From 94b55efef3bf1728eb2dcdec9457d4d9beef7f4a Mon Sep 17 00:00:00 2001
From: Hmmbob <33529490+hmmbob@users.noreply.github.com>
Date: Fri, 29 Jun 2018 23:18:44 +0200
Subject: [PATCH] Stop supporting deprecated TLS ciphers (#15217)

* Stop supporting deprecated TLS ciphers
* Lint
---
 homeassistant/components/http/__init__.py | 24 +++++++++--------------
 1 file changed, 9 insertions(+), 15 deletions(-)

diff --git a/homeassistant/components/http/__init__.py b/homeassistant/components/http/__init__.py
index 9d43a741ba5..485433434fd 100644
--- a/homeassistant/components/http/__init__.py
+++ b/homeassistant/components/http/__init__.py
@@ -51,24 +51,18 @@ CONF_IP_BAN_ENABLED = 'ip_ban_enabled'
 
 # TLS configuration follows the best-practice guidelines specified here:
 # https://wiki.mozilla.org/Security/Server_Side_TLS
-# Intermediate guidelines are followed.
-SSL_VERSION = ssl.PROTOCOL_SSLv23
-SSL_OPTS = ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
+# Modern guidelines are followed.
+SSL_VERSION = ssl.PROTOCOL_TLS # pylint: disable=no-member
+SSL_OPTS = ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 | \
+ ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1 | \
+ ssl.OP_CIPHER_SERVER_PREFERENCE
 if hasattr(ssl, 'OP_NO_COMPRESSION'):
 SSL_OPTS |= ssl.OP_NO_COMPRESSION
 
-CIPHERS = "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:" \
+CIPHERS = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:" \
+ "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:" \
 "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:" \
- "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:" \
- "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:" \
- "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:" \
- "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:" \
- "ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:" \
- "ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:" \
- "DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:" \
- "DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:" \
- "ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:" \
- "AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:" \
- "AES256-SHA:DES-CBC3-SHA:!DSS"
+ "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:" \
+ "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
 
 _LOGGER = logging.getLogger(__name__)
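Review bot: The new SSL_OPTS reads ssl.OP_NO_TLSv1 and ssl.OP_NO_TLSv1_1 unconditionally while the adjacent OP_NO_COMPRESSION flag is still guarded by hasattr, so the hunk now implies a minimum ssl-module version that is stated nowhere; the pylint no-member disable on PROTOCOL_TLS points at the same concern. Either guard all of the version-dependent flags the same way or record the assumption next to the constants, e.g. `# Assumes an ssl module that exposes PROTOCOL_TLS and OP_NO_TLSv1_1; with these flags only TLS 1.2 remains negotiable.` The replaced line `# Modern guidelines are followed.` should also spell out the trade-off the commit makes: clients limited to TLS 1.0/1.1, or without ECDHE support, can no longer connect, which is a deliberate compatibility cut that future maintainers will otherwise have to rediscover. The code that applies SSL_VERSION, SSL_OPTS and CIPHERS to a context lies outside this hunk, so whether it sets anything beyond these OP_NO_* flags could not be checked here.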