Security: Disable weak ciphers

Configure strong ciphers when the web server starts.

Partially Resolves openbmc/openbmc#2423

Change-Id: I6aad0b292d3755a879e407784dce6a57fd217948
Signed-off-by: Ratan Gupta <ratagupt@in.ibm.com>
diff --git a/servers/gevent/phosphor-gevent b/servers/gevent/phosphor-gevent
index 70ac66d..fe69fdb 100644
--- a/servers/gevent/phosphor-gevent
+++ b/servers/gevent/phosphor-gevent
@@ -42,6 +42,23 @@
         kw['have_wsock'] = True
     app = App(**kw)
 
+    # ECDH - Allow Elliptic Curve Diffie Hellman
+    # kDH - Allow Key Exchange algorithm as Diffie Hellman
+    # kEDH - Allow Key Exchange algorithm as Ephemeral Diffie Hellman
+    # kRSA - Allow Key Exchange algorithm as RSA
+    # !SSLv3 - Disallows any ciphers specific to SSLv3
+    # !SSLv2 - Disallows any ciphers specific to SSLv2 protocol
+    # !aNULL - Disallows anonymous authentication or no authentication
+    # !eNULL - Disallows connection with NULL encryption
+    # !LOW -   Disallows any low strength ciphers
+    # !MEDIUM- Disallows medium strength ciphers
+
+    ssl_ciphers = (
+    'ECDH:kDH:kEDH:kRSA:!SSLv3:!SSLv2:!aNULL:!eNULL:!LOW:!MEDIUM:@STRENGTH'
+    )
+
+    app = App()
+
     if os.environ.get('LISTEN_PID', None) == str(os.getpid()):
         FIRST_SYSTEMD_SOCKET_FD = 3
         bind = gevent.socket.fromfd(FIRST_SYSTEMD_SOCKET_FD,
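Review bot: The added `app = App()` at the end of this block rebinds `app` and discards the instance built by `app = App(**kw)` a few lines above, so the `have_wsock` value placed in `kw` never reaches the app that is served; the line looks unintended and should be dropped. On the cipher string, `kRSA` and `kDH` admit key exchanges without forward secrecy, so if they are kept for client compatibility the comment block should say so, e.g. `# kRSA/kDH - no forward secrecy; kept only for older clients`. The `!SSLv3`/`!SSLv2` entries filter cipher suites rather than set protocol versions, so if the intent is to refuse old protocol versions it would be clearer to state that explicitly where the server is configured. The enclosing function starts and ends outside the hunk.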
@@ -54,5 +71,5 @@
     if have_wsock:
         kw['handler_class'] = WebSocketHandler
     server = WSGIServer(
-        bind, app, keyfile=default_cert, certfile=default_cert, **kw)
+        bind, app, keyfile=default_cert, certfile=default_cert, ciphers=ssl_ciphers)
     server.serve_forever()
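Review bot: Replacing `**kw` with `ciphers=ssl_ciphers` in the `WSGIServer(...)` call means `kw['handler_class'] = WebSocketHandler`, set on the line above, is no longer passed to the server, so the websocket handler appears to be silently dropped when `have_wsock` is true. Keep both: `bind, app, keyfile=default_cert, certfile=default_cert,` followed by `ciphers=ssl_ciphers, **kw)`. What else `kw` holds at this point is not visible in the hunk, so confirm it contains only arguments `WSGIServer` accepts.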