1
0
mirror of https://github.com/dkmstr/openuds.git synced 2024-12-22 13:34:04 +03:00

allowed some secure ciphers for TLS1.2 on Actor commms with broker, to keep compat with older load balancers

This commit is contained in:
Adolfo Gómez García 2023-08-25 15:30:15 +02:00
parent e642b2ac34
commit ad05b4b252
No known key found for this signature in database
GPG Key ID: DD1ABF20724CDA23

View File

@ -44,6 +44,18 @@ from .version import VERSION
# Default public listen port
LISTEN_PORT = 43910
SECURE_CIPHERS = (
'TLS_AES_256_GCM_SHA384'
':TLS_CHACHA20_POLY1305_SHA256'
':TLS_AES_128_GCM_SHA256'
':ECDHE-RSA-AES256-GCM-SHA384'
':ECDHE-RSA-AES128-GCM-SHA256'
':ECDHE-RSA-CHACHA20-POLY1305'
':ECDHE-ECDSA-AES128-GCM-SHA256'
':ECDHE-ECDSA-AES256-GCM-SHA384'
':ECDHE-ECDSA-CHACHA20-POLY1305'
)
# Default timeout
TIMEOUT = 5 # 5 seconds is more than enought
@ -115,8 +127,10 @@ class UDSApi: # pylint: disable=too-few-public-methods
if validateCert
else ssl._create_unverified_context(purpose=ssl.Purpose.SERVER_AUTH, check_hostname=False)
)
# Disable SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2
context.minimum_version = ssl.TLSVersion.TLSv1_3
context.minimum_version = ssl.TLSVersion.TLSv1_2
context.set_ciphers(SECURE_CIPHERS)
# Configure session security
class UDSHTTPAdapter(requests.adapters.HTTPAdapter):
@ -157,9 +171,7 @@ class UDSApi: # pylint: disable=too-few-public-methods
headers=headers,
# verify=self._validateCert, Not needed, already in session
timeout=TIMEOUT,
proxies=NO_PROXY # type: ignore
if disableProxy
else None, # if not proxies wanted, enforce it
proxies=NO_PROXY if disableProxy else None, # type: ignore # if not proxies wanted, enforce it
)
if result.ok:
@ -298,9 +310,7 @@ class UDSServerApi(UDSApi):
else None,
)
def ready(
self, own_token: str, secret: str, ip: str, port: int
) -> types.CertificateInfoType:
def ready(self, own_token: str, secret: str, ip: str, port: int) -> types.CertificateInfoType:
payload = {'token': own_token, 'secret': secret, 'ip': ip, 'port': port}
result = self._doPost('ready', payload)
@ -311,9 +321,7 @@ class UDSServerApi(UDSApi):
ciphers=result.get('ciphers', ''),
)
def notifyIpChange(
self, own_token: str, secret: str, ip: str, port: int
) -> types.CertificateInfoType:
def notifyIpChange(self, own_token: str, secret: str, ip: str, port: int) -> types.CertificateInfoType:
payload = {'token': own_token, 'secret': secret, 'ip': ip, 'port': port}
result = self._doPost('ipchange', payload)
@ -356,9 +364,7 @@ class UDSServerApi(UDSApi):
secret: typing.Optional[str],
) -> types.LoginResultInfoType:
if not token:
return types.LoginResultInfoType(
ip='0.0.0.0', hostname=UNKNOWN, dead_line=None, max_idle=None
)
return types.LoginResultInfoType(ip='0.0.0.0', hostname=UNKNOWN, dead_line=None, max_idle=None)
payload = {
'type': actor_type or types.MANAGED,
'id': [{'mac': i.mac, 'ip': i.ip} for i in interfaces],
@ -434,9 +440,7 @@ class UDSClientApi(UDSApi):
payLoad = {'callback_url': callbackUrl}
self.post('unregister', payLoad)
def login(
self, username: str, sessionType: typing.Optional[str] = None
) -> types.LoginResultInfoType:
def login(self, username: str, sessionType: typing.Optional[str] = None) -> types.LoginResultInfoType:
payLoad = {
'username': username,
'session_type': sessionType or UNKNOWN,