authorMathieu Pasquet <mathieui@mathieui.net>2014-01-15 18:28:23 +0100
committermathieui <mathieui@mathieui.net>2014-02-13 00:50:32 +0100
commit05a9e03d5392103e2e17b0d3da58532ef5b3f671 (patch)
tree7123242ce8f943ee4f98e2a6dbf44e15cb1ca906
parent7e3efccb537ae11e9550ddf14ea6ca4ba472804a (diff)
Add a configurable way of setting cipher suites
And put reasonable defaults
-rw-r--r--data/default_config.cfg10
-rw-r--r--doc/source/configuration.rst10
-rw-r--r--doc/source/misc/ssl.rst40
-rw-r--r--src/connection.py3
4 files changed, 54 insertions, 9 deletions
diff --git a/data/default_config.cfg b/data/default_config.cfg
index ace8907a..17d74745 100644
--- a/data/default_config.cfg
+++ b/data/default_config.cfg
@@ -41,11 +41,17 @@ resource =
# Make sure the server you're using accepts anonymous authentication
server = anon.jeproteste.info
-# SSL Certificate fingerprint
+# TLS Certificate fingerprint
# Do not touch this if you don’t know what you are doing
certificate =
-# Skip the SSL certificate fingerprint verification
+# List of ciphers allowed when connecting to the server,
+# this list prioritizes forward secrecy and forbids anything
+# weaker than 128 bits.
+# You should probably leave it as it is
+ciphers = HIGH+kEDH:HIGH+kEECDH:HIGH:!PSK:!SRP:!3DES:!aNULL
+
+# Skip the TLS certificate fingerprint verification
# Should be false in most cases, as you want to check that the server keeps
# the same certificate.
ignore_certificate = false
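Review bot: Shipping the list as an active `ciphers = ...` line pins it for anyone whose configuration is copied from this file, so a later tightening of the in-code default in src/connection.py would presumably never reach them. Consider shipping it commented out, `# ciphers = HIGH+kEDH:HIGH+kEECDH:HIGH:!PSK:!SRP:!3DES:!aNULL`, so the built-in default applies unless it is overridden on purpose. The comment's "forbids anything weaker than 128 bits" also depends on what the local OpenSSL build includes in `HIGH`, so it reads better as the intent of the list than as a guarantee.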
diff --git a/doc/source/configuration.rst b/doc/source/configuration.rst
index 7a48a286..b584359b 100644
--- a/doc/source/configuration.rst
+++ b/doc/source/configuration.rst
@@ -111,6 +111,14 @@ section of this documentation.
The fingerprint of the SSL certificate as a hexadecimal string, you should
not touch it, except if know what you are doing.
+ ciphers
+
+ **Default value:** ``HIGH+kEDH:HIGH+kEECDH:HIGH:!PSK:!SRP:!3DES:!aNULL``
+
+ The TLS cipher suites allowed, in `OpenSSL format`_. Modify this if
+ you know what you are doing, see the :ref:`ciphers` dedicated section
+ for more details.
+
connection_check_interval
**Default value:** ``60``
@@ -942,3 +950,5 @@ found.
Only for MUC tabs: if true the tab will change its color to notify you when a new message is received.
You will still be notified of highlights. Set to ``false`` if you’re not interested in a room non-highlight notifications.
+
+.. _OpenSSL format: https://www.openssl.org/docs/apps/ciphers.html#CIPHER_LIST_FORMAT
diff --git a/doc/source/misc/ssl.rst b/doc/source/misc/ssl.rst
index a012ebed..f4995f3f 100644
--- a/doc/source/misc/ssl.rst
+++ b/doc/source/misc/ssl.rst
@@ -1,6 +1,31 @@
-SSL Management
+TLS Management
==============
+Security of the connection
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. _ciphers:
+
+Ciphers
+-------
+
+From the version 0.8, poezio offers the possibility to define your own set of
+ciphers.
+
+You can set this with the :term:`ciphers` option, the default for poezio being
+``HIGH+kEDH:HIGH+kEECDH:HIGH:!PSK:!SRP:!3DES:!aNULL``.
+You can check what ciphers are enabled by that list by running the command
+``openssl ciphers -v 'cipher list'``. The default list prioritizes `Forward Secrecy`_
+and does not have any cipher suite providing less than 128 bits of security.
+
+You should change this if you either cannot connect to your server (but in this
+case, you should notify the administrator that his XMPP server configuration
+is probably not great), or if you want to be even more restrictive (only allowing
+256 bits of security *and* forward secrecy, for example).
+
+Cert valididty
+~~~~~~~~~~~~~~
+
Starting from version 0.7.5, poezio offers some options to check the validity
of a X.509 certificate.
@@ -38,10 +63,10 @@ endpoints, you might be bothered by having to validate the change each time,
and you may want to check only if it the same authority delivered the
certificate.
-You can then set the *ca_cert_path* option to the path of a file containing
-the validation chain in `PEM format`_ ; those certificates are usually in
-/usr/share/ca-certificates/ but it may vary depending of your distribution.
-
+You can then set the :term:`ca_cert_path` option to the path of a file
+containing the validation chain in `PEM format`_ ; those certificates are
+usually in /usr/share/ca-certificates/ but it may vary depending of your
+distribution.
If the authority does not match when connecting, you should be disconnected.
@@ -50,11 +75,12 @@ None
If you do not want to bother with certificate validation at all (which can be
the case when you run poezio on the same computer as your jabber server), you
-can set the *ignore_certificate* value to true, and let the *ca_cert_path*
-option empty (or even remove it).
+can set the :term:`ignore_certificate` value to true, and let the
+:term:`ca_cert_path` option empty (or even remove it).
.. warning:: Only do this if you know what you are doing, or you will be open
to Man in The Middle attacks!
+.. _Forward Secrecy: https://en.wikipedia.org/wiki/Forward_secrecy
.. _TOFU/TUFU: https://en.wikipedia.org/wiki/User:Dotdotike/Trust_Upon_First_Use
.. _PEM format: https://tools.ietf.org/html/rfc1422.html
diff --git a/src/connection.py b/src/connection.py
index b60f3b71..fed43d88 100644
--- a/src/connection.py
+++ b/src/connection.py
@@ -61,6 +61,9 @@ class Connection(sleekxmpp.ClientXMPP):
self.auto_reconnect = True if config.get('auto_reconnect', 'false').lower() in ('true', '1') else False
self.reconnect_max_attempts = 0
self.auto_authorize = None
+ # prosody defaults, lowest is AES128-SHA, it should be a minimum
+ # for anything that came out after 2002
+ self.ciphers = config.get('ciphers', 'HIGH+kEDH:HIGH+kEECDH:HIGH:!PSK:!SRP:!3DES:!aNULL')
self.ca_certs = config.get('ca_cert_path', '') or None
interval = config.get('whitespace_interval', '300')
if interval.isdecimal() and int(interval) > 0:
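Review bot: An empty `ciphers =` line in the config presumably reaches `self.ciphers` as `''`, and unlike `ca_cert_path` on the following line there is no `or` fallback, so the TLS layer would receive an empty cipher string instead of the hardened default; how it reacts to that is not visible here. Falling back keeps the safe behaviour: `self.ciphers = config.get('ciphers', '') or 'HIGH+kEDH:HIGH+kEECDH:HIGH:!PSK:!SRP:!3DES:!aNULL'`. The same literal now also lives in data/default_config.cfg and two documentation files, so a single named constant in the code would at least keep the runtime default in one place. The enclosing method starts and ends outside this hunk.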