From 0e405f894deec51dd4bfaa41fe380a95def7e7da Mon Sep 17 00:00:00 2001
From: berhsi <berhsi@web.de>
Date: Fri, 2 Aug 2019 14:20:08 +0200
Subject: [PATCH] statusd.py: set some ssl-options

---
 statusd.py | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/statusd.py b/statusd.py
index 53a324a..b44288d 100755
--- a/statusd.py
+++ b/statusd.py
@@ -204,7 +204,12 @@ def set_values(raw_data):
 def main():
     '''
     The main function - opens a socket, create a ssl context, load certs and
-    listen for connections.
+    listen for connections. at ssl context we set some security options like 
+    OP_NO_SSLv2 (SSLv3): they are insecure
+    PROTOCOL_TLS: only use tls
+    OP_NO_COMPRESSION: prevention against crime attack
+    OP_DONT_ISERT_EMPTY_FRAGMENTS: prevention agains cbc 4 attack (cve-2011-3389)
+
     '''
     CONFIG = {
         'HOST': 'localhost',
@@ -231,12 +236,17 @@ def main():
         exit()
 
     context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
+    context.options &= ~ssl.OP_NO_SSLv2
+    context.options &= ~ssl.OP_NO_SSLv3
     context.options &= ~ssl.PROTOCOL_TLS
+    context.options &= ~ssl.OP_CIPHER_SERVER_PREFERENCE
+    # context.options &= ~ssl.OP_DONT_INSERT_EMPTY_FRAGMENTS
+    context.options |= getattr(ssl._ssl, 'OP_NO_COMPRESSION', 0)
+    # context.set_ciphers('HIGHT:!aNULL:!RC4:!DSS')
     context.verify_mode = ssl.CERT_REQUIRED
     context.load_cert_chain(certfile = CONFIG['SERVER_CERT'],
                             keyfile = CONFIG['SERVER_KEY'])
     context.load_verify_locations(cafile = CONFIG['CLIENT_CERT'])
-    context.options &= ~ssl.OP_NO_SSLv3
     logging.debug('SSL context created')
 
     with socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0) as mySocket:
@@ -290,6 +300,7 @@ def main():
             except Exception as e:
                 logging.error('{}'.format(e))
                 continue
+    return 0
 
 
 if __name__ == '__main__':