Merge remote-tracking branch 'origin/v3.6'
This commit is contained in:
commit
4bf268764f
@ -42,8 +42,10 @@ from .. import rest
|
||||
from .public import PublicProvider
|
||||
from .local import LocalProvider
|
||||
|
||||
# a couple of 1.2 ciphers + 1.3 ciphers (implicit)
|
||||
DEFAULT_CIPHERS = (
|
||||
'ECDHE-RSA-AES256-GCM-SHA384'
|
||||
'ECDHE-RSA-AES128-GCM-SHA256'
|
||||
':ECDHE-RSA-AES256-GCM-SHA384'
|
||||
)
|
||||
|
||||
# Not imported at runtime, just for type checking
|
||||
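Review bot: The first two literals in DEFAULT_CIPHERS have no ':' between them, so if both are on the new side Python's implicit string concatenation fuses them into the single token ECDHE-RSA-AES256-GCM-SHA384ECDHE-RSA-AES128-GCM-SHA256, which OpenSSL silently skips as an unknown name, leaving only the suite written after the ':' actually enabled. The rendered page has lost the +/- markers and the 8/10 counts allow one of those cipher lines to be the removed side; if so the surviving string is fine, but the parenthesised layout still reads like a tuple while being a str, which is what set_ciphers needs. I would write it on one line as `DEFAULT_CIPHERS = 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256'` and make the comment say `# TLS 1.2 suites only; TLS 1.3 suites are not governed by set_ciphers and keep the OpenSSL default`.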
@ -187,8 +189,8 @@ class HTTPServerThread(threading.Thread):
|
||||
# self._server.socket = ssl.wrap_socket(self._server.socket, certfile=self.certFile, server_side=True)
|
||||
|
||||
context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
|
||||
# Disable TLSv1.0 and TLSv1.1, disable TLSv1.2, use only TLSv1.3
|
||||
context.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
|
||||
# Disable TLSv1.0 and TLSv1.1, use only TLSv1.3 or TLSv1.2 with allowed ciphers
|
||||
context.minimum_version = ssl.TLSVersion.TLSv1_2
|
||||
|
||||
# If a configures ciphers are provided, use them, otherwise use the default ones
|
||||
context.set_ciphers(self._service._certificate.ciphers or DEFAULT_CIPHERS)
|
||||
|
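Review bot: `context.set_ciphers(self._service._certificate.ciphers or DEFAULT_CIPHERS)` raises ssl.SSLError when the configured string selects no cipher, and since this runs inside HTTPServerThread a typo in the administrator-supplied cipher list would kill the listener with a traceback instead of a clear configuration error; validate the string where the certificate settings are saved, or catch ssl.SSLError here and fall back to DEFAULT_CIPHERS with a logged warning. Both the default and the configured value are exercised as ECDHE-RSA suites, so under TLS 1.2 an ECDSA certificate would fail every handshake; if ECDSA certificates are meant to work, the default should also list the ECDHE-ECDSA-AES256-GCM-SHA384 and ECDHE-ECDSA-AES128-GCM-SHA256 variants. The comment `# If a configures ciphers are provided, use them, otherwise use the default ones` should read `# If configured ciphers are provided, use them; otherwise fall back to DEFAULT_CIPHERS`. The enclosing method starts and ends outside the hunk.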
@ -116,8 +116,6 @@ class UDSApi: # pylint: disable=too-few-public-methods
|
||||
)
|
||||
# Disable SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2
|
||||
context.minimum_version = ssl.TLSVersion.TLSv1_3
|
||||
# Set cipher
|
||||
context.set_ciphers("ECDHE-RSA-AES256-GCM-SHA384")
|
||||
|
||||
# Configure session security
|
||||
class UDSHTTPAdapter(requests.adapters.HTTPAdapter):
|
||||
|
@ -122,11 +122,12 @@ def connection(
|
||||
|
||||
if not verify_ssl:
|
||||
l.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER) # type: ignore
|
||||
l.set_option(ldap.OPT_X_TLS_NEWCTX, 0) # type: ignore
|
||||
# Disable TLS1 and TLS1.1
|
||||
# 0x304 = TLS1.3, 0x303 = TLS1.2, 0x302 = TLS1.1, 0x301 = TLS1.0, but use ldap module constants
|
||||
l.set_option(ldap.OPT_X_TLS_PROTOCOL_MIN, ldap.OPT_X_TLS_PROTOCOL_TLS1_2) # type: ignore
|
||||
|
||||
l.set_option(ldap.OPT_X_TLS_NEWCTX, 0) # type: ignore
|
||||
|
||||
l.simple_bind_s(who=username, cred=password)
|
||||
except ldap.SERVER_DOWN as e: # type: ignore
|
||||
raise LDAPError(_('Can\'t contact LDAP server') + ': {}'.format(e))
|
||||
|
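Review bot: From the line order, `l.set_option(ldap.OPT_X_TLS_PROTOCOL_MIN, ldap.OPT_X_TLS_PROTOCOL_TLS1_2)` appears to sit inside the `if not verify_ssl:` block, which would leave verified connections without the TLS 1.2 floor; indentation is lost on this rendered page, so this needs checking against the source. python-ldap applies per-connection OPT_X_TLS_* settings only when OPT_X_TLS_NEWCTX is set afterwards, so the protocol minimum must come before the final `l.set_option(ldap.OPT_X_TLS_NEWCTX, 0)`, and the earlier NEWCTX call shown inside the block is redundant if it is still on the new side. I would place the PROTOCOL_MIN line before the `if not verify_ssl:` and keep a single NEWCTX call after the whole block. The enclosing function connection() starts outside the hunk.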
@ -60,12 +60,12 @@ def createClientSslContext(verify: bool = True) -> ssl.SSLContext:
|
||||
if verify:
|
||||
sslContext = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=certifi.where())
|
||||
else:
|
||||
sslContext = (
|
||||
ssl._create_unverified_context() # nosec: we are creating a context required to be insecure
|
||||
) # pylint: disable=protected-access
|
||||
sslContext = ssl._create_unverified_context(purpose=ssl.Purpose.SERVER_AUTH, check_hostname=False)
|
||||
|
||||
|
||||
# Disable TLS1.0 and TLS1.1
|
||||
sslContext.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
|
||||
# Redundant, only use minimum_version
|
||||
# sslContext.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
|
||||
sslContext.minimum_version = ssl.TLSVersion.TLSv1_2
|
||||
return sslContext
|
||||
|
||||
|
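Review bot: `sslContext = ssl._create_unverified_context(purpose=ssl.Purpose.SERVER_AUTH, check_hostname=False)` still relies on a private ssl helper that carries no compatibility guarantee, and the nosec/pylint markers on the older form show the linters already flag it. The public equivalent is three lines: `sslContext = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)`, `sslContext.check_hostname = False`, `sslContext.verify_mode = ssl.CERT_NONE`, which also makes the disabled verification visible in the code rather than in a function name. Setting minimum_version once after the if/else is the right place for it; the commented-out OP_NO_TLSv1 line could simply be deleted rather than kept under a "Redundant" note.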