Require ECDH key exchange & remove dh_params (#4429)

* remove dh_params and set better cipher string
author: Amber Brown <hawkowl@atleastfornow.net> 2019-01-22 21:58:50 +1100
committer: GitHub <noreply@github.com> 2019-01-22 21:58:50 +1100
commit: 23b08135998e932d5d600941bd42389db0628a11 (patch)
tree: cea4e213399995b4393541fb70d46cd05e399df1 /synapse/crypto
parent: Merge pull request #4402 from matrix-org/erikj/fed_v2_invite_server (diff)
download: synapse-23b08135998e932d5d600941bd42389db0628a11.tar.xz
1 files changed, 4 insertions, 2 deletions
diff --git a/synapse/crypto/context_factory.py b/synapse/crypto/context_factory.py
index 02b76dfcfb..6ba3eca7b2 100644
--- a/synapse/crypto/context_factory.py
+++ b/synapse/crypto/context_factory.py
@@ -46,8 +46,10 @@ class ServerContextFactory(ContextFactory):
         if not config.no_tls:
             context.use_privatekey(config.tls_private_key)
 
-        context.load_tmp_dh(config.tls_dh_params_path)
-        context.set_cipher_list("!ADH:HIGH+kEDH:!AECDH:HIGH+kEECDH")
+        # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
+        context.set_cipher_list(
+            "ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES256:ECDH+AES128:!aNULL:!SHA1"
+        )
 
     def getContext(self):
         return self._context
author	Amber Brown <hawkowl@atleastfornow.net>	2019-01-22 21:58:50 +1100
committer	GitHub <noreply@github.com>	2019-01-22 21:58:50 +1100
commit	23b08135998e932d5d600941bd42389db0628a11 (patch)
tree	cea4e213399995b4393541fb70d46cd05e399df1 /synapse/crypto
parent	Merge pull request #4402 from matrix-org/erikj/fed_v2_invite_server (diff)
download	synapse-23b08135998e932d5d600941bd42389db0628a11.tar.xz