Don't use weak ciphers for client HTTPS connections

https://pagure.io/freeipa/issue/6730 Reviewed-By: Martin Basti <mbasti@redhat.com>
2025-01-26 16:16:31 -06:00 · 2017-02-23 14:31:50 +01:00 · 2017-02-23 14:31:50 +01:00 · fda22c3344
commit fda22c3344
parent 61cd4372e1
2 changed files with 8 additions and 1 deletions
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@ -296,3 +296,6 @@ TLS_VERSIONS = [
    "tls1.2"
 ]
 TLS_VERSION_MINIMAL = "tls1.0"
+# high ciphers without RC4, MD5, TripleDES, pre-shared key
+# and secure remote password
+TLS_HIGH_CIPHERS = "HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES:!PSK:!SRP"
--- a/ipalib/util.py
+++ b/ipalib/util.py
@ -52,7 +52,7 @@ except ImportError:
 from ipalib import errors, messages
 from ipalib.constants import (
    DOMAIN_LEVEL_0,
-    TLS_VERSIONS, TLS_VERSION_MINIMAL
+    TLS_VERSIONS, TLS_VERSION_MINIMAL, TLS_HIGH_CIPHERS
 )
 from ipalib.text import _
 from ipapython.ssh import SSHPublicKey
@ -303,6 +303,10 @@ def create_https_connection(
        ssl.OP_SINGLE_ECDH_USE
    )

+    # high ciphers without RC4, MD5, TripleDES, pre-shared key
+    # and secure remote password
+    ctx.set_ciphers(TLS_HIGH_CIPHERS)
+
    # pylint: enable=no-member
    # set up the correct TLS version flags for the SSL context
    for version in TLS_VERSIONS: