This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Title: Python SSL stack doesn't support ordering of Ciphers
Type: enhancement Stage: resolved
Components: Library (Lib) Versions: Python 3.3
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: Nosy List: jcea, naif, pitrou, python-dev
Priority: normal Keywords:

Created on 2011-12-19 10:44 by naif, last changed 2022-04-11 14:57 by admin. This issue is now closed.

Messages (5)
msg149831 - (view) Author: naif (naif) Date: 2011-12-19 10:44
The list of Ciphers for Python SSL binding for OpenSSL cannot be ordered in a specific list of preference.

This is a requirement for strict security environment where the ordered cipher list it's very important.

Apache support the ordering of ciphers trough the configuration of SSLHonorCipherOrder:

Also Internet Explorer 7 support Ciphers order configuration:

Not having the ordered cipher list doesn't allow Python SSL stack configuration to be compliant with high security environment, de-facto representing a security vulnerability.

We suggest to fix the issue of lacking that feature.
msg149835 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2011-12-19 10:49
Apparently it's just a matter of exposing SSL_OP_CIPHER_SERVER_PREFERENCE?
msg149837 - (view) Author: naif (naif) Date: 2011-12-19 10:55
Looking at the code from mod_ssl i would say that this is the preference required
msg149848 - (view) Author: Roundup Robot (python-dev) (Python triager) Date: 2011-12-19 12:27
New changeset c706f76c9ea8 by Antoine Pitrou in branch 'default':
Issue #13635: Add ssl.OP_CIPHER_SERVER_PREFERENCE, so that SSL servers
msg149850 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2011-12-19 12:34
The new option is now committed in 3.3. Thanks for the report!
Date User Action Args
2022-04-11 14:57:24adminsetgithub: 57844
2011-12-20 01:32:13jceasetnosy: + jcea
2011-12-19 12:34:22pitrousetstatus: open -> closed
resolution: fixed
messages: + msg149850

stage: resolved
2011-12-19 12:27:50python-devsetnosy: + python-dev
messages: + msg149848
2011-12-19 10:55:58naifsetmessages: + msg149837
2011-12-19 10:49:02pitrousetversions: - Python 2.6, Python 3.1, Python 2.7, Python 3.2, Python 3.4
nosy: + pitrou

messages: + msg149835

type: security -> enhancement
2011-12-19 10:44:02naifcreate