kryskool / yubico-yubiserve

Automatically exported from code.google.com/p/yubico-yubiserve
GNU General Public License v3.0

Missing modern TLS security #36

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
Hi,

I noticed in the source code that you manually establish TLS connections with 
OpenSSL.

https://code.google.com/p/yubico-yubiserve/source/browse/trunk/yubiserve.py#451

Since every TLS protocol below 1.2 is cryptographically broken you should 
really follow these guidelines when establishing TLS connections 
(https://docs.python.org/3/library/ssl.html), and make sure TLS 1.2 is used and 
established correctly. Since with this specific application there won't be 
problems with e.g. legacy clients, it's easy to switch this part of the 
codebase for a more sound TLS server procedure.

Example code:
https://gist.github.com/azet/09416f8e63b31e0b05d5 (you want to use 
non-blocking io though: 
https://docs.python.org/3/library/ssl.html#notes-on-non-blocking-sockets)

Thanks,
Aaron

Original issue reported on code.google.com by a...@azet.org on 5 Jan 2015 at 8:00
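The issue above asks for the server side of yubiserve to be moved onto the standard-library `ssl` module with TLS 1.2 enforced. The following is an added example written for this page, not code from yubiserve, from the linked gist, or from the reporter. It builds a server `SSLContext` that refuses anything older than TLS 1.2, disables TLS compression and restricts the cipher list to forward-secret AEAD suites, and it pairs that with a small audit function that flags a context which still allows OpenSSL's oldest supported protocol version (shown for comparison). Certificate and key paths are placeholders supplied by the deployment; the function names and the cipher string are this example's own choices.

```python
"""Hardened TLS server context built with the standard-library ssl module.

Added example for the yubiserve TLS issue; not the project's own code.
"""
import ssl

# Forward-secret AEAD suites only; explicitly exclude NULL, MD5, RC4 and 3DES.
PREFERRED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4:!3DES"

# Substrings that should never appear in an enabled cipher-suite name.
WEAK_CIPHER_MARKERS = ("NULL", "MD5", "RC4", "DES", "EXPORT")


def make_hardened_server_context(certfile=None, keyfile=None):
    """Server-side SSLContext that never negotiates below TLS 1.2."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # SSLv3, TLS 1.0 and TLS 1.1 are excluded at the context level.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # No TLS-level compression (removes the CRIME class of attacks).
    ctx.options |= ssl.OP_NO_COMPRESSION
    # The server, not the client, decides which suite is used.
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    ctx.set_ciphers(PREFERRED_CIPHERS)
    if certfile is not None:
        # Placeholder paths: the deployment supplies the real certificate chain and key.
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def make_legacy_server_context():
    """Context that lets OpenSSL negotiate its oldest supported version.

    Included only as the 'before' side for the audit below.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def audit_tls_context(ctx):
    """Return a list of findings; an empty list means the context meets the bar the issue asks for."""
    findings = []
    # TLSVersion is an IntEnum, so protocol versions compare numerically.
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum protocol version is below TLS 1.2")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression is not disabled")
    weak = [
        suite["name"]
        for suite in ctx.get_ciphers()
        if any(marker in suite["name"] for marker in WEAK_CIPHER_MARKERS)
    ]
    if weak:
        findings.append("weak cipher suites enabled: " + ", ".join(weak))
    return findings


if __name__ == "__main__":
    for label, ctx in (("hardened", make_hardened_server_context()),
                       ("legacy", make_legacy_server_context())):
        print(label, audit_tls_context(ctx) or "OK")
```

To wire this into a server, pass the returned context's `wrap_socket(...)` around the listening socket (with `server_side=True`) instead of building the connection by hand with OpenSSL; the non-blocking handling the reporter links to applies unchanged on top of this context.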