restrict available ciphers

only EECDH+AESGCM is allowed. now it uses only tls 1.2 and 1.3

statusd.py

@@ -80,6 +80,16 @@ def print_config(CONFIG):
     return True
 
 
+def print_ciphers(cipherlist):
+    print('Available ciphers')
+    for i in cipherlist:
+        print('\n')
+        for j in i.keys():
+            print('{}: {}'.format(j, i[j]))
+    print('\n')
+    return True
+
+
 def display_peercert(cert):
     for i in cert.keys():
         print(i)
@@ -211,18 +221,15 @@ def main():
         exit()
 
     context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
-    context.options &= ~ssl.OP_NO_SSLv2
-    context.options &= ~ssl.OP_NO_SSLv3
-    context.options &= ~ssl.PROTOCOL_TLS
-    context.options &= ~ssl.OP_CIPHER_SERVER_PREFERENCE
-    # context.options &= ~ssl.OP_DONT_INSERT_EMPTY_FRAGMENTS
-    context.options |= getattr(ssl._ssl, 'OP_NO_COMPRESSION', 0)
-    # context.set_ciphers('HIGHT:!aNULL:!RC4:!DSS')
     context.verify_mode = ssl.CERT_REQUIRED
     context.load_cert_chain(certfile = CONFIG['SERVER_CERT'],
                             keyfile = CONFIG['SERVER_KEY'])
     context.load_verify_locations(cafile = CONFIG['CLIENT_CERT'])
+    context.set_ciphers('EECDH+AESGCM')   # only ciphers for tls 1.2 and 1.3
+    context.options = ssl.OP_CIPHER_SERVER_PREFERENCE
+    context.options |= getattr(ssl._ssl, 'OP_NO_COMPRESSION', 0)
     logging.debug('SSL context created')
+    # print_ciphers(context.get_ciphers())
 
     with socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0) as mySocket:
         logging.debug('Socket created')