Several security improvements:

* Reduced supported actor lists ciphers to only one (AES256-GCM)
* Removed actor client support for protocols previous to 1.3.
   Only user cipher ECDHE-RSA-AES256-GCM-SHA384

actor/src/udsactor/http/server.py

@@ -44,9 +44,6 @@ from .local import LocalProvider
 
 DEFAULT_CIPHERS = (
     'ECDHE-RSA-AES256-GCM-SHA384'
-    ':ECDHE-ECDSA-AES256-GCM-SHA384'
-    ':ECDHE-ECDSA-AES256-CCM'
-    ':DHE-RSA-AES256-SHA256'
 )
 
 # Not imported at runtime, just for type checking

actor/src/udsactor/rest.py

@@ -31,10 +31,12 @@
 # pylint: disable=invalid-name
 import warnings
 import json
+import ssl
 import logging
 import typing
 
 import requests
+import requests.adapters
 
 from . import types
 from .version import VERSION
@@ -82,6 +84,7 @@ NO_PROXY = {
 
 UDS_BASE_URL = 'https://{}/uds/rest/'
 
+
 #
 # Basic UDS Api
 #
@@ -93,6 +96,7 @@ class UDSApi:  # pylint: disable=too-few-public-methods
     _host: str
     _validateCert: bool
     _url: str
+    _session: 'requests.Session'
 
     def __init__(self, host: str, validateCert: bool) -> None:
         self._host = host
@@ -106,6 +110,26 @@ class UDSApi:  # pylint: disable=too-few-public-methods
         except Exception:
             pass
 
+        context = (
+            ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
+            if validateCert
+            else ssl._create_unverified_context(purpose=ssl.Purpose.SERVER_AUTH, check_hostname=False)
+        )
+        # Disable SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2
+        context.minimum_version = ssl.TLSVersion.TLSv1_3
+        # Set cipher
+        context.set_ciphers("ECDHE-RSA-AES256-GCM-SHA384")
+
+        # Configure session security
+        class UDSHTTPAdapter(requests.adapters.HTTPAdapter):
+            def init_poolmanager(self, *args, **kwargs) -> None:
+                kwargs["ssl_context"] = context
+
+                return super().init_poolmanager(*args, **kwargs)
+
+        self._session = requests.Session()
+        self._session.mount("https://", UDSHTTPAdapter())
+
     @property
     def _headers(self) -> typing.MutableMapping[str, str]:
         return {
@@ -125,11 +149,11 @@ class UDSApi:  # pylint: disable=too-few-public-methods
     ) -> typing.Any:
         headers = headers or self._headers
         try:
-            result = requests.post(
+            result = self._session.post(
                 self._apiURL(method),
                 data=json.dumps(payLoad),
                 headers=headers,
-                verify=self._validateCert,
+                # verify=self._validateCert, Not needed, already in session
                 timeout=TIMEOUT,
                 proxies=NO_PROXY  # type: ignore
                 if disableProxy
@@ -162,10 +186,10 @@ class UDSServerApi(UDSApi):
 
     def enumerateAuthenticators(self) -> typing.Iterable[types.AuthenticatorType]:
         try:
-            result = requests.get(
+            result = self._session.get(
                 self._url + 'auth/auths',
                 headers=self._headers,
-                verify=self._validateCert,
+                # verify=self._validateCert,
                 timeout=4,
             )
             if result.ok:
@@ -213,22 +237,22 @@ class UDSServerApi(UDSApi):
             # First, try to login
             authInfo = {'auth': auth, 'username': username, 'password': password}
             headers = self._headers
-            result = requests.post(
+            result = self._session.post(
                 self._url + 'auth/login',
                 data=json.dumps(authInfo),
                 headers=headers,
-                verify=self._validateCert,
+                # verify=self._validateCert,
             )
             if not result.ok or result.json()['result'] == 'error':
                 raise Exception()  # Invalid credentials
 
             headers['X-Auth-Token'] = result.json()['token']
 
-            result = requests.post(
+            result = self._session.post(
                 self._apiURL('register'),
                 data=json.dumps(data),
                 headers=headers,
-                verify=self._validateCert,
+                # verify=self._validateCert,
             )
             if result.ok:
                 return result.json()['result']
@@ -424,10 +448,7 @@ class UDSClientApi(UDSApi):
         )
 
     def logout(self, username: str, sessionType: typing.Optional[str]) -> None:
-        payLoad = {
-            'username': username,
-            'session_type': sessionType or UNKNOWN
-        }
+        payLoad = {'username': username, 'session_type': sessionType or UNKNOWN}
         self.post('logout', payLoad)
 
     def ping(self) -> bool: