➜
This issue tracker has been migrated to GitHub,
and is currently read-only.
For more information,
see the GitHub FAQs in the Python's Developer Guide.
Created on 2008-08-19 03:38 by heikki, last changed 2022-04-11 14:56 by admin. This issue is now closed.
| Files | ||||
|---|---|---|---|---|
| File name | Uploaded | Description | Edit | |
| py-ssl.diff | cfrantz, 2009-09-07 16:29 | Patch to allow developer to control the cipher list. | ||
| Messages (5) | |||
|---|---|---|---|
| msg71406 - (view) | Author: Heikki Toivonen (heikki) | Date: 2008-08-19 03:38 | |
The 2.6 documentation states selecting the most compatible SSLv23 mode
may mean low quality ciphers, which does not really help the application
developers. It would be better to provide a way to set the allowed
ciphers. Even better, IMO, would be if the ssl module would default to
the stronger ciphers. I use the following default in M2Crypto:
set_cipher_list('ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH').
|
|||
| msg72446 - (view) | Author: Bill Janssen (janssen) *  |
Date: 2008-09-04 01:14 | |
I'm afraid you're ahead of me in knowledge here. I've experimented with the ciphers a bit, but there seem to be various compatibility issues. I finally decided to let the OpenSSL folks and various standard groups worry about this; the designation of SSL 2, SSL 3, or TLS 1, is supposed to select the appropriate cipher groups. Now, as to making the default be different: we discussed this on python-dev a bit. I think it might make sense to default to TLS 1, even at the expense of compatibility, but we (the two or three of us actually discussing it) finally decided to go with what the current Python socket.ssl module used. |
|||
| msg72573 - (view) | Author: Heikki Toivonen (heikki) | Date: 2008-09-05 07:05 | |
Yeah, compatibility can be a problem. The cipher list I used for M2Crypto was recommended in the book Network Security with OpenSSL (I think). Besides removing unsafe ciphers, it orders the remaining ciphers from strongest to weakest, based on the hope/assumption/practice that peers will hopefully select the first matching cipher. It is not foolproof, though, so for truly compatible application you'd probably need to try with different ciphers lists if you run into errors. However, I have never run into a problem myself with that list, nor has anyone reported any bugs against M2Crypto because of that. Defaulting to TLSv1 should select a better cipher list than otherwise, but I would be a bit concerned about that in turn being an even bigger compatibility issue. I guess I could ask around. |
|||
| msg92374 - (view) | Author: Chris Frantz (cfrantz) | Date: 2009-09-07 16:29 | |
I believe the attached patch provides the desired functionality. By default, the SSL library selects appropriate ciphers. If the user creates an SSLSocket with a cipher_list, the string is passed directly to SSL_CTX_set_cipher_list(). |
|||
| msg103744 - (view) | Author: Antoine Pitrou (pitrou) * |
Date: 2010-04-20 20:18 | |
I had never seen this issue but committed almost exactly the same feature in r80151. The parameters is named "ciphers" rather than "cipher_list" and allows you to override the allowed ciphers when creating an SSL object. It will be available in Python 2.7 and 3.2. (note that OpenSSL itself defaults to what it considers strong ciphers, at least in the most recent versions) |
|||
| History | |||
|---|---|---|---|
| Date | User | Action | Args |
| 2022-04-11 14:56:37 | admin | set | github: 47847 |
| 2010-04-20 20:18:06 | pitrou | set | status: open -> closed versions: + Python 2.7, Python 3.2, - Python 2.6 nosy: + pitrou messages: + msg103744 resolution: out of date |
| 2009-09-07 16:29:53 | cfrantz | set | files:
+ py-ssl.diff nosy: + cfrantz messages: + msg92374 keywords: + patch |
| 2008-09-05 07:05:27 | heikki | set | messages: + msg72573 |
| 2008-09-04 01:14:26 | janssen | set | nosy:
+ janssen messages: + msg72446 |
| 2008-08-19 03:38:10 | heikki | create | |