ç§ã¯SSL蚌ææžãšããŒã§gunicornã䜿çšããŠããŸãã TLSæ¥ç¶1.0ãæäŸããŸãã TLS 1.2ã䜿çšããããã«gunicornãæ§æããããšã¯å¯èœã§ããïŒ
ããã«ã¡ã¯@ rrajaravi ã httpïŒ //docs.gunicorn.org/en/latest/settings.html#ciphersãèšå®ããŠã¿ãŸãããïŒ
ãã³ã
ãããæ©èœãããã©ãããå€æããæ¹æ³ã¯ïŒ
ãã®åé¡ã解決ã§ããŸããïŒ
TL; DR
Gunicornã¯ä»¥äžããµããŒãããŠããããã§ãã
TLSv1
SSLv2
ãããŠããµããŒãããŠããŸããïŒ
SSLv3
SSLv23
TLSv1_1
TLSv1_2
@berkerpeksagã®ããã¥ã¡ã³ãhttp://docs.gunicorn.org/en/latest/settings.html#ciphersãæ£ãã衚瀺ãããŸããã
ssl.pyã§ãããã³ã«ãèŠã€ããŸããã Ubuntu 14.04 LTSãPython 3.5.1ãOpenSSL 1.0.1fã®ã³ãã³ãã©ã€ã³ãªãã·ã§ã³ã§æäŸãããå ŽåãTLSv1ãšSSLv2ãé€ããŠãããããæ©èœããŸããã2014幎1æ6æ¥
æ®ãã¯ãšã©ãŒã§å€±æããŸãïŒ
[2016-03-22 08:51:49 +0000] [2924] [ãšã©ãŒ]ã¯ãŒã«ãŒããã»ã¹ã®äŸå€ïŒ
ãã¬ãŒã¹ããã¯ïŒæåŸã®æåŸã®åŒã³åºãïŒïŒ
ãã¡ã€ã«ã/home/me/Envs/myproject/lib/python3.5/site-packages/gunicorn/workers/sync.pyããè¡126ããã³ãã«
self.cfg.ssl_optionsïŒwrap_socketå
ã®ãã¡ã€ã« "/usr/local/lib/python3.5/ssl.py"ãè¡1064æå·=æå·ïŒ** initã®ãã¡ã€ã« "/usr/local/lib/python3.5/ssl.py"ãè¡690
self._context.set_ciphersïŒciphersïŒ
ssl.SSLError :( 'æå·ãéžæã§ããŸããã'ãïŒ
/usr/local/lib/python3.5/ssl.py
次ã®å®æ°ã¯ãããŸããŸãªSSLãããã³ã«ããªã¢ã³ããèå¥ããŸãã
PROTOCOL_SSLv2
PROTOCOL_SSLv3
PROTOCOL_SSLv23
PROTOCOL_TLSv1
PROTOCOL_TLSv1_1
PROTOCOL_TLSv1_2
ãããããªã¢ãŒãžããŠãããŠããããšãã@ edwardotisã ããã¥ã¡ã³ããæ確ã«ããããã«ããããåéããŸãã
@berkerpeksagãé©åãªããã©ã«ãã䜿çšããŠããŸããïŒ
TLSv1
ã¯å€ãPythonããŒãžã§ã³ã§ã¯åé¡ãªãããã«èŠããŸãããããã©ã«ãå€ãSSLv23
ã«å€æŽããŠãå©çšå¯èœãªæè¯ã®ãããã³ã«ïŒã¯ã©ã€ã¢ã³ããšãµãŒããŒã®äž¡æ¹ïŒã䜿çšã§ããå¯èœæ§ããããŸãã
ãŸããGunicorn 20ã§SSLv2
ãŸãã¯SSLv3
ã䜿çšãããŠããå ŽåSSLv2
ãäŸå€ãçºçãããå¿
èŠããããšæããŸãïŒæ¬¡ã®19.xãªãªãŒã¹ã§éæšå¥šã«ãªããšäŸ¿å©ã§ãïŒã
@berkerpeksag ïŒ+1ïŒ
誰ãããããã®å€æŽãå®è£
ããŸãããïŒ ããã§ãªãå Žåã¯ãè©ŠããŠã¿ãŠPRãéããŠããã ããã°å¹žãã§ããæå·ãTLSv1.0ãè¶
ãããã®ã«èšå®ã§ããããšã¯ç§ãã¡ã«ãšã£ãŠéèŠã§ããã1ãã倧ããTLSã®ãã¹ãŠã®ããŒãžã§ã³ãèŠãããšãã§ããŸããèšå®ããªãã§ãã ãã..ããã©ã«ãã§1.0ã«æ»ããŸãïŒããã¥ã¡ã³ãã«ãªã¹ããããŠãããã®ãšããã«ãªã¹ããããŠããå®æ°ã¯åœ¹ã«ç«ã¡ãŸããã§ããïŒ- No cipher can be selected
åºåããã ãã§ã
@AndrewJHartããã¯çŽ æŽãããããšã§ãïŒ ïŒïŒ ããããšãïŒ
ä»ã®ããŒãžã§ã³ã䜿çšããããšã¯å¯èœã§ãã ã³ãã³ãã©ã€ã³ã§--ssl-version
ã«å®æ°ãæå®ããå¿
èŠããããŸãã ãããã®å®æ°ã¯ã ssl
stdlibã¢ãžã¥ãŒã«
$ python -c "import ssl; print(ssl.PROTOCOL_SSLv23)"
2
$ python -c "import ssl; print(ssl.PROTOCOL_TLSv1_2)"
5
--ssl-version 2
ãŸãã¯--ssl-version 5
ãæå®ããã ãã§ãTLS1.2æå·ããµããŒãããå¿
èŠããããŸãã
@AndrewJHartã¯ãSSLã®æ¹åã«è²¢ç®ãããå Žåã¯ãïŒ1440ã
ãŸããTLSv1ã®ä»£ããã«SSLv23å®æ°ã䜿çšããããã«gunicorn /config.pyã®ããã©ã«ãå€ãå€æŽããåçŽãªãã«ãªã¯ãšã¹ãã¯çŽ æŽãããã§ãããã
ãã¿ãŸãããïŒ1140ãšèšãã€ããã§ãã
ãã®åé¡ãåéãããçç±ãããããŸããã Gunicornã--ssl-version 2
ãã¹ããããšãããTLS1.2æå·ãæ£åžžã«æ©èœããããšãããããŸããã
ééããŸããã誀ã£ãŠééãããšæãããå Žåã¯ãå床éããŠèª¬æããŠãã ããã
ããã©ã«ãã®å€æŽã远跡ããããã«ïŒ1249ãéããŸããã
ç§ã¯ãããåéããŸããïŒ
aïŒãŠãŒã¶ãŒã¯2
ãŸãã¯5
代ããã«2
'SSLv23'
ãŸãã¯'TLSv1_2'
ãæž¡ãããšãã§ããå¿
èŠããããŸãã
bïŒPythonããã¥ã¡ã³ãã«ãªãã€ã¬ã¯ãããã®ã§ã¯ãªããå©çšå¯èœãªãªãã·ã§ã³ãææžåããå¿
èŠããããŸãã https://docs.python.org/3.5/library/ssl.htmlã¯stdlibã§æãé·ãããã¥ã¡ã³ãã®1ã€ã§ããããŠãŒã¶ãŒã¯å©çšå¯èœãªãªãã·ã§ã³ã確èªããããã ãã«å€ãã®æéãè²»ããã¹ãã§ã¯ãããŸããã
ããã¥ã¡ã³ãã©ãã«ãè¿œå ããŠãå床éããŸããã
19.5ãªãªãŒã¹ã®åïŒã€ãŸãæ°Žææ¥ã®åïŒã«éããããšãã§ããã°ãããã§äœãå¿ èŠãæããŠãã ãã:)
ããã¯ãŸã éããŠãããååä»ãå®æ°ã®ãµããŒãã®ã¿ãæäŸããŸãã
--ssl-ããŒãžã§ã³ãã©ã°ã
æã2016幎5æ2æ¥ã«ã¯ãåå5æ43ããã¯Chesneauã®[email protected]ã¯æžããŸããïŒ
19.5ãªãªãŒã¹ã®åã«éããããšãã§ããå Žåã¯ãããã§äœãå¿ èŠããæããŠãã ãã
ïŒã€ãŸããæ°Žåã«ïŒãã£ãããã§ããã:)â
é/éç¶æ ãå€æŽããããããããåãåã£ãŠããŸãã
ãã®ã¡ãŒã«ã«çŽæ¥è¿ä¿¡ããããGitHubã§è¡šç€ºããŠãã ãã
https://github.com/benoitc/gunicorn/issues/1114#issuecomment -216225302
ä»ã®ãšãã3.xããŒãžã§ã³ãå¿ããŸãããã Pythonã®ãã¹ãŠã®ããŒãžã§ã³ã§ããããµããŒãããããã«è¿œå ããå¿ èŠãããå®æ°ã¯äœã§ããïŒ
æŠå¿µå®èšŒã¯æ¬¡ã®ãšããã§ãïŒ https ïŒ
TLSã®ç¹å®ã®ç°ãªãããŒãžã§ã³ãæå¹ãŸãã¯ç¡å¹ã«ããããšã¯å¯èœã§ããïŒ ããšãã°ãå€ãããŒãžã§ã³ãç¡å¹ãŸãã¯æå¹ã«ã§ããããã«ããã®ãäžè¬çã§ãã ã--ssl-versionãã䜿çšããŠå€ãããŒãžã§ã³ãç¡å¹ã«ã§ããã®ãããããšãè€æ°å䜿çšã§ããã®ãïŒSSL3ãç¡å¹ã«ããŠTLS1.0ãç¡å¹ã«ãããªã©ïŒã¯ãããã¥ã¡ã³ãããã¯ããããŸããã
SSLContext
ã䜿çšããããã«åãæ¿ããŠãæ°ãããªãã·ã§ã³--ssl-options
SSLContext
ãè¿œå ããå¿
èŠããããšæããŸãïŒããããssl.create_default_context()
䜿çšãããããSSLv3ãšTLS 1.0ã¯ããã©ã«ãã§ç¡å¹ã«ãªããŸãïŒçµã¿åãããå€ããã--ssl-version
ãååä»ãå®æ°ãåãå
¥ãããšã¯æããªããããŠãŒã¶ãŒã¯ãããGunicornæ§æãã¡ã€ã«ã«å
¥ããããšãã§ããã
ssl_options = ssl.OP_NO_COMPRESSION | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
PROTOCOL_
*ã䜿çšããŠããããã³ã«ãšæ£ç¢ºãªããŒãžã§ã³ã®äž¡æ¹ãæå®ããããšã¯ãéæšå¥šã«ãªã£ãŠããããã§ãã ssl_options
ãçŸåšå®è£
ãããŠããªããšä»®å®ããŠãç§ã¯ïŒ1680ã調éããŸããã
ãããã誰ããç§ã®ããã«ããã€ãã®ã¬ã€ãã³ã¹ãæã£ãŠãããããããŸãããïŒ ç§ã¯ããã«ãã°ããèŠåŽããŠããŸãã ãããç§ã®ç°å¢ã§ãïŒ
Python 3.4.3
gunicorn==19.9.0
pyOpenSSL==18.0.0
cryptography==2.4.2
gunicornãã©ã°--ssl-version 5
ã䜿çšããŠããŸã
ç§ã®ãµãŒããŒã¯TLS1.2ãæäŸããŠããããã§ãããå®å
šã§ãªãæå·ã¹ã€ãŒãã倧éã«èš±å¯ãããŠããŸãã æå·ã¹ã€ãŒããå¶éããã«ã¯ã©ãããã°ããã§ããïŒ --ciphers
ãã©ã°ãè©ŠããŸããããããŸããããŸããã§ããã
ããããšãïŒ
--ssl-version 5 --ciphers ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256
ããŸãæ©èœããŸãïŒ
ãïŒopenssl s_client -connect localhostïŒ443 -cipher ECDHE-RSA-AES256-GCM-SHA384
æ¥ç¶æžã¿ïŒ00000003ïŒ
æ·±ã= 3 .. ..
ãïŒopenssl s_client -connect localhostïŒ443 -cipher DHE-RSA-AES256-GCM-SHA384
æ¥ç¶æžã¿ïŒ00000003ïŒ
140497569816640ïŒãšã©ãŒïŒ14094410 ïŒSSLã«ãŒãã³ïŒssl3_read_bytes ïŒsslv3ã¢ã©ãŒããã³ãã·ã§ã€ã¯ã®å€±æïŒ../ ssl / record / rec_layer_s3.c ïŒ1407ïŒSSLã¢ã©ãŒãçªå·40
@lemrouchã«æè¬ããŸãã ãªãããã以åç§ã«ãšã£ãŠããŸããããªãã£ãã®ãåãããŸããã ããã¯ä»ç§ã®ããã«åããŠããŸãïŒ
gunicornãã©ã¹ã³ã¢ããªã±ãŒã·ã§ã³ã§TLS1.0ã®ä»£ããã«TLS1.2ã䜿çšããã«ã¯ã©ãããã°ããã§ããïŒ å ¥åããå¿ èŠã®ããã¿ãŒããã«ã³ãã³ããŸãã¯ã³ãŒããå ±æããŠããã ããŸãããïŒ
@rkbalaããã¯ç§ã®ãã©ã¹ã³ã¢ããªã«é¢é£ããã³ãŒããã©ã®ããã«èŠãããã§ãïŒ
...
from ssl import SSLContext, PROTOCOL_TLSv1_2, OP_NO_SSLv3, OP_NO_TLSv1, OP_NO_TLSv1_1
...
ssl = SSLContext(PROTOCOL_TLSv1_2)
ssl.set_ciphers('ECDH+AES256:ECDH+AES128:' +
'!aNULL:!eNULL:!MD5:!DSS:!RC4:!SSLv2:!SSLv3:!TLSv1')
ssl.options |= OP_NO_SSLv3
ssl.options |= OP_NO_TLSv1
ssl.options |= OP_NO_TLSv1_1
ssl.load_cert_chain('/etc/letsencrypt/live/fullchain.pem',
'/etc/letsencrypt/live/privkey.pem')
...
if __name__ == '__main__':
app.run(host='0.0.0.0', port='443', ssl_context=ssl)
@rkbalaããã¯ç§ã®ãã©ã¹ã³ã¢ããªã«é¢é£ããã³ãŒããã©ã®ããã«èŠãããã§ãïŒ
... from ssl import SSLContext, PROTOCOL_TLSv1_2, OP_NO_SSLv3, OP_NO_TLSv1, OP_NO_TLSv1_1 ... ssl = SSLContext(PROTOCOL_TLSv1_2) ssl.set_ciphers('ECDH+AES256:ECDH+AES128:' + '!aNULL:!eNULL:!MD5:!DSS:!RC4:!SSLv2:!SSLv3:!TLSv1') ssl.options |= OP_NO_SSLv3 ssl.options |= OP_NO_TLSv1 ssl.options |= OP_NO_TLSv1_1 ssl.load_cert_chain('/etc/letsencrypt/live/fullchain.pem', '/etc/letsencrypt/live/privkey.pem') ... if __name__ == '__main__': app.run(host='0.0.0.0', port='443', ssl_context=ssl)
@pixelrebelããããšãããããŸã!! è©ŠããŠã¿ãŠãç¥ããããŸãã
ãã®ssl.options | = OP_NO_ *ã¯ã©ãããæå³ã§ããïŒ
æå·ãå€æŽã§ããŸããïŒ ãŸãã¯ãäžèšã®set_ciphersã¯ã©ã³ãã æå·ãèšå®ããŸããïŒ
@rkbalaãªããããåäœã®æŒç®ãå¿ èŠã ã£ãã®ãæãåºããŸããã ããã¯å¿ èŠã§ã¯ãªããããããŸãã...ãã¹ããã䟡å€ããããŸãã
æå·ãTLS1.2ãšäºææ§ã®ãããã®ã«å€æŽã§ããŸãã ç§ã®å Žåãç§ã®ã¢ããªã¯Slackãéä¿¡ããããã®APIãæäŸããŸãã ãããã£ãŠãSlackbotã䜿çšããæå·ããµããŒãããã ãã§æžã¿ãŸããã
@rkbala IOã¯ããªããã®æ§æãå¿ èŠãªã®ãèŠããŠããªãããšãæ確ã«ããå¿ èŠããããŸãããåœæã¯ãã¢ããªãTLS1.2ã®ã¿ã䜿çšãããã以åã®ããŒãžã§ã³ã䜿çšããªãããã«ãOP_NO_ *ãªãã·ã§ã³ãæ瀺çã«æå®ããå¿ èŠããã£ããšæããŸãã
@rkbalaãªããããåäœã®æŒç®ãå¿ èŠã ã£ãã®ãæãåºããŸããã ããã¯å¿ èŠã§ã¯ãªããããããŸãã...ãã¹ããã䟡å€ããããŸãã
æå·ãTLS1.2ãšäºææ§ã®ãããã®ã«å€æŽã§ããŸãã ç§ã®å Žåãç§ã®ã¢ããªã¯Slackãéä¿¡ããããã®APIãæäŸããŸãã ãããã£ãŠãSlackbotã䜿çšããæå·ããµããŒãããã ãã§æžã¿ãŸããã
ãããããé¡ãããŸãã æå®ããªãå Žåãgunicornã¯ããã©ã«ãã®Pythonæå·ã䜿çšãããšæããŸãã ç§ãééã£ãŠããå Žåã¯ç§ãèšæ£ããŠãã ããã
ãŸããäžèšã®ãã©ã¹ã³ã³ãŒãã«ãããgunicornã¯TLSv1.2ã§ã®ã¿ãã©ã¹ã³ã¢ããªãèµ·åããŸããïŒ è³ªåã¯ãgunicornãä»ããŠflaskã¢ããªãå®è¡ãããããã§ãã ä»æ¥ãgunicornã¿ãŒããã«ã³ãã³ããgunicornâssl-version TLSV1_2 projectïŒapp ããtlsv1.2ã§flaskã¢ããªãèµ·åããããšãç¥ããŸããã ã©ã¡ãã®æ¹æ³ãããå¹ççã§ããïŒ
ã¯ããããã¯TLS1.2ã®ã¿ãè¡ããŸãã ãã以å€ã¯ãã¹ãŠéæšå¥šã®AFAIKã§ãã åãå¹æããããšæããŸãããã³ãã³ãã©ã€ã³ãªãã·ã§ã³ã䜿çšãããšãã¹ã¯ãªããã®ãªãã·ã§ã³ãäžæžãããããšæããŸãã ç§ã¯æ±ºããŠgunicornã®å°é家ã§ã¯ãããŸããã ã ããç§ã®ã¢ããã€ã¹ãäžç²ã®å¡©ã§åãæ¢ããŠãã ããã
ã¯ããããã¯TLS1.2ã®ã¿ãè¡ããŸãã ãã以å€ã¯ãã¹ãŠéæšå¥šã®AFAIKã§ãã åãå¹æããããšæããŸãããã³ãã³ãã©ã€ã³ãªãã·ã§ã³ã䜿çšãããšãã¹ã¯ãªããã®ãªãã·ã§ã³ãäžæžãããããšæããŸãã ç§ã¯æ±ºããŠgunicornã®å°é家ã§ã¯ãããŸããã ã ããç§ã®ã¢ããã€ã¹ãäžç²ã®å¡©ã§åãæ¢ããŠãã ããã
ããããšã@pixelrebelç§ã¯ãã®éšåãæ¢æ±ããŸãã