Disallow unsecure TLS ciphers.

wireapp · Sep 10, 2018 · af8299d · af8299d
1 parent a4779b3
commit af8299d
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 1 deletion.
diff --git a/services/spar/package.yaml b/services/spar/package.yaml
@@ -23,7 +23,7 @@ dependencies:
   - bytestring-conversion
   - case-insensitive
   - cassandra-util
-  - connection
+  - connection >= 0.3
   - containers
   - cookie
   - cryptonite
@@ -51,6 +51,7 @@ dependencies:
   - text
   - time
   - tinylog
+  - tls
   - transformers
   - types-common
   - uri-bytestring

diff --git a/services/spar/src/Spar/Run.hs b/services/spar/src/Spar/Run.hs
@@ -43,6 +43,7 @@ import qualified Cassandra.Schema as Cas
 import qualified Cassandra.Settings as Cas
 import qualified Network.Connection as TLS
 import qualified Network.HTTP.Client.TLS as TLS
+import qualified Network.TLS.Extra.Cipher as TLS
 import qualified Network.Wai.Handler.Warp as Warp
 import qualified Network.Wai.Utilities.Server as WU
 import qualified SAML2.WebSSO as SAML
@@ -127,6 +128,7 @@ sparManager disableCertificateValidation = newManager (TLS.mkManagerSettings tls
   where
     tlss = TLS.TLSSettingsSimple
       { TLS.settingDisableCertificateValidation = disableCertificateValidation
+      , TLS.settingSupportedCiphers = TLS.ciphersuite_default  -- this is why we are pinned to https://github.com/vincenthz/hs-connection/pull/34
       , TLS.settingDisableSession = False
       , TLS.settingUseServerName = False
       }

diff --git a/stack.yaml b/stack.yaml
@@ -78,6 +78,10 @@ packages:
     git: https://github.com/wireapp/hspec-wai
     commit: ca10d13deab929f1cc3a569abea2e7fbe35fdbe3  # https://github.com/hspec/hspec-wai/pull/49
   extra-dep: true
+- location:
+    git: https://github.com/wireapp/hs-connection
+    commit: efa861d210eec95a4124a1c961bf961694539fa9  # https://github.com/vincenthz/hs-connection/pull/34
+  extra-dep: true
 
 extra-deps:
 - base-prelude-1.3