theforeman · brandonweeks · Nov 25, 2015 · dmitri-d · Nov 26, 2015 · brandonweeks
diff --git a/lib/launcher.rb b/lib/launcher.rb
@@ -40,6 +40,11 @@ def https_app
           ::Proxy::Plugins.enabled_plugins.each {|p| instance_eval(p.https_rackup)}
         end
 
+        ssl_options = OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:options]
+        ssl_options |= OpenSSL::SSL::OP_CIPHER_SERVER_PREFERENCE if defined?(OpenSSL::SSL::OP_CIPHER_SERVER_PREFERENCE)
+        ssl_options |= OpenSSL::SSL::OP_NO_TLSv1 if defined?(OpenSSL::SSL::OP_NO_TLSv1)
+        ssl_options |= OpenSSL::SSL::OP_NO_TLSv1_1 if defined?(OpenSSL::SSL::OP_NO_TLSv1_1)
+
         Rack::Server.new(
           :app => app,
           :server => :webrick,
@@ -51,6 +56,7 @@ def https_app
           :SSLPrivateKey => load_ssl_private_key(SETTINGS.ssl_private_key),
           :SSLCertificate => load_ssl_certificate(SETTINGS.ssl_certificate),
           :SSLCACertificateFile => SETTINGS.ssl_ca_file,
+          :SSLOptions => ssl_options,
           :daemonize => false)
       end
     end

diff --git a/lib/poodles-fix.rb b/lib/poodles-fix.rb
diff --git a/lib/smart_proxy_main.rb b/lib/smart_proxy_main.rb
@@ -36,7 +36,7 @@
 require 'sinatra'
 require 'sinatra-patch'
 require 'sinatra/authorization'
-require 'poodles-fix'
+require 'webrick-patch'
 
 module Proxy
   SETTINGS = Settings.load_global_settings

diff --git a/lib/webrick-patch.rb b/lib/webrick-patch.rb
@@ -0,0 +1,34 @@
+require 'webrick/https'
+
+CIPHERS = 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-CBC-SHA:ECDHE-RSA-AES256-CBC-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA'
+
+module WEBrick
+  class GenericServer
+    def setup_ssl_context(config) # :nodoc:
+      unless config[:SSLCertificate]
+        cn = config[:SSLCertName]
+        comment = config[:SSLCertComment]
+        cert, key = Utils::create_self_signed_cert(1024, cn, comment)
+        config[:SSLCertificate] = cert
+        config[:SSLPrivateKey] = key
+      end
+      ctx = OpenSSL::SSL::SSLContext.new
+      ctx.set_params
+      ctx.ciphers = CIPHERS
+      ctx.key = config[:SSLPrivateKey]
+      ctx.cert = config[:SSLCertificate]
+      ctx.client_ca = config[:SSLClientCA]
+      ctx.extra_chain_cert = config[:SSLExtraChainCert]
+      ctx.ca_file = config[:SSLCACertificateFile]
+      ctx.ca_path = config[:SSLCACertificatePath]
+      ctx.cert_store = config[:SSLCertificateStore]
+      ctx.tmp_dh_callback = config[:SSLTmpDhCallback]
+      ctx.verify_mode = config[:SSLVerifyClient]
+      ctx.verify_depth = config[:SSLVerifyDepth]
+      ctx.verify_callback = config[:SSLVerifyCallback]
+      ctx.timeout = config[:SSLTimeout]
+      ctx.options |= config[:SSLOptions] unless config[:SSLOptions].nil?
+      ctx
+    end
+  end
+end