Improve TLS security

2015-03-31 01:04:05 +02:00 · 2015-03-31 01:04:05 +02:00 · 7c367b7b8a
commit 7c367b7b8a
parent 3f6c3d9310
3 changed files with 21 additions and 13 deletions
--- a/hyp/init.py
+++ b/hyp/init.py
@ -1,5 +1 @@
-from .hyp import UploadHandler, check_cert, serve
-
-if __name__ == '__main__':
-	from .hyp import main
-	main()
+from .hyp import UploadHandler, check_cert, serve
--- a/hyp/hyp.py
+++ b/hyp/hyp.py
@ -81,15 +81,20 @@ def serve(address, port, tls_dir, upload):
            server = http.HTTPServer(bind, http.SimpleHTTPRequestHandler)
        if use_tls:
            try:
-                protocol = ssl.PROTOCOL_TLSv1_2
+                context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
            except AttributeError:
                print('hyp needs TLSv1.2. You must have openssl >= 1.0.1')
                sys.exit(1)
-            tls_socket = ssl.wrap_socket(server.socket, server_side=True,
-                    certfile=path.join(tls_dir, 'https-cert.pem'),
-                    keyfile=path.join(tls_dir,'https-key.pem'),
-                    ssl_version=protocol)
-            server.socket = tls_socket
+            context.set_ecdh_curve('prime256v1')
+            context.set_ciphers('AES256+EECDH:AES256+EDH')
+            context.options = (ssl.OP_ALL |
+                               ssl.OP_NO_COMPRESSION | 
+                               ssl.OP_SINGLE_ECDH_USE |
+                               ssl.OP_CIPHER_SERVER_PREFERENCE)
+            context.load_cert_chain(
+                        certfile=path.join(tls_dir, 'https-cert.pem'),
+                        keyfile=path.join(tls_dir,'https-key.pem'))
+            server.socket = context.wrap_socket(server.socket, server_side=True)
    except Exception as e:
        print('Error %d: %s' % e.args)
        sys.exit(e.errno)
--- a/setup.py
+++ b/setup.py
@ -1,7 +1,7 @@
 from setuptools import setup

 setup(name='hyp-server',
-    version='1.0.0',
+    version='1.1.0',
    description='Hyperminimal https server',
    url='http://github.com/rnhmjoj/hyp',
    author='rnhmjoj',
@ -11,4 +11,11 @@ setup(name='hyp-server',
    entry_points={
        'console_scripts': ['hyp = hyp.hyp:main']
    },
-    )
+    keywords=['http', 'https', 'ssl', 'tls', 'upload', 'server'],
+    classifiers=[
+        'Topic :: Internet :: WWW/HTTP :: HTTP Servers',
+        'Topic :: Communications :: File Sharing',
+        'Programming Language :: Python :: 3 :: Only',
+        'License :: OSI Approved :: MIT License',
+        'License :: OSI Approved :: GNU General Public License (GPL)',
+    ])