENABLE_OPENID__
+# Allow sub-optimal but still relatively strong legacy TLS support in OpenID 2.0
+# NOTE: Python-2.7+ ssl supports TLSv1.2+ with strong ciphers and all popular
+#       clients also work with those.
+#enable_openid_legacy_tls = False
 # Enable share links for easy external exchange of data with anyone
 enable_sharelinks = __ENABLE_SHARELINKS__
 # Enable storage quota
diff --git a/mig/server/grid_ftps.py b/mig/server/grid_ftps.py
@@ -4,7 +4,7 @@
 # --- BEGIN_HEADER ---
 #
 # grid_ftps - secure ftp server wrapping ftp in tls/ssl and mapping user home
-# Copyright (C) 2014-2022  The MiG Project lead by Brian Vinter
+# Copyright (C) 2014-2026  The MiG Project by the Science HPC Center at UCPH
 #
 # This file is part of MiG.
 #
@@ -20,7 +20,8 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301,
+# USA.
 #
 # -- END_HEADER ---
 #
@@ -95,6 +96,7 @@
 from mig.shared.accountstate import check_account_accessible
 from mig.shared.base import invisible_path, force_utf8, force_native_str
 from mig.shared.conf import get_configuration_object
+from mig.shared.defaults import STRONG_TLS_CIPHERS, STRONG_TLS_LEGACY_CIPHERS
 from mig.shared.fileio import user_chroot_exceptions
 from mig.shared.griddaemons.ftps import default_max_user_hits, \
     default_user_abuse_hits, default_proto_abuse_hits, \
@@ -333,7 +335,7 @@ class MiGRestrictedFilesystem(AbstractedFS):
 
     def _acceptable_chmod(self, ftps_path, mode):
         """Wrap helper"""
-        #logger.debug("acceptable_chmod: %s" % ftps_path)
+        # logger.debug("acceptable_chmod: %s" % ftps_path)
         reply = acceptable_chmod(ftps_path, mode, self.chmod_exceptions)
         if not reply:
             logger.warning("acceptable_chmod failed: %s %s %s" %
@@ -352,7 +354,7 @@ def validpath(self, path):
         try:
             get_fs_path(configuration, path, self.root,
                         daemon_conf['chroot_exceptions'])
-            #logger.debug("accepted access to %s" % path)
+            # logger.debug("accepted access to %s" % path)
             return True
         except ValueError as err:
             logger.warning("rejected illegal access to %s :: %s" % (path, err))
@@ -490,14 +492,22 @@ def start_service(conf):
         handler.tls_data_required = True
         keyfile = certfile = conf.user_ftps_key
         handler.certfile = certfile
+        # Mimic cipher setup from other daemons
+        ciphers = daemon_conf['ssl_ciphers'] = None
         # Harden TLS/SSL if possible, requires recent pyftpdlib
         if hasattr(handler, 'ssl_context'):
-            dhparamsfile = configuration.user_shared_dhparams
+            dhparams_path = configuration.user_shared_dhparams
             legacy_tls = configuration.site_enable_ftps_legacy_tls
+            if ciphers is not None:
+                use_ciphers = ciphers
+            elif legacy_tls:
+                use_ciphers = STRONG_TLS_LEGACY_CIPHERS
+            else:
+                use_ciphers = STRONG_TLS_CIPHERS
             ssl_ctx = hardened_openssl_context(conf, OpenSSL, keyfile,
                                                certfile,
-                                               dhparamsfile=dhparamsfile,
-                                               allow_pre_tlsv12=legacy_tls)
+                                               dhparamsfile=dhparams_path,
+                                               ciphers=use_ciphers)
             handler.ssl_context = ssl_ctx
         else:
             logger.warning("Unable to enforce explicit strong TLS connections")
diff --git a/mig/server/grid_openid.py b/mig/server/grid_openid.py
@@ -102,6 +102,8 @@
     from mig.shared.base import client_id_dir, cert_field_map, force_utf8, \
         force_native_str
     from mig.shared.conf import get_configuration_object
+    from mig.shared.defaults import STRONG_TLS_CIPHERS, \
+        STRONG_TLS_LEGACY_CIPHERS
     from mig.shared.griddaemons.openid import default_max_user_hits, \
         default_user_abuse_hits, default_proto_abuse_hits, \
         default_username_validator, refresh_user_creds, update_login_map, \
@@ -1654,6 +1656,8 @@ def start_service(configuration):
     data_path = configuration.openid_store
     daemon_conf = configuration.daemon_conf
     nossl = daemon_conf['nossl']
+    # Mimic cipher setup from other daemons
+    ciphers = daemon_conf['ssl_ciphers'] = None
     addr = (host, port)
     # TODO: is this threaded version robust enough (thread safety)?
     # OpenIDServer = OpenIDHTTPServer
@@ -1675,12 +1679,20 @@ def start_service(configuration):
         # Use best possible SSL/TLS args for this python version
         key_path = cert_path = configuration.user_openid_key
         dhparams_path = configuration.user_shared_dhparams
+        legacy_tls = configuration.site_enable_openid_legacy_tls
+        if ciphers is not None:
+            use_ciphers = ciphers
+        elif legacy_tls:
+            use_ciphers = STRONG_TLS_LEGACY_CIPHERS
+        else:
+            use_ciphers = STRONG_TLS_CIPHERS
         if not os.path.isfile(cert_path):
             logger.error('No such server key: %s' % cert_path)
             sys.exit(1)
         logger.info('Wrapping connections in SSL')
         ssl_ctx = hardened_ssl_context(configuration, key_path, cert_path,
-                                       dhparams_path)
+                                       dhparamsfile=dhparams_path,
+                                       ciphers=use_ciphers)
         httpserver.socket = ssl_ctx.wrap_socket(httpserver.socket,
                                                 server_side=True)
         # Override default SSLSocket accept function to inject timeout support
diff --git a/mig/server/grid_webdavs.py b/mig/server/grid_webdavs.py
@@ -335,8 +335,7 @@ def __init__(self, certificate, private_key, certificate_chain=None,
         context to use in all future connections in the wrap method.
 
         If the optional legacy_tls arg is set the STRONG_TLS_LEGACY_CIPHERS
-        are used instead of the STRONG_TLS_CIPHERS, and the limitation to
-        TLSv1.2+ is left out to allow legacy TLSv1.0 and TLSv1.1 connections.
+        are used instead of the STRONG_TLS_CIPHERS.
         This is required to support e.g. native Windows 7 WebDAVS access with
         the weak ECDHE-RSA-AES128-SHA cipher.
         """
@@ -345,17 +344,17 @@ def __init__(self, certificate, private_key, certificate_chain=None,
                                                  certificate_chain, ciphers)
         # logger.debug("proceed with hardening of ssl contetx")
         # Set up hardened SSL context once and for all
-        dhparams = configuration.user_shared_dhparams
+        dhparams_path = configuration.user_shared_dhparams
         if ciphers is not None:
             use_ciphers = ciphers
         elif legacy_tls:
             use_ciphers = STRONG_TLS_LEGACY_CIPHERS
         else:
             use_ciphers = STRONG_TLS_CIPHERS
         self.context = hardened_ssl_context(configuration, self.private_key,
-                                            self.certificate, dhparams,
-                                            ciphers=use_ciphers,
-                                            allow_pre_tlsv12=legacy_tls)
+                                            self.certificate,
+                                            dhparamsfile=dhparams_path,
+                                            ciphers=use_ciphers)
         # logger.debug("established hardened ssl contetx")
 
     def __force_close(self, socket_list):
diff --git a/mig/shared/configuration.py b/mig/shared/configuration.py
@@ -1600,6 +1600,11 @@ def reload_config(self, verbose, skip_log=False, disable_auth_log=False,
                 'SITE', 'enable_openid')
         else:
             self.site_enable_openid = False
+        if config.has_option('SITE', 'enable_openid_legacy_tls'):
+            self.site_enable_openid_legacy_tls = config.getboolean(
+                'SITE', 'enable_openid_legacy_tls')
+        else:
+            self.site_enable_openid_legacy_tls = False
         if config.has_option('GLOBAL', 'user_openid_address'):
             self.user_openid_address = config.get('GLOBAL',
                                                   'user_openid_address')
diff --git a/tests/fixture/confs-stdlocal/MiGserver.conf b/tests/fixture/confs-stdlocal/MiGserver.conf
@@ -586,24 +586,15 @@ enable_sftp_subsys = False
 # Pure Python WsgiDAV-based webdav(s) daemon
 enable_davs = False
 # Allow sub-optimal but still relatively strong legacy TLS support in WebDAVS
-# NOTE: Python-2.7.x ssl supports TLSv1.2+ with strong ciphers and all popular
+# NOTE: Python-2.7+ ssl supports TLSv1.2+ with strong ciphers and all popular
 #       clients (including Windows 10+ native WebDAVS) also work with those.
-# NOTE: Apparently Win 7 (+8.1?) native WebDAVS only works with semi-strong
-#       legacy ciphers and TLSv1.0+v1.1 unless updated and enabled 
-# NOTE: Win 7 went EoL in January 2020 and should no longer be needed
 #enable_davs_legacy_tls = False
 # Pure Python pyftpdlib-based ftp(s) daemon
 enable_ftps = False
 # Allow sub-optimal but still relatively strong legacy TLS supports in FTPS
-# NOTE: Recent PyOpenSSL supports TLSv1.2+ with strong ciphers and all popular
+# NOTE: Modern PyOpenSSL supports TLSv1.2+ with strong ciphers and all popular
 #       clients also work with those.
-# NOTE: CentOS 7 native pyOpenSSL 0.13 does NOT support elliptic curve ciphers
-#       and FileZilla fails on listdir with remaining strong DHE ciphers.
-#       Installing a recent pyopenssl e.g. from the centos-openstack-X repo
-#       allows disabling legacy tls support without breaking FileZilla support.
-# TODO: disable as soon as a recent pyopenssl version is available - the one
-#       from pip breaks paramiko so do NOT go there.
-enable_ftps_legacy_tls = True
+#enable_ftps_legacy_tls = False
 # Enable WSGI served web pages (faster than CGI) - requires apache wsgi module
 enable_wsgi = True
 # Enable system notify helper used e.g. to warn about failed user logins
@@ -638,6 +629,10 @@ peers_explicit_fields =
 peers_contact_hint = employed here and authorized to invite external users
 # Enable OpenID daemon for web access with user/pw from local user DB
 enable_openid = False
+# Allow sub-optimal but still relatively strong legacy TLS support in OpenID 2.0
+# NOTE: Python-2.7+ ssl supports TLSv1.2+ with strong ciphers and all popular
+#       clients also work with those.
+#enable_openid_legacy_tls = False
 # Enable share links for easy external exchange of data with anyone
 enable_sharelinks = True
 # Enable storage quota
