Disable SSLv2/3 in auto protocol. Add --no-strong-crypto.

Closes #198
ArchiveTeam · Jan 5, 2015 · 71d26aa · 71d26aa
1 parent 4f91e12
commit 71d26aa
Show file tree

Hide file tree

Showing 4 changed files with 33 additions and 9 deletions.
diff --git a/doc/changelog.rst b/doc/changelog.rst
@@ -2,6 +2,7 @@
 What's New
 ==========
 
+* Security: SSLv2/SSLv3 is disabled for ``--secure-protocol=auto``. Added ``--no-strong-crypto`` that re-enables them again if needed.
 * Fixed NameError with PhantomJS proxy on Python 3.2.
 * Fixed PhantomJS stop waiting for page load too early.
 * Fixed ``--page-requisites`` exceeding ``--level``.

diff --git a/wpull/app_test.py b/wpull/app_test.py
@@ -191,6 +191,7 @@ def test_app_args(self):
             '--html-parser', 'html5lib',
             '--link-extractors', 'html',
             '--page-requisites-level', '5',
+            '--no-strong-crypto',
         ])
         with cd_tempdir():
             builder = Builder(args, unit_test=True)

diff --git a/wpull/builder.py b/wpull/builder.py
@@ -1203,21 +1203,30 @@ def _build_ssl_options(self):
         The options must be accepted by the `ssl` module.
 
         Returns:
-            dict
+            SSLContext
         '''
-        ssl_options = {}
+        # Logic is based on tornado.netutil.ssl_options_to_context
+        ssl_context = ssl.SSLContext(self._args.secure_protocol)
 
         if self._args.check_certificate:
-            ssl_options['cert_reqs'] = ssl.CERT_REQUIRED
-            ssl_options['ca_certs'] = self._load_ca_certs()
+            ssl_context.verify_mode = ssl.CERT_REQUIRED
+            ssl_context.load_verify_locations(self._load_ca_certs())
         else:
-            ssl_options['cert_reqs'] = ssl.CERT_NONE
+            ssl_context.verify_mode = ssl.CERT_NONE
 
-        ssl_options['ssl_version'] = self._args.secure_protocol
+        if self._args.strong_crypto:
+            ssl_context.options |= ssl.OP_NO_SSLv2
+            ssl_context.options |= ssl.OP_NO_SSLv3  # POODLE
+
+            if hasattr(ssl, 'OP_NO_COMPRESSION'):
+                ssl_context.options |= ssl.OP_NO_COMPRESSION  # CRIME
+            else:
+                _logger.warning(_('Unable to disable TLS compression.'))
 
         if self._args.certificate:
-            ssl_options['certfile'] = self._args.certificate
-            ssl_options['keyfile'] = self._args.private_key
+            ssl_context.load_cert_chain(
+                self._args.certificate, self._args.private_key
+            )
 
         if self._args.edg_file:
             ssl.RAND_egd(self._args.edg_file)
@@ -1227,7 +1236,7 @@ def _build_ssl_options(self):
                 # Use 16KB because Wget
                 ssl.RAND_add(in_file.read(15360), 0.0)
 
-        return ssl_options
+        return ssl_context
 
     def _load_ca_certs(self):
         '''Load the Certificate Authority certificates.

diff --git a/wpull/options.py b/wpull/options.py
@@ -819,6 +819,12 @@ def _add_ssl_args(self):
         if hasattr(ssl, 'PROTOCOL_SSLv2'):
             self._ssl_version_map['SSLv2'] = ssl.PROTOCOL_SSLv2,
 
+        if hasattr(ssl, 'PROTOCOL_TLSv1_1'):
+            self._ssl_version_map['TLSv1.1'] = ssl.PROTOCOL_TLSv1_1,
+
+        if hasattr(ssl, 'PROTOCOL_TLSv1_2'):
+            self._ssl_version_map['TLSv1.2'] = ssl.PROTOCOL_TLSv1_2,
+
         group = self.add_argument_group('SSL')
         group.add_argument(
             '--secure-protocol',
@@ -839,6 +845,13 @@ def _add_ssl_args(self):
             default=True,
             help=_('don’t validate SSL server certificates'),
         )
+        group.add_argument(
+            '--no-strong-crypto',
+            dest='strong_crypto',
+            action='store_false',
+            default=True,
+            help=_('don’t use secure protocols/ciphers')
+        )
         group.add_argument(
             '--certificate',
             metavar='FILE',