Stop supporting deprecated TLS ciphers (#15217)

* Stop supporting deprecated TLS ciphers

* Lint

homeassistant/components/http/__init__.py

@@ -51,24 +51,18 @@ CONF_IP_BAN_ENABLED = 'ip_ban_enabled'
 
 # TLS configuration follows the best-practice guidelines specified here:
 # https://wiki.mozilla.org/Security/Server_Side_TLS
-# Intermediate guidelines are followed.
-SSL_VERSION = ssl.PROTOCOL_SSLv23
-SSL_OPTS = ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
+# Modern guidelines are followed.
+SSL_VERSION = ssl.PROTOCOL_TLS  # pylint: disable=no-member
+SSL_OPTS = ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 | \
+           ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1 | \
+           ssl.OP_CIPHER_SERVER_PREFERENCE
 if hasattr(ssl, 'OP_NO_COMPRESSION'):
     SSL_OPTS |= ssl.OP_NO_COMPRESSION
-CIPHERS = "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:" \
+CIPHERS = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:" \
+          "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:" \
           "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:" \
-          "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:" \
-          "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:" \
-          "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:" \
-          "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:" \
-          "ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:" \
-          "ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:" \
-          "DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:" \
-          "DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:" \
-          "ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:" \
-          "AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:" \
-          "AES256-SHA:DES-CBC3-SHA:!DSS"
+          "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:" \
+          "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
 
 _LOGGER = logging.getLogger(__name__)