Revision 971bbd84

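--- a/lib/constants.py
+++ b/lib/constants.py
@@ -204,6 +204,14 @@
 # 2010 on.
 RSA_KEY_BITS = 2048
 
+# Ciphers allowed for SSL connections. For the format, see ciphers(1). A better
+# way to disable ciphers would be to use the exclamation mark (!), but socat
+# versions below 1.5 can't parse exclamation marks in options properly. When
+# modifying the ciphers, ensure to not accidentially add something after it's
+# been removed. Use the "openssl" utility to check the allowed ciphers, e.g.
+# "openssl ciphers -v HIGH:-DES".
+OPENSSL_CIPHERS = "HIGH:-DES:-3DES:-EXPORT:-ADH"
+
 # Digest used to sign certificates ("openssl x509" uses SHA1 by default)
 X509_CERT_SIGN_DIGEST = "SHA1"
 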
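Review bot: `-ADH` in `OPENSSL_CIPHERS` removes only the anonymous finite-field DH suites; on OpenSSL builds where `HIGH` also contains anonymous ECDH suites (AECDH), unauthenticated key exchange would remain negotiable. `-aNULL` covers every suite without authentication and contains no exclamation mark, so it should stay within the socat limitation the comment describes: `OPENSSL_CIPHERS = "HIGH:-DES:-3DES:-EXPORT:-aNULL"`. Confirm the resulting list against the oldest supported OpenSSL with `openssl ciphers -v`. The new comment also misspells "accidentally" as "accidentially".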
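--- a/lib/http/__init__.py
+++ b/lib/http/__init__.py
@@ -595,6 +595,7 @@
 
     ctx = OpenSSL.SSL.Context(OpenSSL.SSL.SSLv23_METHOD)
     ctx.set_options(OpenSSL.SSL.OP_NO_SSLv2)
+    ctx.set_cipher_list(constants.OPENSSL_CIPHERS)
 
     ctx.use_privatekey(self._ssl_key)
     ctx.use_certificate(self._ssl_cert)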
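Review bot: The context that receives the new cipher list can still negotiate SSLv3, because `SSLv23_METHOD` is combined only with `OP_NO_SSLv2`, while the socat side in lib/impexpd is pinned to `method=TLSv1`. Restricting ciphers without restricting the protocol leaves the two endpoints inconsistent; consider `ctx.set_options(OpenSSL.SSL.OP_NO_SSLv2 | OpenSSL.SSL.OP_NO_SSLv3)`, provided every peer of this HTTP layer speaks TLS. The enclosing method starts and ends outside the hunk, so whether the options are changed again later cannot be seen here.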
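--- a/lib/impexpd/__init__.py
+++ b/lib/impexpd/__init__.py
@@ -77,7 +77,8 @@
 
 # Common options for socat
 SOCAT_TCP_OPTS = ["keepalive", "keepidle=60", "keepintvl=10", "keepcnt=5"]
-SOCAT_OPENSSL_OPTS = ["verify=1", "cipher=HIGH", "method=TLSv1"]
+SOCAT_OPENSSL_OPTS = ["verify=1", "method=TLSv1",
+                      "cipher=%s" % constants.OPENSSL_CIPHERS]
 
 SOCAT_OPTION_MAXLEN = 400
 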
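Review bot: `SOCAT_OPENSSL_OPTS` now interpolates `constants.OPENSSL_CIPHERS` into a socat option, so the constant is constrained by socat's option syntax (no `!` per the comment in lib/constants.py, and presumably no `,`, which separates socat options), yet nothing at this use site states or checks that. A comment above the list such as `# OPENSSL_CIPHERS must stay socat-parsable: no "!" or ","` would keep a later edit made for the HTTP side from silently breaking import/export; a unit test asserting the same would be stronger. The cipher string may also count against `SOCAT_OPTION_MAXLEN`, if that limit applies to this option, which is not visible here. This assumes `constants` is already imported in the module, since the import block is outside the hunk.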
