mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-22 15:13:50 -06:00
Remove contrib/nssciphersuite
The directory contained a script to generate mod_nss configuration snippet. Since FreeIPA moved to mod_ssl, it is no longer of use. Fixes: https://pagure.io/freeipa/issue/5673 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
This commit is contained in:
parent
3c66e388de
commit
a4418963ce
@ -1,5 +1,4 @@
|
||||
SUBDIRS = completion
|
||||
|
||||
EXTRA_DIST = \
|
||||
nssciphersuite \
|
||||
lite-server.py
|
||||
|
@ -1,36 +0,0 @@
|
||||
Cipher suite for mod_nss
|
||||
------------------------
|
||||
|
||||
The nssciphersuite.py script parses mod_nss' nss_engine_cipher.c file and
|
||||
creates a list of secure cipher suites for TLS. The script filters out
|
||||
insecure, obsolete and slow ciphers according to some rules.
|
||||
|
||||
As of January 2016 and mod_nss 1.0.12 the cipher suite list contains 14
|
||||
cipher suites for TLS 1.0, 1.1 and 1.2 for RSA and ECDSA certificates. The
|
||||
cipher suite list also supports Perfect Forward Secrecy with ephemeral ECDH
|
||||
key exchange. https://www.ssllabs.com/ gives a 'A' grade.
|
||||
|
||||
Note:
|
||||
No suite is compatible with IE 8 and earlier on Windows XP. If you need IE 8
|
||||
support, append "+rsa_3des_sha" to enable TLS_RSA_WITH_3DES_EDE_CBC_SHA.
|
||||
|
||||
# disabled cipher attributes: SSL_3DES, SSL_CAMELLIA, SSL_CAMELLIA128, SSL_CAMELLIA256, SSL_DES, SSL_DSS, SSL_MD5, SSL_RC2, SSL_RC4, SSL_aDSS, SSL_aNULL, SSL_eNULL, SSL_kECDHe, SSL_kECDHr, kECDH
|
||||
# weak strength: SSL_EXPORT40, SSL_EXPORT56, SSL_LOW, SSL_STRONG_NONE
|
||||
# enabled cipher suites:
|
||||
# TLS_RSA_WITH_AES_128_CBC_SHA256
|
||||
# TLS_RSA_WITH_AES_256_CBC_SHA256
|
||||
# TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
|
||||
# TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
|
||||
# TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
|
||||
# TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
|
||||
# TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
|
||||
# TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
|
||||
# TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
|
||||
# TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
|
||||
# TLS_RSA_WITH_AES_128_GCM_SHA256
|
||||
# TLS_RSA_WITH_AES_128_CBC_SHA
|
||||
# TLS_RSA_WITH_AES_256_GCM_SHA384
|
||||
# TLS_RSA_WITH_AES_256_CBC_SHA
|
||||
#
|
||||
|
||||
NSSCipherSuite +aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha
|
@ -1,150 +0,0 @@
|
||||
#!/usr/bin/python3
|
||||
#
|
||||
# Authors:
|
||||
# Christian Heimes <cheimes@redhat.com>
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
# the Free Software Foundation; version 2 of the License.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License along
|
||||
# with this program; if not, write to the Free Software Foundation, Inc.,
|
||||
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
# Copyright (C) 2016 Red Hat, Inc.
|
||||
# All rights reserved.
|
||||
#
|
||||
"""Generate safe NSSCipherSuite stanza for mod_nss
|
||||
"""
|
||||
from __future__ import print_function
|
||||
|
||||
import operator
|
||||
import re
|
||||
|
||||
# pylint: disable=import-error,no-name-in-module
|
||||
from urllib.request import urlopen
|
||||
# pylint: enable=import-error,no-name-in-module
|
||||
|
||||
SOURCE = "https://git.fedorahosted.org/cgit/mod_nss.git/plain/nss_engine_cipher.c"
|
||||
|
||||
CIPHER_RE = re.compile(
|
||||
r'\s*\{'
|
||||
r'\"(?P<name>\w+)\",\s*'
|
||||
r'(?P<num>(TLS|SSL)_\w+),\s*'
|
||||
r'\"(?P<openssl_name>[\w-]+)\",\s*'
|
||||
r'(?P<attr>[\w|]+),\s*'
|
||||
r'(?P<version>\w+),\s*'
|
||||
r'(?P<strength>\w+),\s*'
|
||||
r'(?P<bits>\d+),\s*'
|
||||
r'(?P<alg_bits>\d+)'
|
||||
)
|
||||
|
||||
DISABLED_CIPHERS = {
|
||||
# ciphers without encryption or authentication
|
||||
'SSL_eNULL', 'SSL_aNULL',
|
||||
# MD5 is broken
|
||||
# SHA-1 is still required as PRF algorithm for TLSv1.0
|
||||
'SSL_MD5',
|
||||
# RC2 and RC4 stream ciphers are broken.
|
||||
'SSL_RC2', 'SSL_RC4',
|
||||
# DES is broken and Triple DES is too weak.
|
||||
'SSL_DES', 'SSL_3DES',
|
||||
# DSA is problematic.
|
||||
'SSL_DSS', 'SSL_aDSS',
|
||||
# prefer AES over Camellia.
|
||||
'SSL_CAMELLIA128', 'SSL_CAMELLIA256', 'SSL_CAMELLIA',
|
||||
# non-ephemeral EC Diffie-Hellmann with fixed parameters are not
|
||||
# used by common browser and are therefore irrelevant for HTTPS.
|
||||
'kECDH', 'SSL_kECDHr', 'SSL_kECDHe'
|
||||
}
|
||||
|
||||
WEAK_STRENGTH = {
|
||||
'SSL_STRONG_NONE',
|
||||
'SSL_EXPORT40',
|
||||
'SSL_EXPORT56',
|
||||
'SSL_LOW'
|
||||
}
|
||||
|
||||
|
||||
def parse_nss_engine_cipher(lines, encoding='utf-8'):
|
||||
"""Parse nss_engine_cipher.c and get list of ciphers
|
||||
|
||||
:param lines: iterable or list of lines
|
||||
:param encoding: default encoding
|
||||
:return: list of cipher dicts
|
||||
"""
|
||||
ciphers = []
|
||||
start = False
|
||||
for line in lines:
|
||||
if not isinstance(line, str):
|
||||
line = line.decode(encoding)
|
||||
|
||||
if line.startswith('cipher_properties'):
|
||||
start = True
|
||||
elif not start:
|
||||
continue
|
||||
elif line.startswith('};'):
|
||||
break
|
||||
|
||||
mo = CIPHER_RE.match(line)
|
||||
if not mo:
|
||||
continue
|
||||
|
||||
match = mo.groupdict()
|
||||
match['attr'] = set(match['attr'].split('|'))
|
||||
match['bits'] = int(match['bits'])
|
||||
match['alg_bits'] = int(match['alg_bits'])
|
||||
|
||||
# some cipher elemets aren't flagged
|
||||
for algo in ['SHA256', 'SHA384']:
|
||||
if match['num'].endswith(algo):
|
||||
match['attr'].add('SSL_{}'.format(algo))
|
||||
|
||||
# cipher block chaining isn't tracked
|
||||
if '_CBC' in match['num']:
|
||||
match['attr'].add('SSL_CBC')
|
||||
|
||||
if match['attr'].intersection(DISABLED_CIPHERS):
|
||||
match['enabled'] = False
|
||||
elif match['strength'] in WEAK_STRENGTH:
|
||||
match['enabled'] = False
|
||||
else:
|
||||
match['enabled'] = True
|
||||
|
||||
# EECDH + AES-CBC and large hash functions is slow and not more secure
|
||||
if (match['attr'].issuperset({'SSL_CBC', 'SSL_kEECDH'}) and
|
||||
match['attr'].intersection({'SSL_SHA256', 'SSL_SHA384'})):
|
||||
match['enabled'] = False
|
||||
|
||||
ciphers.append(match)
|
||||
|
||||
ciphers.sort(key=operator.itemgetter('name'))
|
||||
return ciphers
|
||||
|
||||
|
||||
def main():
|
||||
with urlopen(SOURCE) as r:
|
||||
ciphers = parse_nss_engine_cipher(r)
|
||||
# with open('nss_engine_cipher.c') as f:
|
||||
# ciphers = parse_nss_engine_cipher(f)
|
||||
|
||||
print("# disabled cipher attributes: {}".format(
|
||||
', '.join(sorted(DISABLED_CIPHERS))))
|
||||
print("# weak strength: {}".format(', '.join(sorted(WEAK_STRENGTH))))
|
||||
print("# enabled cipher suites:")
|
||||
suite = []
|
||||
for cipher in ciphers:
|
||||
if cipher['enabled']:
|
||||
print("# {:36}".format(cipher['num']))
|
||||
suite.append('+{}'.format(cipher['name']))
|
||||
print()
|
||||
print("NSSCipherSuite {}".format(','.join(suite)))
|
||||
|
||||
|
||||
if __name__ == '__main__':
|
||||
main()
|
Loading…
Reference in New Issue
Block a user