Closed gaby closed 11 months ago
By default CherryPy is listening for unsecured ciphers that leave instances exposed to several CVEs. Using the Mozilla TLS configurator I was able to generate the following list which could be used as the default cipher list for CherryPy.
```python
cherrypy_cfg["server.ssl_ciphers"] = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:"
    "ECDHE-RSA-CHACHA20-POLY1305:"
    "DHE-RSA-AES128-GCM-SHA256:"
    "DHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-CHACHA20-POLY1305"
)
```
Using this configuration, CherryPy should only listen for secure TLSv1.2 and TLSv1.3 connections.
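A way to verify what a server built from that list will actually offer, added here as an example that is not code from CherryPy or from the issue: it builds the equivalent `ssl.SSLContext` directly (assumed to match what CherryPy's builtin SSL adapter does with `server.ssl_ciphers`) and audits every offered suite for AEAD plus forward secrecy. One caveat the example makes visible: `set_ciphers()` governs TLS 1.2 and below only, and the TLS 1.2 floor has to be set separately on the context.

```python
import ssl

# The cipher list proposed in the issue, as one OpenSSL cipher string.
PROPOSED_CIPHERS = ":".join([
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "DHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES256-GCM-SHA384",
    "DHE-RSA-CHACHA20-POLY1305",
])

# Key-exchange labels reported by SSLContext.get_ciphers() that give forward
# secrecy; "kx-any" is what OpenSSL reports for TLS 1.3 suites.
EPHEMERAL_KX = {"kx-ecdhe", "kx-dhe", "kx-any"}


def build_server_context(ciphers: str = PROPOSED_CIPHERS) -> ssl.SSLContext:
    """Server context limited to TLS 1.2+ and the given cipher string
    (assumed equivalent to CherryPy's server.ssl_ciphers setting)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # cipher string alone does not do this
    # set_ciphers() only affects TLS 1.2 and earlier; TLS 1.3 suites are all
    # AEAD with ephemeral key exchange and are negotiated separately.
    ctx.set_ciphers(ciphers)
    return ctx


def offered_ciphers(ctx: ssl.SSLContext) -> list:
    """Names of every suite the context will actually offer to clients."""
    return [c["name"] for c in ctx.get_ciphers()]


def audit_ciphers(ctx: ssl.SSLContext) -> list:
    """Offered suites that are not AEAD with forward secrecy (empty == clean)."""
    findings = []
    for c in ctx.get_ciphers():
        if c["protocol"] == "TLSv1.3":
            continue  # AEAD and forward-secret by design
        if not c["aead"] or c["kea"] not in EPHEMERAL_KX:
            findings.append(c["name"])
    return findings
```

Appending a static-RSA suite such as `AES128-GCM-SHA256` to the string makes `audit_ciphers()` report it, which is the kind of regression this check is meant to catch when the default list is edited later.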