Depreciate ssl2/3 (home-assistant#2375)

* Depreciate ssl2/3 Following the best practices as defind here: https://mozilla.github.io/server-side-tls/ssl-config-generator/ * Updated comment with better decription Links to the rational rather than the config generator; explains link. * add comment mentioning intermediate
nnkostov · Jun 26, 2016 · fb3e388 · fb3e388
1 parent 254b1c4
commit fb3e388
Showing 1 changed file with 21 additions and 1 deletion.
diff --git a/homeassistant/components/http.py b/homeassistant/components/http.py
@@ -10,6 +10,7 @@
 import mimetypes
 import threading
 import re
+import ssl
 import voluptuous as vol
 
 import homeassistant.core as ha
@@ -36,6 +37,24 @@
 
 DATA_API_PASSWORD = 'api_password'
 
+# TLS configuation follows the best-practice guidelines
+# specified here: https://wiki.mozilla.org/Security/Server_Side_TLS
+# Intermediate guidelines are followed.
+SSL_VERSION = ssl.PROTOCOL_TLSv1
+CIPHERS = "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:" \
+          "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:" \
+          "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:" \
+          "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:" \
+          "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:" \
+          "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:" \
+          "ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:" \
+          "ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:" \
+          "DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:" \
+          "DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:" \
+          "ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:" \
+          "AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:" \
+          "AES256-SHA:DES-CBC3-SHA:!DSS"
+
 _FINGERPRINT = re.compile(r'^(.+)-[a-z0-9]{32}\.(\w+)$', re.IGNORECASE)
 
 _LOGGER = logging.getLogger(__name__)
@@ -294,7 +313,8 @@ def start(self):
         sock = eventlet.listen((self.server_host, self.server_port))
         if self.ssl_certificate:
             sock = eventlet.wrap_ssl(sock, certfile=self.ssl_certificate,
-                                     keyfile=self.ssl_key, server_side=True)
+                                     keyfile=self.ssl_key, server_side=True,
+                                     ssl_version=SSL_VERSION, ciphers=CIPHERS)
         wsgi.server(sock, self, log=_LOGGER)
 
     def dispatch_request(self, request):