Merge pull request #26 from dmulder/dmulder/configure_openssl_seclevel

Make the openssl security level configurable
openSUSE · Nov 28, 2022 · d2fbac3 · d2fbac3
2 parents 260a7a6 + 1b36808
commit d2fbac3
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 3 deletions.
diff --git a/bin/cepces-submit b/bin/cepces-submit
@@ -24,6 +24,7 @@ import os
 import sys
 import traceback
 import argparse
+import requests
 from cepces.certmonger.core import Result
 from cepces.certmonger.operation import Operation
 from cepces.config import Configuration
@@ -62,6 +63,8 @@ def main(global_overrides, krb5_overrides):
             # Load the configuration and instantiate a service.
             config = Configuration.load(global_overrides=global_overrides,
                                         krb5_overrides=krb5_overrides)
+            if config.openssl_seclevel and config.openssl_seclevel.isnumeric():
+                requests.packages.urllib3.util.ssl_.DEFAULT_CIPHERS = 'ALL:@SECLEVEL=%s' % config.openssl_seclevel
             service = Service(config)
 
             # Call the operation.
@@ -88,6 +91,7 @@ if __name__ == '__main__':
     parser.add_argument('--keytab', help='Use the specified keytab')
     parser.add_argument('--principals',
         help='A list of principals to try when requesting a ticket')
+    parser.add_argument('--openssl-seclevel', help='The openssl security level')
     args = parser.parse_args()
     g_overrides = {}
     if args.server is not None:
@@ -98,6 +102,8 @@ if __name__ == '__main__':
         g_overrides['endpoint'] = endpoint
     if args.poll_interval is not None:
         g_overrides['poll_interval'] = args.poll_interval
+    if args.openssl_seclevel is not None:
+        g_overrides['openssl_seclevel'] = args.openssl_seclevel
     k_overrides = {}
     if args.keytab is not None:
         k_overrides['keytab'] = args.keytab

diff --git a/cepces/config.py b/cepces/config.py
@@ -55,14 +55,15 @@ class Configuration(Base):
         'Certificate': SOAPAuth.TransportCertificateAuthentication,
     }
 
-    def __init__(self, endpoint, endpoint_type, cas, auth, poll_interval):
+    def __init__(self, endpoint, endpoint_type, cas, auth, poll_interval, openssl_seclevel):
         super().__init__()
 
         self._endpoint = endpoint
         self._endpoint_type = endpoint_type
         self._cas = cas
         self._auth = auth
         self._poll_interval = poll_interval
+        self._openssl_seclevel = openssl_seclevel
 
     @property
     def endpoint(self):
@@ -89,6 +90,11 @@ def poll_interval(self):
         """Return the poll interval."""
         return self._poll_interval
 
+    @property
+    def openssl_seclevel(self):
+        """Return the openssl security level."""
+        return self._openssl_seclevel
+
     @classmethod
     def load(cls, files=None, dirs=None, global_overrides=None,
              krb5_overrides=None):
@@ -116,6 +122,10 @@ def load(cls, files=None, dirs=None, global_overrides=None,
         config['DEFAULT']['shortname'] = shortname.lower()
         config['DEFAULT']['SHORTNAME'] = shortname.upper()
 
+        if not config.has_section('global'):
+            config.add_section('global')
+        config['global']['openssl_seclevel'] = ''
+
         if files is None:
             files = DEFAULT_CONFIG_FILES
 
@@ -155,7 +165,7 @@ def from_parser(cls, parser):
         section = parser['global']
 
         # Ensure certain required variables are present.
-        for var in ['endpoint', 'auth', 'type', 'poll_interval']:
+        for var in ['endpoint', 'auth', 'type', 'poll_interval', 'openssl_seclevel']:
             if var not in section:
                 raise RuntimeError(
                     'Missing "{}/{}" variable in configuration.'.format(
@@ -178,8 +188,9 @@ def from_parser(cls, parser):
         authn = Configuration.AUTH_HANDLER_MAP[section['auth']](parser)
         cas = section.get('cas', True)
         poll_interval = section.get('poll_interval')
+        openssl_seclevel = section.get('openssl_seclevel')
 
         if cas == '':
             cas = False
 
-        return Configuration(endpoint, endpoint_type, cas, authn.handle(), poll_interval)
+        return Configuration(endpoint, endpoint_type, cas, authn.handle(), poll_interval, openssl_seclevel)
diff --git a/conf/cepces.conf.dist b/conf/cepces.conf.dist
@@ -48,6 +48,15 @@ endpoint=https://${server}/ADPolicyProvider_CEP_${auth}/service.svc/CEP
 # Time in seconds before re-checking if the certificate has been issued
 poll_interval=3600
 
+# This is the openssl security level. The latest openssl sets the default to
+# level 2, which disables some less secure ciphers. You may encounter an error
+# of '[SSL: DH_KEY_TOO_SMALL] dh key too small' if this level is set to high
+# for your server. If this happens, you can work around this issue by setting
+# openssl_seclevel to 1.
+#
+# Default: 2
+#openssl_seclevel=2
+
 [kerberos]
 # Use the specified keytab. If unspecified, the system default is used.
 #