Merge pull request #138 from telefonicaid/hardening/107_tlsv1_instead…

…_of_sslv3 hardening/107_force_tls_cosmos_auth
telefonicaid · Jan 8, 2016 · 32da865 · 32da865
2 parents cf66b27 + d15d6ee
commit 32da865
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 2 deletions.
diff --git a/CHANGES_NEXT_RELEASE b/CHANGES_NEXT_RELEASE
@@ -14,4 +14,5 @@
 - [cosmos-gui] [HARDENING] Add readthedocs and AGPL badges to the README (#125)
 - [cosmos-sinfonier] [DOC] Adding documentation realted Stream component Sinfonier. Docs include how to create new topologies and modules (Spouts, Bolts and Drains).
 - [cosmos-gui] [FEATURE] Allow changing the Cosmos password (#132)
+- [cosmos-auth] [HARDENING] Force the usage of TLSv1 instead of SSLv3 (#107)
 - [cosmos-gui] [BUG] /new_password route now provisions the new password (#134)
diff --git a/cosmos-auth/README.md b/cosmos-auth/README.md
@@ -104,9 +104,9 @@ cosmos-auth typically listens in the TCP/13000 port (TLS encryption), but you ca
 ##<a name="usage"></a>Usage
 Apart from the version method, there is only one available operation in this RESTful API. Use curl this way in order to get an access token:
 
-    curl -X POST "https://<host_running_the_api>:13000/cosmos-auth/v1/token" -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=password&username=<your_idm_username>&password=<your_idm_password>"
+    curl -k -X POST "https://<host_running_the_api>:13000/cosmos-auth/v1/token" -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=password&username=<your_idm_username>&password=<your_idm_password>"
 
-Resposne have the following format (JSON encoding):
+The response should have the following format (JSON encoding):
 
     {"access_token": "M2ir2989wWhs5mAmj9OJLQdok0MeGl", "token_type": "Bearer", "expires_in": 3600, "refresh_token": "nEy34Tc74HhlA6Hk34uCihUGRppLO9"}
 

diff --git a/cosmos-auth/src/server.js b/cosmos-auth/src/server.js
@@ -31,6 +31,7 @@ var config = require('../conf/cosmos-auth.json');
 var client = require('./client.js');
 var fs = require('fs');
 var logger = require('./logger.js');
+var constants = require('constants');
 
 // Create a Hapi server with a host and port
 var server = new Hapi.Server();
@@ -39,6 +40,7 @@ server.connection({
     host: config.host,
     port: config.port,
     tls: {
+        secureOptions: constants.SSL_OP_NO_SSLv3,
         key: fs.readFileSync(config.private_key_file),
         cert: fs.readFileSync(config.certificate_file)
     }