Browse Source

Merge pull request #18500 from sledgehammer999/tls_webui

Harden the SSL/TLS web server
adaptive-webui-19844
sledgehammer999 2 years ago committed by GitHub
parent
commit
22ea508ff6
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
  1. 26
      src/base/http/server.cpp

26
src/base/http/server.cpp

@ -56,10 +56,33 @@ namespace
QList<QSslCipher> safeCipherList() QList<QSslCipher> safeCipherList()
{ {
const QStringList badCiphers {u"idea"_qs, u"rc4"_qs}; const QStringList badCiphers {u"idea"_qs, u"rc4"_qs};
// Contains Ciphersuites that use RSA for the Key Exchange but they don't mention it in their name
const QStringList badRSAShorthandSuites {
u"AES256-GCM-SHA384"_qs, u"AES128-GCM-SHA256"_qs, u"AES256-SHA256"_qs,
u"AES128-SHA256"_qs, u"AES256-SHA"_qs, u"AES128-SHA"_qs};
// Contains Ciphersuites that use AES CBC mode but they don't mention it in their name
const QStringList badAESShorthandSuites {
u"ECDHE-ECDSA-AES256-SHA384"_qs, u"ECDHE-RSA-AES256-SHA384"_qs, u"DHE-RSA-AES256-SHA256"_qs,
u"ECDHE-ECDSA-AES128-SHA256"_qs, u"ECDHE-RSA-AES128-SHA256"_qs, u"DHE-RSA-AES128-SHA256"_qs,
u"ECDHE-ECDSA-AES256-SHA"_qs, u"ECDHE-RSA-AES256-SHA"_qs, u"DHE-RSA-AES256-SHA"_qs,
u"ECDHE-ECDSA-AES128-SHA"_qs, u"ECDHE-RSA-AES128-SHA"_qs, u"DHE-RSA-AES128-SHA"_qs};
const QList<QSslCipher> allCiphers {QSslConfiguration::supportedCiphers()}; const QList<QSslCipher> allCiphers {QSslConfiguration::supportedCiphers()};
QList<QSslCipher> safeCiphers; QList<QSslCipher> safeCiphers;
std::copy_if(allCiphers.cbegin(), allCiphers.cend(), std::back_inserter(safeCiphers), [&badCiphers](const QSslCipher &cipher) std::copy_if(allCiphers.cbegin(), allCiphers.cend(), std::back_inserter(safeCiphers),
[&badCiphers, &badRSAShorthandSuites, &badAESShorthandSuites](const QSslCipher &cipher)
{ {
const QString name = cipher.name();
if (name.contains(u"-cbc-"_qs, Qt::CaseInsensitive) // AES CBC mode is considered vulnerable to BEAST attack
|| name.startsWith(u"adh-"_qs, Qt::CaseInsensitive) // Key Exchange: Diffie-Hellman, doesn't support Perfect Forward Secrecy
|| name.startsWith(u"aecdh-"_qs, Qt::CaseInsensitive) // Key Exchange: Elliptic Curve Diffie-Hellman, doesn't support Perfect Forward Secrecy
|| name.startsWith(u"psk-"_qs, Qt::CaseInsensitive) // Key Exchange: Pre-Shared Key, doesn't support Perfect Forward Secrecy
|| name.startsWith(u"rsa-"_qs, Qt::CaseInsensitive) // Key Exchange: Rivest Shamir Adleman (RSA), doesn't support Perfect Forward Secrecy
|| badRSAShorthandSuites.contains(name, Qt::CaseInsensitive)
|| badAESShorthandSuites.contains(name, Qt::CaseInsensitive))
{
return false;
}
return std::none_of(badCiphers.cbegin(), badCiphers.cend(), [&cipher](const QString &badCipher) return std::none_of(badCiphers.cbegin(), badCiphers.cend(), [&cipher](const QString &badCipher)
{ {
return cipher.name().contains(badCipher, Qt::CaseInsensitive); return cipher.name().contains(badCipher, Qt::CaseInsensitive);
@ -78,6 +101,7 @@ Server::Server(IRequestHandler *requestHandler, QObject *parent)
setProxy(QNetworkProxy::NoProxy); setProxy(QNetworkProxy::NoProxy);
QSslConfiguration sslConf {QSslConfiguration::defaultConfiguration()}; QSslConfiguration sslConf {QSslConfiguration::defaultConfiguration()};
sslConf.setProtocol(QSsl::TlsV1_2OrLater);
sslConf.setCiphers(safeCipherList()); sslConf.setCiphers(safeCipherList());
QSslConfiguration::setDefaultConfiguration(sslConf); QSslConfiguration::setDefaultConfiguration(sslConf);

Loading…
Cancel
Save