classification
Title: Python SSL stack doesn't support ordering of Ciphers
Type: enhancement
Stage: resolved
Components: Library (Lib)
Versions: Python 3.3

process
Status: closed
Resolution: fixed
Dependencies:
Superseder:
Assigned To:
Nosy List: jcea, naif, pitrou, python-dev
Priority: normal
Keywords:

Created on 2011-12-19 10:44 by naif, last changed 2011-12-20 01:32 by jcea. This issue is now closed.

Messages (5)
msg149831 - Author: naif (naif) Date: 2011-12-19 10:44
The list of ciphers for the Python SSL binding for OpenSSL cannot be ordered in a specific list of preference.

This is a requirement for strict security environments, where the ordered cipher list is very important.

Apache supports the ordering of ciphers through the configuration of SSLHonorCipherOrder:
http://www.carbonwind.net/blog/post/Setting-the-preferred-cipher-suite-on-Apache-22x.aspx

Internet Explorer 7 also supports cipher order configuration:
https://blogs.technet.com/b/steriley/archive/2007/11/06/changing-the-ssl-cipher-order-in-internet-explorer-7-on-windows-vista.aspx?Redirected=true

Not having an ordered cipher list doesn't allow the Python SSL stack configuration to be compliant with high-security environments, de facto representing a security vulnerability.

We suggest fixing the lack of that feature.
msg149835 - Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2011-12-19 10:49
Apparently it's just a matter of exposing SSL_OP_CIPHER_SERVER_PREFERENCE?
msg149837 - Author: naif (naif) Date: 2011-12-19 10:55
Looking at the code from mod_ssl, I would say that this is the preference required: https://issues.apache.org/bugzilla/show_bug.cgi?id=28665
msg149848 - Author: Roundup Robot (python-dev) Date: 2011-12-19 12:27
New changeset c706f76c9ea8 by Antoine Pitrou in branch 'default':
Issue #13635: Add ssl.OP_CIPHER_SERVER_PREFERENCE, so that SSL servers
http://hg.python.org/cpython/rev/c706f76c9ea8
msg149850 - Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2011-12-19 12:34
The new option is now committed in 3.3. Thanks for the report!
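An added example (not code from this issue or from CPython) showing how a server uses the option this changeset exposes, with the pre-fix behaviour beside it for comparison. It assumes a Python 3.6 or later ssl module (for ssl.PROTOCOL_TLS_SERVER and SSLContext.get_ciphers()); the function names and the policy cipher string are the example's own.

```python
import ssl

# Policy order, deliberately listing AES-128-GCM ahead of AES-256-GCM so that
# the resulting order is visibly the operator's choice, not OpenSSL's default
# strength-based sort. (Constructed for this example.)
POLICY_CIPHERS = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384"


def make_server_context(honor_server_order: bool) -> ssl.SSLContext:
    """Server-side context with an explicit cipher preference list.

    honor_server_order=False reproduces the pre-3.3 situation described in
    the report: OpenSSL picks the first suite in the *client's* order that
    the server also offers. True sets ssl.OP_CIPHER_SERVER_PREFERENCE so
    the server's own order decides. Recent Python versions set the flag by
    default, so the weak variant clears it explicitly.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # set_ciphers() covers TLS 1.2 and earlier; OpenSSL keeps TLS 1.3 suites
    # in a separate list that this string does not touch.
    ctx.set_ciphers(POLICY_CIPHERS)
    if honor_server_order:
        ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    else:
        ctx.options &= ~ssl.OP_CIPHER_SERVER_PREFERENCE
    return ctx


def honors_server_order(ctx: ssl.SSLContext) -> bool:
    return bool(ctx.options & ssl.OP_CIPHER_SERVER_PREFERENCE)


def tls12_cipher_order(ctx: ssl.SSLContext) -> list:
    """Enabled TLS 1.2 suite names in the order OpenSSL will offer them."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"]


def audit_context(ctx: ssl.SSLContext) -> tuple:
    """Deploy-time check: (ok, findings) against the cipher-order policy."""
    findings = []
    if not honors_server_order(ctx):
        findings.append("OP_CIPHER_SERVER_PREFERENCE unset: client order wins")
    order = tls12_cipher_order(ctx)
    if order != POLICY_CIPHERS.split(":"):
        findings.append("cipher order deviates from policy: %s" % order)
    return (not findings, findings)


if __name__ == "__main__":
    for honor in (False, True):
        print(honor, audit_context(make_server_context(honor)))
```

A context that fails the audit still negotiates TLS, but the client's cipher order then decides which suite is used.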
History
Date | User | Action | Args
2011-12-20 01:32:13 | jcea | set | nosy: + jcea
2011-12-19 12:34:22 | pitrou | set | status: open -> closed; resolution: fixed; messages: + msg149850; stage: resolved
2011-12-19 12:27:50 | python-dev | set | nosy: + python-dev; messages: + msg149848
2011-12-19 10:55:58 | naif | set | messages: + msg149837
2011-12-19 10:49:02 | pitrou | set | versions: - Python 2.6, Python 3.1, Python 2.7, Python 3.2, Python 3.4; nosy: + pitrou; messages: + msg149835; type: security -> enhancement
2011-12-19 10:44:02 | naif | create |