Allow SSL ciphers to be overridden in HTTP server

Users of this class, such as the RAPI server, might want to override or adjust
the default SSL cipher defined in a constant.

Signed-off-by: Michael Hanselmann <hansmi@google.com>
Reviewed-by: Iustin Pop <iustin@google.com>

diff --git a/lib/http/__init__.py b/lib/http/__init__.py
index a42c496..1e39f21 100644 (file)
--- a/lib/http/__init__.py
+++ b/lib/http/__init__.py
@@ -595,7 +595,10 @@ class HttpBase(object):
 
     ctx = OpenSSL.SSL.Context(OpenSSL.SSL.SSLv23_METHOD)
     ctx.set_options(OpenSSL.SSL.OP_NO_SSLv2)
-    ctx.set_cipher_list(constants.OPENSSL_CIPHERS)
+
+    ciphers = self.GetSslCiphers()
+    logging.debug("Setting SSL cipher string %s", ciphers)
+    ctx.set_cipher_list(ciphers)
 
     ctx.use_privatekey(self._ssl_key)
     ctx.use_certificate(self._ssl_cert)
@@ -608,6 +611,12 @@ class HttpBase(object):
 
     return OpenSSL.SSL.Connection(ctx, sock)
 
+  def GetSslCiphers(self):
+    """Returns the ciphers string for SSL.
+
+    """
+    return constants.OPENSSL_CIPHERS
+
   def _SSLVerifyCallback(self, conn, cert, errnum, errdepth, ok):
     """Verify the certificate provided by the peer