Remove settings for TLS protocol and ciphers

Use the recommended default settings instead.
This commit is contained in:
Unrud 2020-02-19 09:48:38 +01:00
parent 4a43b17840
commit 11ea3cc7a4
3 changed files with 9 additions and 28 deletions

6
config
View File

@ -39,12 +39,6 @@
# TCP traffic between Radicale and a reverse proxy
#certificate_authority =
# SSL Protocol used. See python's ssl module for available values
#protocol = PROTOCOL_TLSv1_2
# Available ciphers. See python's ssl module for available ciphers
#ciphers =
[encoding]

View File

@ -127,15 +127,7 @@ DEFAULT_CONFIG_SCHEMA = OrderedDict([
"value": "",
"help": "set CA certificate for validating clients",
"aliases": ["--certificate-authority"],
"type": filepath}),
("protocol", {
"value": "PROTOCOL_TLSv1_2",
"help": "SSL protocol used",
"type": str}),
("ciphers", {
"value": "",
"help": "available ciphers",
"type": str})])),
"type": filepath})])),
("encoding", OrderedDict([
("request", {
"value": "utf-8",

View File

@ -162,20 +162,18 @@ class ParallelHTTPSServer(ParallelHTTPServer):
# These class attributes must be set before creating instance
certificate = None
key = None
protocol = None
ciphers = None
certificate_authority = None
def server_bind(self):
"""Create server by wrapping HTTP socket in an SSL socket."""
super().server_bind()
self.socket = ssl.wrap_socket(
self.socket, self.key, self.certificate, server_side=True,
cert_reqs=ssl.CERT_REQUIRED if self.certificate_authority else
ssl.CERT_NONE,
ca_certs=self.certificate_authority or None,
ssl_version=self.protocol, ciphers=self.ciphers,
do_handshake_on_connect=False)
# Wrap the TCP socket in an SSL socket
context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
context.load_cert_chain(certfile=self.certificate, keyfile=self.key)
if self.certificate_authority:
context.load_verify_locations(cafile=self.certificate_authority)
context.verify_mode = ssl.CERT_REQUIRED
self.socket = context.wrap_socket(
self.socket, server_side=True, do_handshake_on_connect=False)
def finish_request_locked(self, request, client_address):
try:
@ -267,9 +265,6 @@ def serve(configuration, shutdown_socket=None):
ServerCopy.key = configuration.get("server", "key")
ServerCopy.certificate_authority = configuration.get(
"server", "certificate_authority")
ServerCopy.ciphers = configuration.get("server", "ciphers")
ServerCopy.protocol = getattr(
ssl, configuration.get("server", "protocol"), ssl.PROTOCOL_SSLv23)
# Test if the SSL files can be read
for name in ["certificate", "key"] + (
["certificate_authority"]