Reduce the set of supported client SSL ciphers

python-glanceclient (like, for example, curl) can advertise the default
set of supported OpenSSL ciphers in its ClientHello packet.

This patches reduces that to a stronger subset.

Change-Id: I7c30465e79d8a32f43458cd6253a98fcf067dc38
Closes-bug: #1370283

1 files changed, 6 insertions, 0 deletions

diff --git a/glanceclient/common/https.py b/glanceclient/common/https.py
index 4f0e6f5..15b41b0 100644
--- a/glanceclient/common/https.py
+++ b/glanceclient/common/https.py
@@ -133,6 +133,11 @@ class VerifiedHTTPSConnection(HTTPSConnection):
     Note: Much of this functionality can eventually be replaced
           with native Python 3.3 code.
     """
+    # Restrict the set of client supported cipher suites
+    CIPHERS = 'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:'\
+              'eCDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:'\
+              'RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS'
+
     def __init__(self, host, port=None, key_file=None, cert_file=None,
                  cacert=None, timeout=None, insecure=False,
                  ssl_compression=True):
@@ -219,6 +224,7 @@ class VerifiedHTTPSConnection(HTTPSConnection):
         Set up the OpenSSL context.
         """
         self.context = OpenSSL.SSL.Context(OpenSSL.SSL.SSLv23_METHOD)
+        self.context.set_cipher_list(self.CIPHERS)
 
         if self.ssl_compression is False:
             self.context.set_options(0x20000)  # SSL_OP_NO_COMPRESSION