author | DjLegolas <DjLegolas@users.noreply.github.com> | 2018-06-24 20:39:04 +0300 |
---|---|---|
committer | Calum Lind <calumlind+deluge@gmail.com> | 2018-09-06 19:14:13 +0100 |
commit | b9a9e06c1d7a370aee87bdca2237eb79c7e7890f (patch) | |
tree | bb21452a2d535c20c4f669192e307febfe1350c3 /deluge/ui/web/server.py | |
parent | 456e720b756c39408402410f2ad9d421c1a1b01b (diff) | |
download | deluge-b9a9e06c1d7a370aee87bdca2237eb79c7e7890f.tar.gz deluge-b9a9e06c1d7a370aee87bdca2237eb79c7e7890f.tar.bz2 deluge-b9a9e06c1d7a370aee87bdca2237eb79c7e7890f.zip |
[WebUI][Daemon] Enhance TLS Security
This applies the following for both WebUI and Daemon:
1. Raised minimal TLS version to TLSv1.2
2. Added specific cipher suite list
3. Added support for ECDSA auth keys
4. Added support for ECDHE key exchange algorithm
We disabled the ability to perform TLS/SSL renegotiation and therefore
will prevent the clients from renegotiating, which can be exploited for
DoS attacks.
New security tests now will be skipped when running `pydef` and `trial`
testenvs. To run the test, use the testenv `security` or add the environment
variable `SECURITY_TESTS` before running the tests. Also should only run when
adding to the commit message the string `SECURITY_TEST`.
Diffstat (limited to 'deluge/ui/web/server.py')
-rw-r--r-- | deluge/ui/web/server.py | 26 |
1 files changed, 11 insertions, 15 deletions
diff --git a/deluge/ui/web/server.py b/deluge/ui/web/server.py
index 52dc60140..8e84c040d 100644
--- a/deluge/ui/web/server.py
+++ b/deluge/ui/web/server.py
@@ -16,15 +16,14 @@ import mimetypes
 import os
 import tempfile
-from OpenSSL.crypto import FILETYPE_PEM
 from twisted.application import internet, service
 from twisted.internet import defer, reactor
-from twisted.internet.ssl import SSL, Certificate, CertificateOptions, KeyPair, TLSVersion
 from twisted.web import http, resource, server, static
 from deluge import common, component, configmanager
 from deluge.common import is_ipv6
 from deluge.core.rpcserver import check_ssl_keys
+from deluge.crypto_utils import get_context_factory
 from deluge.ui.tracker_icons import TrackerIcons
 from deluge.ui.translations_util import set_language, setup_translations
 from deluge.ui.web.auth import Auth
@@ -623,6 +622,8 @@ class DelugeWeb(component.Component):
         setup_translations(setup_gettext=True, setup_pygtk=False)
+        # Remove twisted version number from 'server' http-header for security reasons
+        server.version = 'TwistedWeb'
         self.site = server.Site(self.top_level)
         self.web_api = WebApi()
         self.web_utils = WebUtils()
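Review bot: `server.version` is a module-level attribute of `twisted.web.server` (imported in the first hunk), so the added assignment changes the Server header for every Twisted web Site created in this process, not just `self.site`; the comment should say so because a reader will assume it is scoped to this instance, e.g. `# Module-global in twisted.web.server: affects every Site in this process`. The replacement value still discloses the framework, so if the aim is to resist fingerprinting rather than only hide the version, an opaque value or the product name would disclose less. The enclosing method starts and ends outside this hunk.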
@@ -684,20 +685,15 @@ class DelugeWeb(component.Component):
         check_ssl_keys()
         log.debug('Enabling SSL with PKey: %s, Cert: %s', self.pkey, self.cert)
-        with open(configmanager.get_config_dir(self.cert)) as cert:
-            certificate = Certificate.loadPEM(cert.read()).original
-        with open(configmanager.get_config_dir(self.pkey)) as pkey:
-            private_key = KeyPair.load(pkey.read(), FILETYPE_PEM).original
-        options = CertificateOptions(
-            privateKey=private_key,
-            certificate=certificate,
-            raiseMinimumTo=TLSVersion.TLSv1_2,
-        )
-        ctx = options.getContext()
-        ctx.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3)
-        ctx.use_certificate_chain_file(configmanager.get_config_dir(self.cert))
+        cert = configmanager.get_config_dir(self.cert)
+        pkey = configmanager.get_config_dir(self.pkey)
-        self.socket = reactor.listenSSL(self.port, self.site, options, interface=self.interface)
+        self.socket = reactor.listenSSL(
+            self.port,
+            self.site,
+            get_context_factory(cert, pkey),
+            interface=self.interface
+        )
         ip = self.socket.getHost().host
         ip = '[%s]' % ip if is_ipv6(ip) else ip
         log.info('Serving at https://%s:%s%s', ip, self.port, self.base)
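Review bot: The removed `ctx.use_certificate_chain_file(...)` call is what made this listener send any intermediate certificates stored in the cert file; the new code only hands the two paths to `get_context_factory(cert, pkey)`, and nothing in this hunk shows whether that helper (in deluge/crypto_utils, outside this file) still loads the full chain or just the leaf certificate. If it loads only the leaf, deployments using a CA-issued certificate will present an incomplete chain and browsers will reject the WebUI, which would be a regression this commit's message does not mention. Please confirm the helper's behaviour and pin the contract at the call site, e.g. `# get_context_factory: TLS >= 1.2, fixed cipher list, full chain loaded from the cert file`. The `def` line of the enclosing method precedes this hunk and is not visible here.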