Remove settings for TLS protocol and ciphers

Use the recommended default settings instead.
2020-02-19 09:48:38 +01:00 · 2020-02-19 09:48:38 +01:00 · 11ea3cc7a4
commit 11ea3cc7a4
parent 4a43b17840
3 changed files with 9 additions and 28 deletions
--- a/6
+++ b/6
@ -39,12 +39,6 @@
 # TCP traffic between Radicale and a reverse proxy
 #certificate_authority =

-# SSL Protocol used. See python's ssl module for available values
-#protocol = PROTOCOL_TLSv1_2
-
-# Available ciphers. See python's ssl module for available ciphers
-#ciphers =
-

 [encoding]

--- a/radicale/config.py
+++ b/radicale/config.py
@ -127,15 +127,7 @@ DEFAULT_CONFIG_SCHEMA = OrderedDict([
            "value": "",
            "help": "set CA certificate for validating clients",
            "aliases": ["--certificate-authority"],
-            "type": filepath}),
-        ("protocol", {
-            "value": "PROTOCOL_TLSv1_2",
-            "help": "SSL protocol used",
-            "type": str}),
-        ("ciphers", {
-            "value": "",
-            "help": "available ciphers",
-            "type": str})])),
+            "type": filepath})])),
    ("encoding", OrderedDict([
        ("request", {
            "value": "utf-8",
--- a/radicale/server.py
+++ b/radicale/server.py
@ -162,20 +162,18 @@ class ParallelHTTPSServer(ParallelHTTPServer):
    # These class attributes must be set before creating instance
    certificate = None
    key = None
-    protocol = None
-    ciphers = None
    certificate_authority = None

    def server_bind(self):
-        """Create server by wrapping HTTP socket in an SSL socket."""
        super().server_bind()
-        self.socket = ssl.wrap_socket(
-            self.socket, self.key, self.certificate, server_side=True,
-            cert_reqs=ssl.CERT_REQUIRED if self.certificate_authority else
-            ssl.CERT_NONE,
-            ca_certs=self.certificate_authority or None,
-            ssl_version=self.protocol, ciphers=self.ciphers,
-            do_handshake_on_connect=False)
+        # Wrap the TCP socket in an SSL socket
+        context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
+        context.load_cert_chain(certfile=self.certificate, keyfile=self.key)
+        if self.certificate_authority:
+            context.load_verify_locations(cafile=self.certificate_authority)
+            context.verify_mode = ssl.CERT_REQUIRED
+        self.socket = context.wrap_socket(
+            self.socket, server_side=True, do_handshake_on_connect=False)

    def finish_request_locked(self, request, client_address):
        try:
@ -267,9 +265,6 @@ def serve(configuration, shutdown_socket=None):
        ServerCopy.key = configuration.get("server", "key")
        ServerCopy.certificate_authority = configuration.get(
            "server", "certificate_authority")
-        ServerCopy.ciphers = configuration.get("server", "ciphers")
-        ServerCopy.protocol = getattr(
-            ssl, configuration.get("server", "protocol"), ssl.PROTOCOL_SSLv23)
        # Test if the SSL files can be read
        for name in ["certificate", "key"] + (
                ["certificate_authority"]