From 4348d9160bf3c01601d256d62e09b3c2fe001cec Mon Sep 17 00:00:00 2001 From: Jarrod Johnson Date: Wed, 26 Aug 2020 09:43:55 -0400 Subject: [PATCH] Provide ability for config file to specify cipher list The default set of TLS 1.3 and TLS1.2 restricted ciphers are generally considered strong today, but for future or special circumstances, provide ability to override the defaults. --- confluent_server/confluent/sockapi.py | 21 ++++++++++----------- 1 file changed, 10 insertions(+), 11 deletions(-) diff --git a/confluent_server/confluent/sockapi.py b/confluent_server/confluent/sockapi.py index 623b33f7..96df5045 100644 --- a/confluent_server/confluent/sockapi.py +++ b/confluent_server/confluent/sockapi.py @@ -38,6 +38,7 @@ import eventlet import confluent.auth as auth import confluent.credserver as credserver +import confluent.config.conf as conf import confluent.tlvdata as tlvdata import confluent.consoleserver as consoleserver import confluent.config.configmanager as configmanager @@ -371,15 +372,19 @@ if ffi: def _tlsstartup(cnn): authname = None cert = None + conf.init_config() + configfile = conf.get_config() + if configfile.has_option('security', 'cipher_list'): + ciphers = configfile.get('security', 'cipher_list') + else: + ciphers = 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384' if libssl: # most fully featured SSL function ctx = libssl.Context(libssl.SSLv23_METHOD) ctx.set_options(libssl.OP_NO_SSLv2 | libssl.OP_NO_SSLv3 | libssl.OP_NO_TLSv1 | libssl.OP_NO_TLSv1_1 | libssl.OP_CIPHER_SERVER_PREFERENCE) - ctx.set_cipher_list( - 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:' - 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384') + ctx.set_cipher_list(ciphers) ctx.set_tmp_ecdh(crypto.get_elliptic_curve('secp384r1')) ctx.use_certificate_file('/etc/confluent/srvcert.pem') ctx.use_privatekey_file('/etc/confluent/privkey.pem') 
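Review bot: The value read from `[security] cipher_list` is handed to `set_cipher_list`/`set_ciphers` unvalidated, so an empty value or a typo is not detected until a client connects, at which point OpenSSL rejects the string inside `_tlsstartup` and every TLS session fails with an error that does not mention the config key; validating the string once at startup (or catching the error here and logging that `security.cipher_list` is unusable) would make that failure mode obvious. Since `_tlsstartup` runs per connection, `conf.init_config()` and `conf.get_config()` are now also called per connection — if `init_config` re-parses the file (not visible here), the lookup belongs at module load instead. Note as well that `SSL_CTX_set_cipher_list`, which both calls map to, governs only TLS 1.2 and earlier suites, while this context still permits TLS 1.3, whose suites are unaffected by the override; an operator who sets `cipher_list` expecting to restrict all negotiated suites should be told so in a comment above the default, e.g. `# cipher_list covers only TLS 1.2 suites; TLS 1.3 ciphersuites are not affected by this setting`. The body of `_tlsstartup` continues past the end of this hunk.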
@@ -397,18 +402,12 @@ def _tlsstartup(cnn): ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 ctx.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1 ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE - ctx.set_ciphers( - 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:' - 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384') + ctx.set_ciphers(ciphers) ctx.load_cert_chain('/etc/confluent/srvcert.pem', '/etc/confluent/privkey.pem') cnn = ctx.wrap_socket(cnn, server_side=True) except AttributeError: - # Python 2.6 era, go with best effort - cnn = ssl.wrap_socket(cnn, keyfile="/etc/confluent/privkey.pem", - certfile="/etc/confluent/srvcert.pem", - ssl_version=ssl.PROTOCOL_TLSv1, - server_side=True) + raise Exception('Unable to find workable SSL support') sessionhdl(cnn, authname, cert=cert) def removesocket():
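Review bot: The new `raise Exception('Unable to find workable SSL support')` in the `except AttributeError:` handler reports any `AttributeError` raised anywhere in the preceding `try` (whose start is outside this hunk) as missing SSL support, so a real bug such as `configfile` being `None` or a misspelled `ctx` attribute is mislabeled and its traceback lost. Dropping the TLSv1-only `ssl.wrap_socket` fallback is the right call, as it silently downgraded to TLS 1.0 with default ciphers, but the capability check should be explicit and up front rather than inferred from an `AttributeError`, e.g. `if not hasattr(ssl, 'SSLContext'): raise RuntimeError('Unable to find workable SSL support')` before the context is built, with the handler removed (or, if kept, re-raising the original error). A specific type such as `RuntimeError` also lets callers distinguish this condition from arbitrary failures. The enclosing `_tlsstartup` begins before this hunk.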