diff --git a/management/univention-management-console/debian/univention-management-console-server.univention-config-registry-variables b/management/univention-management-console/debian/univention-management-console-server.univention-config-registry-variables
index 2881e65..799ea27 100644
--- a/management/univention-management-console/debian/univention-management-console-server.univention-config-registry-variables
+++ b/management/univention-management-console/debian/univention-management-console-server.univention-config-registry-variables
@@ -51,3 +51,9 @@ Description[de]=Die Variable deaktiviert die Sicherheitsspezifischen Restriktion
 Description[en]=This variable deactivates the security related restrictions against XSRF attacks in the UMC-Server. This is necessary for UCS 4.1 systems in the domain to communicate with UCS 4.2 systems.
 Type=bool
 Categories=management-umc
+
+[umc/server/ssl/ciphers]
+Description[de]=Diese Variable spezifiziert die SSL Cipher Liste, die für SSL Verbindungen akzeptiert und genutzt wird.
+Description[en]=This variable specifies the SSL cipher list which is accepted and used for ssl connections.
+Type=str
+Categories=management-umc
diff --git a/management/univention-management-console/src/univention/management/console/protocol/client.py b/management/univention-management-console/src/univention/management/console/protocol/client.py
index f82567b..216fc41 100644
--- a/management/univention-management-console/src/univention/management/console/protocol/client.py
+++ b/management/univention-management-console/src/univention/management/console/protocol/client.py
@@ -42,6 +42,7 @@ from .message import Request, Response, IncompleteMessageError, ParseError
 from .definitions import RECV_BUFFER_SIZE, BAD_REQUEST_AUTH_FAILED, SUCCESS, status_description
 from ..log import CORE, PROTOCOL
+from ..config import ucr
 from OpenSSL import SSL
 import notifier
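Review bot: The new `[umc/server/ssl/ciphers]` entry's Description[en] does not say what format the value takes or what happens when it is unset, although client.py and server.py in this commit pass it verbatim to `set_cipher_list` with `'DEFAULT'` as the fallback. A wording that states both would be `Description[en]=This variable specifies the OpenSSL cipher list string that the UMC server and client accept and use for SSL connections. If unset, the OpenSSL cipher list 'DEFAULT' is used.` It is also worth adding that a value OpenSSL cannot parse (or an empty value) is rejected when the SSL context is set up, since an administrator editing this variable has no other hint of that.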
@@ -97,8 +98,10 @@ def __init__(self, servername='localhost', port=6670, unix=None, ssl=True):
 self.__ssl = ssl
 self.__unix = unix
 if self.__ssl and not self.__unix:
- self.__crypto_context = SSL.Context(SSL.SSLv23_METHOD)
- self.__crypto_context.set_cipher_list('DEFAULT')
+ self.__crypto_context = SSL.Context(SSL.TLSv1_METHOD)
+ self.__crypto_context.set_cipher_list(ucr.get('umc/server/ssl/ciphers', 'DEFAULT'))
+ self.__crypto_context.set_options(SSL.OP_NO_SSLv2)
+ self.__crypto_context.set_options(SSL.OP_NO_SSLv3)
 self.__crypto_context.set_verify(SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT, self.__verify_cert_cb)
 try:
 self.__crypto_context.load_verify_locations(os.path.join('/etc/univention/ssl/ucsCA', 'CAcert.pem'))
diff --git a/management/univention-management-console/src/univention/management/console/protocol/server.py b/management/univention-management-console/src/univention/management/console/protocol/server.py
index 0641c51..f3c4669 100644
--- a/management/univention-management-console/src/univention/management/console/protocol/server.py
+++ b/management/univention-management-console/src/univention/management/console/protocol/server.py
@@ -275,9 +275,10 @@ def __init__(self, port=6670, ssl=True, unix=None, magic=True, magicClass=MagicB
 if self.__ssl and not self.__unix:
 CORE.info('Setting up SSL configuration')
- self.crypto_context = SSL.Context(SSL.SSLv23_METHOD)
- self.crypto_context.set_cipher_list('DEFAULT')
+ self.crypto_context = SSL.Context(SSL.TLSv1_METHOD)
+ self.crypto_context.set_cipher_list(ucr.get('umc/server/ssl/ciphers', 'DEFAULT'))
 self.crypto_context.set_options(SSL.OP_NO_SSLv2)
+ self.crypto_context.set_options(SSL.OP_NO_SSLv3)
 self.crypto_context.set_verify(SSL.VERIFY_PEER, self.__verify_cert_cb)
 dir = '/etc/univention/ssl/%s.%s' % (ucr['hostname'], ucr['domainname'])
 try:
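Review bot: Replacing `SSL.Context(SSL.SSLv23_METHOD)` with `SSL.Context(SSL.TLSv1_METHOD)` pins the client to TLS 1.0 only, because OpenSSL's TLSv1_method() does not negotiate TLS 1.1 or 1.2, so the result is a protocol downgrade relative to the version-flexible SSLv23 method rather than a hardening, and the two `set_options(SSL.OP_NO_SSLv2)` / `set_options(SSL.OP_NO_SSLv3)` calls added below it have nothing left to disable. The intended outcome — every version except SSLv2 and SSLv3 — is obtained by keeping `self.__crypto_context = SSL.Context(SSL.SSLv23_METHOD)` and adding `self.__crypto_context.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3)`. The server.py hunk of this commit makes the same TLSv1_METHOD switch and needs the same correction. `__init__` begins and continues outside this hunk.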
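Review bot: `set_cipher_list(ucr.get('umc/server/ssl/ciphers', 'DEFAULT'))` hands an administrator-supplied string straight to OpenSSL, and a value with a typo or an empty value makes the call raise `SSL.Error` (no cipher match) inside `__init__`, which nothing in this hunk handles, so the only diagnostic is a traceback at UMC server startup; the client.py hunk has the same exposure. Catching the error, logging the offending variable through the `CORE` logger already used two lines above, and re-raising keeps the failure closed while telling the operator what to fix. `__init__` starts before and continues after this hunk.
```python
			self.crypto_context = SSL.Context(SSL.TLSv1_METHOD)
			ciphers = ucr.get('umc/server/ssl/ciphers', 'DEFAULT')
			try:
				self.crypto_context.set_cipher_list(ciphers)
			except SSL.Error:
				# fail closed: an unusable list must not silently weaken the configured policy
				CORE.error('umc/server/ssl/ciphers contains no usable cipher: %r' % (ciphers,))
				raise
			# … unchanged: set_options / set_verify / certificate loading …
```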