Remove settings for TLS protocol and ciphers

Use the recommended default settings instead.
Unrud 2020-02-19 09:48:38 +01:00
parent 4a43b17840
commit 11ea3cc7a4
3 changed files with 9 additions and 28 deletions

config

@ -39,12 +39,6 @@
# TCP traffic between Radicale and a reverse proxy # TCP traffic between Radicale and a reverse proxy
#certificate_authority = #certificate_authority =
# SSL Protocol used. See python's ssl module for available values
#protocol = PROTOCOL_TLSv1_2
# Available ciphers. See python's ssl module for available ciphers
#ciphers =
[encoding] [encoding]


@ -127,15 +127,7 @@ DEFAULT_CONFIG_SCHEMA = OrderedDict([
"value": "", "value": "",
"help": "set CA certificate for validating clients", "help": "set CA certificate for validating clients",
"aliases": ["--certificate-authority"], "aliases": ["--certificate-authority"],
"type": filepath}), "type": filepath})])),
("protocol", {
"value": "PROTOCOL_TLSv1_2",
"help": "SSL protocol used",
"type": str}),
("ciphers", {
"value": "",
"help": "available ciphers",
"type": str})])),
("encoding", OrderedDict([ ("encoding", OrderedDict([
("request", { ("request", {
"value": "utf-8", "value": "utf-8",


@ -162,20 +162,18 @@ class ParallelHTTPSServer(ParallelHTTPServer):
# These class attributes must be set before creating instance # These class attributes must be set before creating instance
certificate = None certificate = None
key = None key = None
protocol = None
ciphers = None
certificate_authority = None certificate_authority = None
def server_bind(self): def server_bind(self):
"""Create server by wrapping HTTP socket in an SSL socket."""
super().server_bind() super().server_bind()
self.socket = ssl.wrap_socket( # Wrap the TCP socket in an SSL socket
self.socket, self.key, self.certificate, server_side=True, context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
cert_reqs=ssl.CERT_REQUIRED if self.certificate_authority else context.load_cert_chain(certfile=self.certificate, keyfile=self.key)
ssl.CERT_NONE, if self.certificate_authority:
ca_certs=self.certificate_authority or None, context.load_verify_locations(cafile=self.certificate_authority)
ssl_version=self.protocol, ciphers=self.ciphers, context.verify_mode = ssl.CERT_REQUIRED
do_handshake_on_connect=False) self.socket = context.wrap_socket(
self.socket, server_side=True, do_handshake_on_connect=False)
def finish_request_locked(self, request, client_address): def finish_request_locked(self, request, client_address):
try: try:
@ -267,9 +265,6 @@ def serve(configuration, shutdown_socket=None):
ServerCopy.key = configuration.get("server", "key") ServerCopy.key = configuration.get("server", "key")
ServerCopy.certificate_authority = configuration.get( ServerCopy.certificate_authority = configuration.get(
"server", "certificate_authority") "server", "certificate_authority")
ServerCopy.ciphers = configuration.get("server", "ciphers")
ServerCopy.protocol = getattr(
ssl, configuration.get("server", "protocol"), ssl.PROTOCOL_SSLv23)
# Test if the SSL files can be read # Test if the SSL files can be read
for name in ["certificate", "key"] + ( for name in ["certificate", "key"] + (
["certificate_authority"] ["certificate_authority"]