[CalendarServer-changes] [5576] CalendarServer/trunk

source_changes at macosforge.org source_changes at macosforge.org
Fri May 7 19:45:22 PDT 2010


Revision: 5576
          http://trac.macosforge.org/projects/calendarserver/changeset/5576
Author:   dre at apple.com
Date:     2010-05-07 19:45:17 -0700 (Fri, 07 May 2010)
Log Message:
-----------
Disable weak SSL ciphers; add support for SSLCiphers caldavd.plist key

Modified Paths:
--------------
    CalendarServer/trunk/calendarserver/tap/caldav.py
    CalendarServer/trunk/twext/internet/ssl.py
    CalendarServer/trunk/twistedcaldav/stdconfig.py

Modified: CalendarServer/trunk/calendarserver/tap/caldav.py
===================================================================
--- CalendarServer/trunk/calendarserver/tap/caldav.py	2010-05-07 19:30:30 UTC (rev 5575)
+++ CalendarServer/trunk/calendarserver/tap/caldav.py	2010-05-08 02:45:17 UTC (rev 5576)
@@ -534,6 +534,7 @@
             certificateChainFile=config.SSLAuthorityChain,
             passwdCallback=getSSLPassphrase,
             sslmethod=getattr(OpenSSL.SSL, config.SSLMethod),
+            ciphers=config.SSLCiphers.strip()
         )
 
 
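Review bot: A blank or whitespace-only `SSLCiphers` value becomes `""` after `.strip()` on the added line, and the factory in twext/internet/ssl.py only tests `is not None`, so that empty string is still handed to `ctx.set_cipher_list()` in the third hunk. As far as I know pyOpenSSL rejects a list that matches no cipher, so the failure would surface from inside context creation without naming the config key; a non-string plist value would fail even earlier, on `.strip()` itself. I would validate the value here and raise a configuration error that names `SSLCiphers`, rather than mapping blank to `None`, because `None` silently restores OpenSSL's default list. The enclosing call starts outside the hunk.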

Modified: CalendarServer/trunk/twext/internet/ssl.py
===================================================================
--- CalendarServer/trunk/twext/internet/ssl.py	2010-05-07 19:30:30 UTC (rev 5575)
+++ CalendarServer/trunk/twext/internet/ssl.py	2010-05-08 02:45:17 UTC (rev 5576)
@@ -31,10 +31,11 @@
     def __init__(
         self, privateKeyFileName, certificateFileName,
         sslmethod=SSLv3_METHOD, certificateChainFile=None,
-        passwdCallback=None
+        passwdCallback=None, ciphers=None
     ):
         self.certificateChainFile = certificateChainFile
         self.passwdCallback = passwdCallback
+        self.ciphers = ciphers
 
         DefaultOpenSSLContextFactory.__init__(
             self,
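Review bot: The new `ciphers=None` default in `__init__` means any caller of this factory other than caldav.py still gets OpenSSL's default cipher list, and nothing in the signature documents that. I would add a docstring entry along the lines of `ciphers: OpenSSL cipher-list string passed to set_cipher_list(); None leaves the library default in place`. It also looks as if `self.ciphers` must be assigned before `DefaultOpenSSLContextFactory.__init__` runs, presumably because the base initialiser builds the context; a comment such as `# must be set before the base __init__, which creates the context` would protect that ordering. The body of `__init__` continues past the end of the hunk.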
@@ -47,6 +48,9 @@
         # Unfortunate code duplication.
         ctx = SSLContext(self.sslmethod)
 
+        if self.ciphers is not None:
+            ctx.set_cipher_list(self.ciphers)
+
         if self.passwdCallback is not None:
             ctx.set_passwd_cb(self.passwdCallback)
 

Modified: CalendarServer/trunk/twistedcaldav/stdconfig.py
===================================================================
--- CalendarServer/trunk/twistedcaldav/stdconfig.py	2010-05-07 19:30:30 UTC (rev 5575)
+++ CalendarServer/trunk/twistedcaldav/stdconfig.py	2010-05-08 02:45:17 UTC (rev 5576)
@@ -130,6 +130,7 @@
     "SSLPort" : 0,                 # SSL port (0 to disable HTTPS)
     "RedirectHTTPToHTTPS" : False, # If True, all nonSSL requests redirected to an SSL Port
     "SSLMethod" : "SSLv3_METHOD",  # SSLv2_METHOD, SSLv3_METHOD, SSLv23_METHOD, TLSv1_METHOD
+    "SSLCiphers" : "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM",
 
     #
     # Network address configuration information
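Review bot: The default on the added `"SSLCiphers"` line starts from `ALL` and subtracts, so every suite the exclusions do not name stays enabled; RC4 is kept explicitly through `RC4+RSA` and MD5-based suites are not excluded. An allow-list form such as `"SSLCiphers" : "HIGH:!aNULL:!eNULL:!MD5",` fails closed when OpenSSL gains or reclassifies suites, though it would need checking against the clients this server has to support. The entry is also the only one in this group without a trailing comment; `# OpenSSL cipher list, see ciphers(1)` would match its neighbours. The cipher list does not affect the protocol version, which the context line above still defaults to `SSLv3_METHOD`.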