From reading the uwsgi source code, it looks like SSLv2 is automatically disabled, and that SSLv3 can be disabled using the "ssl-enable3" configuration option. The optional ciphers string, while useful, cannot really be used for whitelisting (or disabling) the SSL/TLS protocol versions used by uwsgi, only the cipher suites.
To see that SSLv2 support is disabled, we start with the uwsgi_opt_https function, which parses the "https" option. After parsing the certificate, key, cipher suite, etc., this function calls uwsgi_ssl_new_server_context.
The uwsgi_ssl_new_server_context function is defined here. Of particular interest are the default SSL option flags, which include SSL_OP_NO_SSLv2. And, most interestingly, we see that the SSL_OP_NO_SSLv3 option flag (for disabling SSLv3 support) will also be used, but only if this uwsgi.sslv3 variable is set to false.
How can uwsgi.sslv3 be set to false? For that, we see here that there is an "ssl-enable3" option that you can set in the uwsgi configuration:

    [uwsgi]
    ...
    ssl-enable3 = false
Now, for bonus points, you might also want to disable TLSv1, and whitelist just TLSv1.1 and TLSv1.2. For accomplishing this, you'd have to do the above and use the "ssl-option" configuration option, e.g.:

    [uwsgi]
    ...
    ssl-enable3 = false
    ssl-option = 67108864
How did I come up with that magic number "67108864"? The "ssl-option" option takes a number, not a string. Thus we need to find the name of the OpenSSL flag we want to set, then determine the numeric value of that flag.

So first I had to look at the OpenSSL SSL_CTX_set_options documentation to see that I wanted the value of the SSL_OP_NO_TLSv1 flag. The numeric value is found in the OpenSSL source code: 0x04000000U. But uwsgi wants an integer value for "ssl-option", not hexadecimal, thus:

    $ perl -e 'print int(0x04000000), "\n";'
    67108864
Hope this helps!
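As an added example (not part of the answer above, and not uwsgi's own code), the following Python script does the same flag-to-integer conversion the answer does by hand, but for any combination of protocol versions, and also goes the other way: given an existing "ssl-option" value from a uwsgi config, it reports which protocol versions that value still leaves enabled. It relies on the SSL_OP_NO_* constants exposed by Python's standard ssl module, which mirror the OpenSSL header values the answer refers to (SSL_OP_NO_TLSv1 = 0x04000000). The function and variable names are my own.

```python
import ssl

# Protocol version -> OpenSSL SSL_OP_NO_* flag, taken from Python's ssl module
# (assumption: these mirror the values in OpenSSL's ssl.h, e.g. 0x04000000 for TLSv1).
PROTO_FLAGS = {
    "SSLv3": int(ssl.OP_NO_SSLv3),
    "TLSv1": int(ssl.OP_NO_TLSv1),
    "TLSv1.1": int(ssl.OP_NO_TLSv1_1),
    "TLSv1.2": int(ssl.OP_NO_TLSv1_2),
}


def ssl_option_value(disabled):
    """Return the decimal integer for uwsgi's "ssl-option" that disables
    every protocol version named in `disabled` (bitwise OR of the flags)."""
    value = 0
    for name in disabled:
        value |= PROTO_FLAGS[name]
    return value


def enabled_protocols(ssl_option, ssl_enable3=True):
    """Audit helper: given an existing "ssl-option" integer (and whether
    "ssl-enable3" is left at true), list the protocol versions still enabled."""
    enabled = [name for name, flag in PROTO_FLAGS.items() if not (ssl_option & flag)]
    # SSLv3 is governed by "ssl-enable3" as well as by SSL_OP_NO_SSLv3 in ssl-option.
    if not ssl_enable3 and "SSLv3" in enabled:
        enabled.remove("SSLv3")
    return enabled


def render_uwsgi_section(disabled):
    """Render the [uwsgi] config lines for the requested set of disabled
    versions: SSLv3 via "ssl-enable3", the TLS versions via "ssl-option"."""
    lines = ["[uwsgi]"]
    if "SSLv3" in disabled:
        lines.append("ssl-enable3 = false")
    tls_only = [name for name in disabled if name != "SSLv3"]
    if tls_only:
        lines.append("ssl-option = %d" % ssl_option_value(tls_only))
    return "\n".join(lines)


if __name__ == "__main__":
    # Reproduces the answer's config: SSLv3 off via ssl-enable3, TLSv1 off via ssl-option.
    print(render_uwsgi_section(["SSLv3", "TLSv1"]))
    # Audit the answer's value: which versions does ssl-option = 67108864 leave on?
    print(enabled_protocols(67108864, ssl_enable3=False))
```

Running it prints the same "ssl-option = 67108864" the answer derived with perl, and the audit call shows that with "ssl-enable3 = false" plus that value only TLSv1.1 and TLSv1.2 remain enabled. To tighten further (for example disabling TLSv1.1 too), pass the extra version name to ssl_option_value instead of hand-computing another magic number.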