Specifying SSL Ciphers
39 views
Skip to first unread message
![Wood, Rohn (NIH/NIAID) [C]'s profile photo](http://lh3.googleusercontent.com/a-/ALV-UjUZ08iUWaZfeE9ZzjSOZvLVgM2gQS_OMiBiodOEZLAh15iyMM5k=s40-c)
Wood, Rohn (NIH/NIAID) [C]
Nov 27, 2017, 5:59:11 PM11/27/17
to jup...@googlegroups.com
et al,
What is the best method for specyfing a cipher list to the nodejs configurable proxy? I noted that jupyterhub proxy.py script invokes the proxy and it appears to parse the /jupyter_hub.config file for related ssl parameters and invoke them if present. At this point, I can only add a ciphers list via:
cmd = self.command + [
'--ip', public_server.ip,
'--port', str(public_server.port),
'--api-ip', api_server.ip,
'--api-port', str(api_server.port),
'--error-target', url_path_join(self.hub.url, 'error'),
'--ssl-ciphers', 'EDH+aRSA+AESGCM:EDH+aRSA+AES:EECDH+aRSA+AESGCM:EECDH+aRSA+AES:-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:RSA+AESGCM:RSA+AES+SHA256:RSA+AES+SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA'
It would preferable to have this passed from the jupyterhub_config file, ala,
c.JupyterHub.ssl_ciphers = 'EDH+aRSA+AESGCM:EDH+aRSA+AES:EECDH+aRSA+AESGCM:EECDH+aRSA+AES:-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:RSA+AESGCM:RSA+AES+SHA256:RSA+AES+SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA'
and have the proxy.py script parse it out, via:
if self.ssl_ciphers:
cmd.extend(['--ssl-ciphers','EDH+aRSA+AESGCM:EDH+aRSA+AES:EECDH+aRSA+AESGCM:EECDH+aRSA+AES:-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:RSA+AESGCM:RSA+AES+SHA256:RSA+AES+SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA'])
I did try this -- but was unsuccessful (to date).
Still, am I missing something obvious that more reliably survive a code update?
Thanks!
ROhn
---
Rohn J. Wood, MPA, Contractor
Senior Systems Engineer, Unix System Administrator Consultant
Global Biomedical Research Support Program (GBRSP/OCICB)
NIAID\NIH\DHHS
Rocky Mountain Laboratories
Bldg. 28 Rm. 1B108A
903 S. 4th St.
Hamilton, MT 59840
406.363.9433 FAX: 406.363.9388
SRA International Inc, a CSRA company
******************************************************************
The information in this e-mail and any of its attachments is confidential and may contain sensitive information. It should not be used by anyone who is not the original intended recipient. If you have received this e-mail in error please inform the sender and delete it from your mailbox or any other storage devices. National Institute of Allergy and Infectious Diseases shall not accept liability for any statements made that are sender's own and not expressly made on behalf of the NIAID by one of its representatives.
******************************************************************
What is the best method for specyfing a cipher list to the nodejs configurable proxy? I noted that jupyterhub proxy.py script invokes the proxy and it appears to parse the /jupyter_hub.config file for related ssl parameters and invoke them if present. At this point, I can only add a ciphers list via:
cmd = self.command + [
'--ip', public_server.ip,
'--port', str(public_server.port),
'--api-ip', api_server.ip,
'--api-port', str(api_server.port),
'--error-target', url_path_join(self.hub.url, 'error'),
'--ssl-ciphers', 'EDH+aRSA+AESGCM:EDH+aRSA+AES:EECDH+aRSA+AESGCM:EECDH+aRSA+AES:-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:RSA+AESGCM:RSA+AES+SHA256:RSA+AES+SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA'
It would preferable to have this passed from the jupyterhub_config file, ala,
c.JupyterHub.ssl_ciphers = 'EDH+aRSA+AESGCM:EDH+aRSA+AES:EECDH+aRSA+AESGCM:EECDH+aRSA+AES:-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:RSA+AESGCM:RSA+AES+SHA256:RSA+AES+SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA'
and have the proxy.py script parse it out, via:
if self.ssl_ciphers:
cmd.extend(['--ssl-ciphers','EDH+aRSA+AESGCM:EDH+aRSA+AES:EECDH+aRSA+AESGCM:EECDH+aRSA+AES:-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:RSA+AESGCM:RSA+AES+SHA256:RSA+AES+SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA'])
I did try this -- but was unsuccessful (to date).
Still, am I missing something obvious that more reliably survive a code update?
Thanks!
ROhn
---
Rohn J. Wood, MPA, Contractor
Senior Systems Engineer, Unix System Administrator Consultant
Global Biomedical Research Support Program (GBRSP/OCICB)
NIAID\NIH\DHHS
Rocky Mountain Laboratories
Bldg. 28 Rm. 1B108A
903 S. 4th St.
Hamilton, MT 59840
406.363.9433 FAX: 406.363.9388
SRA International Inc, a CSRA company
******************************************************************
The information in this e-mail and any of its attachments is confidential and may contain sensitive information. It should not be used by anyone who is not the original intended recipient. If you have received this e-mail in error please inform the sender and delete it from your mailbox or any other storage devices. National Institute of Allergy and Infectious Diseases shall not accept liability for any statements made that are sender's own and not expressly made on behalf of the NIAID by one of its representatives.
******************************************************************
MinRK
Dec 13, 2017, 8:11:13 AM12/13/17
to Project Jupyter
You should be able to do this by setting ConfigurableHTTPProxy.command (in JupyterHub 0.8):
c.ConfigurableHTTPProxy.command = ['configurable-http-proxy, '--ssl-ciphers=...']
-Min
--
You received this message because you are subscribed to the Google Groups "Project Jupyter" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jupyter+unsubscribe@googlegroups.com.
To post to this group, send email to jup...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jupyter/BLUPR09MB0833B12A95610C710F97EA65E3250%40BLUPR09MB0833.namprd09.prod.outlook.com.
For more options, visit https://groups.google.com/d/optout.
Reply all
Reply to author
Forward
0 new messages