From 0bae08571a45caff204a9e9e1637aa7381eca115 Mon Sep 17 00:00:00 2001
From: Yann Leboulanger
Date: Tue, 5 Nov 2013 11:21:56 +0100
Subject: [PATCH] [fedor] improve Jingle XTLS security. Fixes #7544
---
src/common/jingle_xtls.py | 19 ++++++++++++-------
1 file changed, 12 insertions(+), 7 deletions(-)
diff --git a/src/common/jingle_xtls.py b/src/common/jingle_xtls.py
index 39d62bca6..6f708cc3e 100644
--- a/src/common/jingle_xtls.py
+++ b/src/common/jingle_xtls.py
@@ -92,7 +92,10 @@ def get_context(fingerprint, verify_cb=None):
"""
constructs and returns the context objects
"""
- ctx = SSL.Context(SSL.TLSv1_METHOD)
+ ctx = SSL.Context(SSL.SSLv23_METHOD)
+ flags = (SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3 | SSL.OP_SINGLE_DH_USE)
+ ctx.set_options(flags)
+ ctx.set_cipher_list('HIGH:!aNULL:!eNULL')
if fingerprint == 'server':
# for testing purposes only
ctx.set_verify(SSL.VERIFY_NONE|SSL.VERIFY_FAIL_IF_NO_PEER_CERT,
@@ -174,12 +177,12 @@ def createKeyPair(type, bits):
pkey.generate_key(type, bits)
return pkey
-def createCertRequest(pkey, digest="md5", **name):
+def createCertRequest(pkey, digest="sha1", **name):
"""
Create a certificate request.
Arguments: pkey - The key to associate with the request
- digest - Digestion method to use for signing, default is md5
+ digest - Digestion method to use for signing, default is sha1
**name - The name of the subject of the request, possible
arguments are:
C - Country name
@@ -201,7 +204,7 @@ def createCertRequest(pkey, digest="md5", **name):
req.sign(pkey, digest)
return req
-def createCertificate(req, (issuerCert, issuerKey), serial, (notBefore, notAfter), digest="md5"):
+def createCertificate(req, (issuerCert, issuerKey), serial, (notBefore, notAfter), digest="sha1"):
"""
Generate a certificate given a certificate request.
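Review bot: In get_context, `SSL.SSLv23_METHOD` reads as if it selects SSLv2/SSLv3, so the new lines need a comment saying it is the version-negotiating method and that the old protocols are turned off by the options that follow, e.g. `# SSLv23_METHOD negotiates the highest common version; SSLv2/SSLv3 are disabled via set_options below`. The cipher string `'HIGH:!aNULL:!eNULL'` can still admit 3DES on OpenSSL builds that class it as HIGH; `'HIGH:!aNULL:!eNULL:!3DES'` would exclude it. `OP_SINGLE_DH_USE` presumably only matters if DH parameters are loaded into the context, which this hunk does not show. The function body continues past the end of the hunk.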
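Review bot: The new default `digest="sha1"` in createCertRequest is still a deprecated hash for certificate signatures; since the default is being changed anyway, `digest="sha256"` would be the safer choice, provided the OpenSSL builds this project supports accept it. The same applies to the createCertificate signature in the @@ -201 hunk, and the docstring lines in this hunk and in the @@ -213 hunk would then read `default is sha256`. make_certs calls both functions without a digest argument, so this default is what signs the generated certificate.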
@@ -213,7 +216,7 @@ def createCertificate(req, (issuerCert, issuerKey), serial, (notBefore, notAfter
starts being valid
notAfter - Timestamp (relative to now) when the certificate
stops being valid
- digest - Digest method to use for signing, default is md5
+ digest - Digest method to use for signing, default is sha1
Returns: The signed certificate in an X509 object
"""
cert = crypto.X509()
@@ -233,10 +236,12 @@ def make_certs(filepath, CN):
and '.cert' extensions
CN : common name
"""
- key = createKeyPair(TYPE_RSA, 1024)
+ key = createKeyPair(TYPE_RSA, 4096)
req = createCertRequest(key, CN=CN)
cert = createCertificate(req, (req, key), 0, (0, 60*60*24*365*5)) # five years
- open(filepath + '.pkey', 'w').write(crypto.dump_privatekey(
+ private_key_file = open(filepath + '.pkey', 'w')
+ os.chmod(filepath + '.pkey', 0600)
+ private_key_file.write(crypto.dump_privatekey(
crypto.FILETYPE_PEM, key))
open(filepath + '.cert', 'w').write(crypto.dump_certificate(
crypto.FILETYPE_PEM, cert))
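Review bot: In make_certs the key file is created by `open()` with umask-default permissions and only afterwards restricted with `os.chmod`, so for a short window another local user can open the `.pkey` file and keep a descriptor that stays readable once the key is written; creating the file through `os.open` with mode 0600 closes that window. `private_key_file` is also never closed explicitly, so the write is only flushed when the object is collected. The hunk does not show an `import os`, so confirm the module already imports it. The function begins above the hunk.
```python
    cert = createCertificate(req, (req, key), 0, (0, 60*60*24*365*5)) # five years
    key_path = filepath + '.pkey'
    # Create the file owner-only from the start instead of tightening it afterwards.
    fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0600)
    private_key_file = os.fdopen(fd, 'w')
    try:
        # The mode given to os.open() is ignored when the file already exists.
        os.chmod(key_path, 0600)
        private_key_file.write(crypto.dump_privatekey(
            crypto.FILETYPE_PEM, key))
    finally:
        private_key_file.close()
    # … unchanged: writing the '.cert' file …
```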