ephemeral key exchange and enable TLS 1.1 and TLS 1.2 when connecting using client cert authentication
problem
If a client cert/key pair is used for authentication, only TLS 1.0 is used. The newer protocols TLS 1.1 and TLS 1.2 are not enabled when connecting to the server.
analysis
Replace OpenSSL.SSL.TLSv1_METHOD with OpenSSL.SSL.SSLv23_METHOD in OpenSSL.SSL.Context, and use the OpenSSL.SSL.OP_NO_SSLv3 flag to disable SSLv3.
Please also enable ephemeral key exchange for "forward secrecy" using the OP_SINGLE_DH_USE flag: https://www.openssl.org/docs/ssl/SSL_CTX_set_tmp_dh_callback.html
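The analysis above describes the context settings in words; the following is an added example (not code from the ticket or from nbxmpp) showing a complete pyOpenSSL client context built that way. It assumes pyOpenSSL is installed; the function name, the constant names and the cipher string are this example's own choices. It goes slightly beyond the ticket text: forward secrecy on the client side comes from offering only (EC)DHE cipher suites, so the example restricts the cipher list, and it omits OP_SINGLE_DH_USE because that option only governs how a server reuses its temporary DH key and has no effect on a client context.

```python
# Added example, not part of the ticket or of nbxmpp.
# Builds a pyOpenSSL client context that negotiates the highest TLS version
# both peers support, refuses SSLv2/SSLv3, and offers only cipher suites with
# an ephemeral (forward-secret) key exchange.
from OpenSSL import SSL

# Protocol versions this client refuses. SSLv23_METHOD means "negotiate",
# not "use SSLv2/SSLv3"; the OP_NO_* flags remove the versions we reject.
REFUSED_VERSIONS = SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3

# Constructed cipher string (this example's choice): ECDHE/DHE only, no
# anonymous, null, RC4, 3DES or export suites.
PFS_CIPHERS = (b"ECDHE+AESGCM:ECDHE+AES:DHE+AESGCM:DHE+AES:"
               b"!aNULL:!eNULL:!RC4:!3DES:!EXPORT")


def build_client_context(verify_callback=None):
    """Return (context, applied_option_bitmask) for a hardened TLS client.

    verify_callback, if given, has the pyOpenSSL signature
    (conn, cert, errnum, depth, ok) and is installed with VERIFY_PEER.
    """
    ctx = SSL.Context(SSL.SSLv23_METHOD)

    flags = REFUSED_VERSIONS
    # OP_NO_COMPRESSION only exists on newer OpenSSL builds; guard the
    # attribute the same way the ticket's patch guards OP_NO_TICKET.
    flags |= getattr(SSL, "OP_NO_COMPRESSION", 0)
    # set_options returns the full option bitmask now in effect.
    applied = ctx.set_options(flags)

    # The server chooses the suite, but it can only choose from what the
    # client offers, so restricting the client list enforces (EC)DHE.
    ctx.set_cipher_list(PFS_CIPHERS)

    if verify_callback is not None:
        ctx.set_verify(SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT,
                       verify_callback)
    return ctx, applied


def refuses_legacy_versions(applied_options):
    """True when every flag in REFUSED_VERSIONS is set in the bitmask."""
    return (applied_options & REFUSED_VERSIONS) == REFUSED_VERSIONS


if __name__ == "__main__":
    context, options = build_client_context()
    print("SSLv2/SSLv3 refused:", refuses_legacy_versions(options))
```

Pair the returned context with `OpenSSL.SSL.Connection` as the existing code does; the client cert and key are loaded into it afterwards with `use_certificate` / `use_privatekey`, exactly as in the ticket's code path, so the version and cipher policy applies to both the client-cert and the plain branch.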
enhancement recommendation
diff -r cabaea232b6e nbxmpp/tls_nb.py
--- a/nbxmpp/tls_nb.py Mon Sep 09 16:56:14 2013 +0200
+++ b/nbxmpp/tls_nb.py Sun Nov 03 08:07:21 2013 +0100
@@ -356,7 +356,10 @@
# FIXME make a checkbox for Client Cert / SSLv23 / TLSv1
# If we are going to use a client cert/key pair for authentication,
# we choose TLSv1 method.
- tcpsock._sslContext = OpenSSL.SSL.Context(OpenSSL.SSL.TLSv1_METHOD)
+ tcpsock._sslContext = OpenSSL.SSL.Context(OpenSSL.SSL.SSLv23_METHOD)
+ flags = (OpenSSL.SSL.OP_NO_SSLv2 | OpenSSL.SSL.OP_NO_SSLv3
+ | OpenSSL.SSL.OP_SINGLE_DH_USE)
+ tcpsock._sslContext.set_options(flags)
log.debug('Using client cert and key from %s' % conn.client_cert)
try:
p12 = OpenSSL.crypto.load_pkcs12(open(conn.client_cert).read(),
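Review bot: the comment just above the changed line in this hunk still reads "we choose TLSv1 method" and the FIXME still lists "SSLv23 / TLSv1", but the context is now built with SSLv23_METHOD plus OP_NO_SSLv2 | OP_NO_SSLv3, so the comment should say the method negotiates the highest supported TLS version and that SSLv2/SSLv3 are disabled through options. Also, OP_SINGLE_DH_USE only controls whether a server reuses its temporary DH key between handshakes; on this client-side context it has no effect and does not by itself provide forward secrecy. If the goal is an ephemeral key exchange, restrict the offered suites to ECDHE/DHE with set_cipher_list on the context instead.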
@@ -385,7 +388,7 @@
else:
# See http://docs.python.org/dev/library/ssl.html
tcpsock._sslContext = OpenSSL.SSL.Context(OpenSSL.SSL.SSLv23_METHOD)
- flags = OpenSSL.SSL.OP_NO_SSLv2
+ flags = OpenSSL.SSL.OP_NO_SSLv2 | OpenSSL.SSL.OP_SINGLE_DH_USE
try:
flags |= OpenSSL.SSL.OP_NO_TICKET
except AttributeError, e:
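Review bot: this branch (no client cert) gains OP_SINGLE_DH_USE but not OP_NO_SSLv3, so the two code paths end up with different minimum protocol versions: the client-cert path now refuses SSLv3 while this one still accepts it. Add OP_NO_SSLv3 here too, e.g. `flags = OpenSSL.SSL.OP_NO_SSLv2 | OpenSSL.SSL.OP_NO_SSLv3`, so both paths enforce the same floor; as noted for the other hunk, OP_SINGLE_DH_USE is a server-side setting and has no effect on this client context.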