Univention Bugzilla – Attachment 8934 Details for
Bug 40998
Disable SSLv3 in UMC (make ciphers/protocol versions configurable)
40998.patch (text/plain), 3.73 KB, created by
Florian Best
on 2017-06-19 20:07:31 CEST
Description:
patch
Filename:
MIME Type:
Creator:
Florian Best
Created:
2017-06-19 20:07:31 CEST
Size:
3.73 KB
patch
obsolete
>diff --git a/management/univention-management-console/debian/univention-management-console-server.univention-config-registry-variables b/management/univention-management-console/debian/univention-management-console-server.univention-config-registry-variables
>index 2881e65..799ea27 100644
>--- a/management/univention-management-console/debian/univention-management-console-server.univention-config-registry-variables
>+++ b/management/univention-management-console/debian/univention-management-console-server.univention-config-registry-variables
>@@ -51,3 +51,9 @@ Description[de]=Die Variable deaktiviert die Sicherheitsspezifischen Restriktion
> Description[en]=This variable deactivates the security related restrictions against XSRF attacks in the UMC-Server. This is necessary for UCS 4.1 systems in the domain to communicate with UCS 4.2 systems.
> Type=bool
> Categories=management-umc
>+
>+[umc/server/ssl/ciphers]
>+Description[de]=Diese Variable spezifiziert die SSL Cipher Liste, die für SSL Verbindungen akzeptiert und genutzt wird.
>+Description[en]=This variable specifies the SSL cipher list which is accepted and used for ssl connections.
>+Type=str
>+Categories=management-umc
>diff --git a/management/univention-management-console/src/univention/management/console/protocol/client.py b/management/univention-management-console/src/univention/management/console/protocol/client.py
>index f82567b..216fc41 100644
>--- a/management/univention-management-console/src/univention/management/console/protocol/client.py
>+++ b/management/univention-management-console/src/univention/management/console/protocol/client.py
>@@ -42,6 +42,7 @@
> from .message import Request, Response, IncompleteMessageError, ParseError
> from .definitions import RECV_BUFFER_SIZE, BAD_REQUEST_AUTH_FAILED, SUCCESS, status_description
> from ..log import CORE, PROTOCOL
>+from ..config import ucr
> from OpenSSL import SSL
> 
> import notifier 
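Review bot: The new `[umc/server/ssl/ciphers]` description does not say what syntax the value takes or what applies when it is unset, although the value is handed straight to OpenSSL's cipher-list parser and the code falls back to `'DEFAULT'`. I would make the English text read roughly `This variable specifies the OpenSSL cipher list string (see ciphers(1)) accepted and used for SSL connections of the UMC server and client; if unset, 'DEFAULT' is used.` and align the German text with it. The variable name says `server`, yet the patch applies the same value to the client context, which the description should state so an operator who tightens the list knows both sides change. Minor: "SSL cipher list" and "ssl connections" capitalise the acronym inconsistently.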
>@@ -97,8 +98,10 @@ def __init__(self, servername='localhost', port=6670, unix=None, ssl=True):
> self.__ssl = ssl
> self.__unix = unix
> if self.__ssl and not self.__unix:
>- self.__crypto_context = SSL.Context(SSL.SSLv23_METHOD)
>- self.__crypto_context.set_cipher_list('DEFAULT')
>+ self.__crypto_context = SSL.Context(SSL.TLSv1_METHOD)
>+ self.__crypto_context.set_cipher_list(ucr.get('umc/server/ssl/ciphers', 'DEFAULT'))
>+ self.__crypto_context.set_options(SSL.OP_NO_SSLv2)
>+ self.__crypto_context.set_options(SSL.OP_NO_SSLv3)
> self.__crypto_context.set_verify(SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT, self.__verify_cert_cb)
> try:
> self.__crypto_context.load_verify_locations(os.path.join('/etc/univention/ssl/ucsCA', 'CAcert.pem'))
>diff --git a/management/univention-management-console/src/univention/management/console/protocol/server.py b/management/univention-management-console/src/univention/management/console/protocol/server.py
>index 0641c51..f3c4669 100644
>--- a/management/univention-management-console/src/univention/management/console/protocol/server.py
>+++ b/management/univention-management-console/src/univention/management/console/protocol/server.py
>@@ -275,9 +275,10 @@ def __init__(self, port=6670, ssl=True, unix=None, magic=True, magicClass=MagicB
> 
> if self.__ssl and not self.__unix:
> CORE.info('Setting up SSL configuration')
>- self.crypto_context = SSL.Context(SSL.SSLv23_METHOD)
>- self.crypto_context.set_cipher_list('DEFAULT')
>+ self.crypto_context = SSL.Context(SSL.TLSv1_METHOD)
>+ self.crypto_context.set_cipher_list(ucr.get('umc/server/ssl/ciphers', 'DEFAULT'))
> self.crypto_context.set_options(SSL.OP_NO_SSLv2)
>+ self.crypto_context.set_options(SSL.OP_NO_SSLv3)
> self.crypto_context.set_verify(SSL.VERIFY_PEER, self.__verify_cert_cb)
> dir = '/etc/univention/ssl/%s.%s' % (ucr['hostname'], ucr['domainname'])
> try:
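Review bot: Switching the client context to `SSL.Context(SSL.TLSv1_METHOD)` pins it to TLS 1.0 only — OpenSSL's TLSv1 method speaks exactly that version and does not negotiate TLS 1.1 or 1.2 — so the patch trades SSLv3 for a forced downgrade to the oldest TLS version, and the added `OP_NO_SSLv3` line then has nothing left to exclude. The version-flexible method plus explicit exclusions is the intended way to drop SSLv3: keep `self.__crypto_context = SSL.Context(SSL.SSLv23_METHOD)` and replace the two `set_options` calls with `self.__crypto_context.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3)`. The cipher string is now operator-supplied; a value OpenSSL cannot parse — and, as far as I can tell from `ucr.get`, a variable that is set but empty, which is returned as `''` rather than the `'DEFAULT'` fallback — makes `set_cipher_list` raise `SSL.Error` inside the constructor, so either validate the value or catch the error, log it and fall back to `'DEFAULT'`. The enclosing `__init__` continues outside the hunk.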
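Review bot: Same defect on the server side: `SSL.Context(SSL.TLSv1_METHOD)` restricts the listener to TLS 1.0, so peers that support TLS 1.2 are forced down to 1.0 and the new `OP_NO_SSLv3` option is redundant. Revert to `self.crypto_context = SSL.Context(SSL.SSLv23_METHOD)` and fold the exclusions into a single `self.crypto_context.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3)`; if the protocol floor is meant to become configurable as the bug title says, that same call is where a registry-driven `SSL.OP_NO_TLSv1` (where the installed pyOpenSSL exposes it) would be OR-ed in. A malformed `umc/server/ssl/ciphers` value makes `set_cipher_list` raise `SSL.Error` here, which presumably keeps the whole UMC server from starting; logging the effective cipher string via `CORE` next to the existing `'Setting up SSL configuration'` message would make such a misconfiguration diagnosable. The enclosing `__init__` continues outside the hunk.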