1
0
mirror of https://github.com/dkmstr/openuds.git synced 2025-01-10 01:17:59 +03:00

Merge remote-tracking branch 'origin/v3.6'

This commit is contained in:
Adolfo Gómez García 2023-04-04 01:55:10 +02:00
commit 4bf268764f
No known key found for this signature in database
GPG Key ID: DD1ABF20724CDA23
4 changed files with 11 additions and 10 deletions

View File

@ -42,8 +42,10 @@ from .. import rest
from .public import PublicProvider
from .local import LocalProvider
# a couple of 1.2 ciphers + 1.3 ciphers (implicit)
DEFAULT_CIPHERS = (
'ECDHE-RSA-AES256-GCM-SHA384'
'ECDHE-RSA-AES128-GCM-SHA256'
':ECDHE-RSA-AES256-GCM-SHA384'
)
# Not imported at runtime, just for type checking
@ -187,8 +189,8 @@ class HTTPServerThread(threading.Thread):
# self._server.socket = ssl.wrap_socket(self._server.socket, certfile=self.certFile, server_side=True)
context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
# Disable TLSv1.0 and TLSv1.1, disable TLSv1.2, use only TLSv1.3
context.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
# Disable TLSv1.0 and TLSv1.1, use only TLSv1.3 or TLSv1.2 with allowed ciphers
context.minimum_version = ssl.TLSVersion.TLSv1_2
# If a configures ciphers are provided, use them, otherwise use the default ones
context.set_ciphers(self._service._certificate.ciphers or DEFAULT_CIPHERS)

View File

@ -116,8 +116,6 @@ class UDSApi: # pylint: disable=too-few-public-methods
)
# Disable SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2
context.minimum_version = ssl.TLSVersion.TLSv1_3
# Set cipher
context.set_ciphers("ECDHE-RSA-AES256-GCM-SHA384")
# Configure session security
class UDSHTTPAdapter(requests.adapters.HTTPAdapter):

View File

@ -122,11 +122,12 @@ def connection(
if not verify_ssl:
l.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER) # type: ignore
l.set_option(ldap.OPT_X_TLS_NEWCTX, 0) # type: ignore
# Disable TLS1 and TLS1.1
# 0x304 = TLS1.3, 0x303 = TLS1.2, 0x302 = TLS1.1, 0x301 = TLS1.0, but use ldap module constants
l.set_option(ldap.OPT_X_TLS_PROTOCOL_MIN, ldap.OPT_X_TLS_PROTOCOL_TLS1_2) # type: ignore
l.set_option(ldap.OPT_X_TLS_NEWCTX, 0) # type: ignore
l.simple_bind_s(who=username, cred=password)
except ldap.SERVER_DOWN as e: # type: ignore
raise LDAPError(_('Can\'t contact LDAP server') + ': {}'.format(e))

View File

@ -60,12 +60,12 @@ def createClientSslContext(verify: bool = True) -> ssl.SSLContext:
if verify:
sslContext = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=certifi.where())
else:
sslContext = (
ssl._create_unverified_context() # nosec: we are creating a context required to be insecure
) # pylint: disable=protected-access
sslContext = ssl._create_unverified_context(purpose=ssl.Purpose.SERVER_AUTH, check_hostname=False)
# Disable TLS1.0 and TLS1.1
sslContext.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
# Redundant, only use minimum_version
# sslContext.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
sslContext.minimum_version = ssl.TLSVersion.TLSv1_2
return sslContext