classification
Title: SSL Ciphers RC4
Type: behavior Stage: resolved
Components: Documentation Versions: Python 2.7
process
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: docs@python Nosy List: alex, benjamin.peterson, docs@python, dstufft, mogli, python-dev, r.david.murray, vstinner
Priority: normal Keywords:

Created on 2015-03-16 11:31 by mogli, last changed 2015-03-17 09:37 by mogli. This issue is now closed.

Messages (9)
msg238194 - (view) Author: mogli (mogli) Date: 2015-03-16 11:31
The documentation (https://docs.python.org/2/library/ssl.html) says:
The settings in Python 2.7.9 are: PROTOCOL_SSLv23, OP_NO_SSLv2, and OP_NO_SSLv3 with high encryption cipher suites without RC4

But it still seems to use RC4: https://www.howsmyssl.com/a/check

Also the test at https://www.ssllabs.com/ssltest/viewMyClient.html says it still supports SSLv3 (not so sure about this one).
msg238212 - (view) Author: Alex Gaynor (alex) * (Python committer) Date: 2015-03-16 15:31
I believe RC4 will still be used under 2.7.9 on clients, this is changed for 2.7.10
msg238219 - (view) Author: Benjamin Peterson (benjamin.peterson) * (Python committer) Date: 2015-03-16 16:38
RC4 is dropped in the next releases.
msg238222 - (view) Author: STINNER Victor (vstinner) * (Python committer) Date: 2015-03-16 16:42
You can explicitly disable RC4 if you create a SSLContext and then call set_ciphers() with the right list of ciphers. See for examples cipher lists of Python 2.7 (development branch):
https://hg.python.org/cpython/file/0b44c749ae51/Lib/ssl.py#l150

Add ":!RC4" at the end of the cipher list to disable RC4.

OpenSSL cipher list format:
https://www.openssl.org/docs/apps/ciphers.html#CIPHER_LIST_FORMAT
msg238230 - (view) Author: mogli (mogli) Date: 2015-03-16 17:28
So it seems the docs are wrong.
msg238231 - (view) Author: Benjamin Peterson (benjamin.peterson) * (Python committer) Date: 2015-03-16 17:33
They're correct for the next release. :(
msg238232 - (view) Author: R. David Murray (r.david.murray) * (Python committer) Date: 2015-03-16 17:40
But the doc explicitly says 2.7.9, so no, they are not correct.  There also should be versionchanged directive, I think.
msg238234 - (view) Author: Roundup Robot (python-dev) (Python triager) Date: 2015-03-16 17:45
New changeset e1dfa5f0709f by Benjamin Peterson in branch '2.7':
versionchanged for rc4 removal (closes #23679)
https://hg.python.org/cpython/rev/e1dfa5f0709f

New changeset 2a6a63828a40 by Benjamin Peterson in branch '3.4':
versionchanged for rc4 removal (closes #23679)
https://hg.python.org/cpython/rev/2a6a63828a40

New changeset 87c102d0df39 by Benjamin Peterson in branch 'default':
merge 3.4 (#23679)
https://hg.python.org/cpython/rev/87c102d0df39
msg238268 - (view) Author: mogli (mogli) Date: 2015-03-17 09:37
That was fast, great job!

For the record: The SSLv3 issue I also wrote about was a false positive because the test only works with Javascript. Python 2.7.9 has SSLv3 disabled by default as it should.

urllib2.urlopen("https://sslv3.dshield.org")  # fails as it should
History
Date User Action Args
2015-03-17 09:37:13moglisetmessages: + msg238268
2015-03-16 17:45:38python-devsetstatus: open -> closed

nosy: + python-dev
messages: + msg238234

resolution: fixed
stage: needs patch -> resolved
2015-03-16 17:40:51r.david.murraysetresolution: duplicate -> (no value)
2015-03-16 17:40:40r.david.murraysetstatus: closed -> open

type: security -> behavior
dependencies: - SSL module should not offer RC4 based cipher suites for clients by default
assignee: docs@python
components: + Documentation

nosy: + r.david.murray, docs@python
messages: + msg238232
stage: needs patch
2015-03-16 17:33:06benjamin.petersonsetmessages: + msg238231
2015-03-16 17:28:07moglisetmessages: + msg238230
2015-03-16 16:42:36vstinnersetnosy: + vstinner
messages: + msg238222
2015-03-16 16:38:21benjamin.petersonsetstatus: open -> closed

nosy: + benjamin.peterson
messages: + msg238219

dependencies: + SSL module should not offer RC4 based cipher suites for clients by default
resolution: duplicate
2015-03-16 15:31:18alexsetmessages: + msg238212
2015-03-16 15:26:46r.david.murraysetnosy: + alex, dstufft
2015-03-16 11:31:05moglicreate