Enable http_check to function with weak ciphers on SSL/TLS. #1975

Merged on Oct 19, 2015 (3 commits)

@truthbk (Member) commented Oct 14, 2015

With this PR we enable the RSA+RC4+MD5 cipher which is considered weak. We can add further weak ciphers if needed. Disabled by default, the user must specify weakciphers: true in their http_check.yaml for this to have any real effect - otherwise weak ciphers are disabled.

Session object has nearly identical request method.

Default value for weakcipher is false.

Adding debug logging for weak ciphers.

Importing datetime differently to urllib3 code.

Added Transport adapter for weak cyphers, requests lib sessions required too.

Session object has nearly identical request method.

Default value for weakcipher is false.

Adding debug logging for weak ciphers.

Importing datetime differently to urllib3 code.

Changing cipherlist for weak ciphers, now it works.
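
The opt-in described above, sketched with the standard `ssl` module and a `requests` transport adapter. This is an added example, not the code from this PR: the baseline cipher string, the logger name and the helpers `build_context` and `session_for` are assumptions, and only the `weakciphers` key and the RSA+RC4+MD5 suite come from the description.

```python
import logging
import ssl

log = logging.getLogger("http_check_example")   # hypothetical logger name
STRICT_CIPHERS = "HIGH:!aNULL:!eNULL"            # assumed baseline, not the PR's list
WEAK_SUITE = "RSA+RC4+MD5"                       # suite named in the PR description


def build_context(instance):
    """Return (SSLContext, weak_active) for one http_check instance dict."""
    ctx = ssl.create_default_context()           # cert and hostname checks stay on
    # Opt-in only: a missing key or any value other than YAML true leaves it off.
    weak = instance.get("weakciphers", False) is True
    ctx.set_ciphers(STRICT_CIPHERS + (":" + WEAK_SUITE if weak else ""))
    # OpenSSL ignores suites it was built without, so check what was selected.
    names = [c["name"] for c in ctx.get_ciphers()]
    weak_active = any("RC4" in name for name in names)
    if weak and not weak_active:
        log.debug("weakciphers set, but this OpenSSL build offers no RC4 suite")
    elif weak_active:
        log.debug("weak ciphers enabled for %s", instance.get("url"))
    return ctx, weak_active


def session_for(instance):
    """Return a requests.Session whose HTTPS pool uses this instance's context."""
    import requests                               # third-party, imported lazily
    from requests.adapters import HTTPAdapter

    ctx, _ = build_context(instance)

    class ContextAdapter(HTTPAdapter):
        def init_poolmanager(self, *args, **kwargs):
            kwargs["ssl_context"] = ctx           # handed through to urllib3
            return super().init_poolmanager(*args, **kwargs)

    session = requests.Session()
    session.mount("https://", ContextAdapter())   # scope: this session only
    return session


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    # Constructed sample instances, as they would look after parsing http_check.yaml.
    for inst in ({"url": "https://legacy.example.test", "weakciphers": True},
                 {"url": "https://modern.example.test"}):
        print(inst["url"], "weak suites active:", build_context(inst)[1])
```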


is_time_off = datetime.today().date() < urllib3.connection.RECENT_DATE
if is_time_off:
warnings.warn((
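Review bot: the `is_time_off` branch reports a wrong clock through `warnings.warn`, so whether the message is ever seen depends on the process's warning filters rather than on the check's log level. If the clock test stays in this override, route it through the same logger used for the weak-cipher debug messages; otherwise remove the branch together with the `urllib3.connection.RECENT_DATE` reference so the method depends on one less urllib3 internal.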
We can assume that the system time is correct. If it's not, there are way more things that would be broken

Member Author

This was actually part of the "parent" connect() method in urllib3, I had to overwrite it because I had to change the way we called ssl_wrap_socket and add the ciphers parameter to the call - the rest of the method is pretty much verbatim.

Still we can remove it. It pollutes the code for a case that will cause more issues than this ssl connection not working if it happens and that will be caught in other parts of the agent.

fixing flake8 issue.

More flake8 issue.
@truthbk truthbk force-pushed the jaime/httpcheck_weakciph branch from 390258b to 2926384 Compare October 19, 2015 15:45

hostname = self.host
if getattr(self, '_tunnel_host', None):
# _tunnel_host was added in Python 2.6.3
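Review bot: the `getattr(self, '_tunnel_host', None)` lookup reads an underscore-prefixed attribute, and the only comment on it is about Python 2.6.3 history. A short comment above `hostname = self.host` saying which urllib3 release this connect() body mirrors would let the override be re-synced when upstream changes it.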
You can assume that python >= 2.6.3

truthbk added a commit that referenced this pull request Oct 19, 2015
Enable http_check to function with weak ciphers on SSL/TLS.
@truthbk truthbk merged commit a3080b1 into master Oct 19, 2015
@truthbk truthbk deleted the jaime/httpcheck_weakciph branch November 9, 2015 16:55