From fb3e388f0441240fe207274f0167f01e034ba4b6 Mon Sep 17 00:00:00 2001
From: Dan <Daniel.Kemp@especiallyrelative.net>
Date: Sun, 26 Jun 2016 14:49:46 -0400
Subject: [PATCH] Depreciate ssl2/3 (#2375)

* Depreciate ssl2/3

Following the best practices as defined here:
https://mozilla.github.io/server-side-tls/ssl-config-generator/

* Updated comment with better description

Links to the rationale rather than the config generator; explains link.

* add comment mentioning intermediate
---
 homeassistant/components/http.py | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)

diff --git a/homeassistant/components/http.py b/homeassistant/components/http.py
index d7ce8e78013..1f77aac5ad4 100644
--- a/homeassistant/components/http.py
+++ b/homeassistant/components/http.py
@@ -10,6 +10,7 @@ import logging
 import mimetypes
 import threading
 import re
+import ssl
 import voluptuous as vol
 
 import homeassistant.core as ha
@@ -36,6 +37,24 @@ CONF_CORS_ORIGINS = 'cors_allowed_origins'
 
 DATA_API_PASSWORD = 'api_password'
 
+# TLS configuation follows the best-practice guidelines
+# specified here: https://wiki.mozilla.org/Security/Server_Side_TLS
+# Intermediate guidelines are followed.
+SSL_VERSION = ssl.PROTOCOL_TLSv1
+CIPHERS = "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:" \
+          "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:" \
+          "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:" \
+          "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:" \
+          "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:" \
+          "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:" \
+          "ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:" \
+          "ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:" \
+          "DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:" \
+          "DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:" \
+          "ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:" \
+          "AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:" \
+          "AES256-SHA:DES-CBC3-SHA:!DSS"
+
 _FINGERPRINT = re.compile(r'^(.+)-[a-z0-9]{32}\.(\w+)$', re.IGNORECASE)
 
 _LOGGER = logging.getLogger(__name__)
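Review bot: `SSL_VERSION = ssl.PROTOCOL_TLSv1` pins the listener to TLS 1.0 only, because in Python's `ssl` module that constant selects exactly one protocol version rather than a minimum. The GCM, CHACHA20 and SHA256/SHA384 suites at the front of `CIPHERS` are TLS 1.2-only, so they can never be negotiated and every session falls back to the CBC-SHA entries. The Mozilla intermediate profile cited in the comment expects TLS 1.0 through 1.2. I would use `SSL_VERSION = ssl.PROTOCOL_SSLv23` and exclude the old protocols with `ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3` on an `SSLContext`. The `eventlet.wrap_ssl(...)` call in the last hunk consumes this constant and would need the same change, and the comment's "configuation" should read "configuration".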
@@ -294,7 +313,8 @@ class HomeAssistantWSGI(object):
         sock = eventlet.listen((self.server_host, self.server_port))
         if self.ssl_certificate:
             sock = eventlet.wrap_ssl(sock, certfile=self.ssl_certificate,
-                                     keyfile=self.ssl_key, server_side=True)
+                                     keyfile=self.ssl_key, server_side=True,
+                                     ssl_version=SSL_VERSION, ciphers=CIPHERS)
         wsgi.server(sock, self, log=_LOGGER)
 
     def dispatch_request(self, request):
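Review bot: The `ssl_version=`/`ciphers=` keywords on `eventlet.wrap_ssl` cannot set context options, so nothing here enables `ssl.OP_CIPHER_SERVER_PREFERENCE`. Unless the interpreter's `SSLContext` defaults already set it, the careful ordering of `CIPHERS` is only advisory and the client's preference decides the suite. Building an explicit `ssl.SSLContext` and wrapping the socket through it makes the server's order binding, and gives one place to add further protocol options. Whether the green socket returned by `eventlet.listen` can be wrapped this way depends on the eventlet version in use and should be confirmed. The enclosing method starts above this hunk.

```python
        if self.ssl_certificate:
            context = ssl.SSLContext(SSL_VERSION)
            # Make the order of CIPHERS authoritative instead of the client's.
            context.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
            context.set_ciphers(CIPHERS)
            context.load_cert_chain(self.ssl_certificate, self.ssl_key)
            sock = context.wrap_socket(sock, server_side=True)
        # … unchanged: wsgi.server(sock, self, log=_LOGGER) …
```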
-- 
GitLab