authorRatan Gupta <ratagupt@in.ibm.com>2018-01-14 12:57:41 +0530
committerBrad Bishop <bradleyb@fuzziesquirrel.com>2018-01-23 12:20:08 -0500
commit91ff11046014765563f4b22fc9eaaf1bebc56497 (patch)
tree73311a3d2c3a23b65ef9ce78ef9412ed35ccd680
parent91b46f89fdbfffd45010db29126bd4da495e69ed (diff)
Security: Disable weak ciphers
Configure strong ciphers when the web server starts. Partially Resolves openbmc/openbmc#2423 Change-Id: I6aad0b292d3755a879e407784dce6a57fd217948 Signed-off-by: Ratan Gupta <ratagupt@in.ibm.com>
-rw-r--r--servers/gevent/phosphor-gevent19
1 files changed, 18 insertions, 1 deletions
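--- a/servers/gevent/phosphor-gevent
+++ b/servers/gevent/phosphor-gevent
@@ -42,6 +42,23 @@ if __name__ == '__main__':
 kw['have_wsock'] = True
 app = App(**kw)
+ # ECDH - Allow Elliptic Curve Diffie Hellman
+ # kDH - Allow Key Exchange algorithm as Diffie Hellman
+ # kEDH - Allow Key Exchange algorithm as Ephemeral Diffie Hellman
+ # kRSA - Allow Key Exchange algorithm as RSA
+ # !SSLv3 - Disallows any ciphers specific to SSLv3
+ # !SSLv2 - Disallows any ciphers specific to SSLv2 protocol
+ # !aNULL - Disallows anonymous authentication or no authentication
+ # !eNULL - Disallows connection with NULL encryption
+ # !LOW - Disallows any low strength ciphers
+ # !MEDIUM- Disallows medium strength ciphers
+
+ ssl_ciphers = (
+ 'ECDH:kDH:kEDH:kRSA:!SSLv3:!SSLv2:!aNULL:!eNULL:!LOW:!MEDIUM:@STRENGTH'
+ )
+
+ app = App()
+
 if os.environ.get('LISTEN_PID', None) == str(os.getpid()):
 FIRST_SYSTEMD_SOCKET_FD = 3
 bind = gevent.socket.fromfd(FIRST_SYSTEMD_SOCKET_FD,
@@ -54,5 +71,5 @@ if __name__ == '__main__':
 if have_wsock:
 kw['handler_class'] = WebSocketHandler
 server = WSGIServer(
- bind, app, keyfile=default_cert, certfile=default_cert, **kw)
+ bind, app, keyfile=default_cert, certfile=default_cert, ciphers=ssl_ciphers)
 server.serve_forever()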
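Review bot: The added `app = App()` rebinds `app` right after the context line `app = App(**kw)`, so whatever was collected into `kw` on the preceding lines (`kw['have_wsock'] = True` is visible) no longer reaches the application; presumably only one of the two constructions is intended, and if the bare one is, the earlier line is now dead code and should go. The second hunk has the same problem from the other side: `kw['handler_class'] = WebSocketHandler` is still assigned, but `**kw` was dropped from the `WSGIServer(...)` call, so the websocket handler is apparently never installed. On the cipher comment block, `!SSLv3` in OpenSSL's cipher-list syntax excludes the suites introduced with SSLv3 (most of which are also the TLS 1.0/1.1 suites), and none of the keywords in this string restricts the negotiated protocol version; the comments would be more accurate with a line such as `# NOTE: this selects cipher suites only; protocol versions are governed by ssl_version / SSL context options`. `kRSA` also keeps static RSA key exchange, which has no forward secrecy, so a short comment stating that it is a deliberate compatibility choice would help the next reader. The enclosing `if __name__ == '__main__':` block starts before this hunk.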
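Review bot: The new `WSGIServer(...)` call restricts cipher suites but passes no `ssl_version` (or prepared SSL context), so the minimum protocol version is left to the runtime's default; a cipher string alone cannot disable SSLv3 or TLS 1.0 on the listening socket. Given the commit's stated goal, consider pinning the version next to the ciphers, e.g. `ssl_version=ssl.PROTOCOL_TLSv1_2` (assuming gevent forwards these keywords to the stdlib ssl wrapper the same way it forwards `ciphers`; this also needs `import ssl`, which lives outside the hunk). The replacement line is also well past 79 columns and would read better with the keyword arguments wrapped one per line. The enclosing `if __name__ == '__main__':` block starts before this hunk.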