classification
Title: ssl: get list of enabled ciphers
Type: enhancement Stage: resolved
Components: Library (Lib) Versions: Python 3.6
process
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: Nosy List: alex, christian.heimes, dstufft, giampaolo.rodola, janssen, martin.panter, pitrou, python-dev
Priority: normal Keywords: patch

Created on 2016-08-26 11:29 by christian.heimes, last changed 2016-09-12 10:00 by python-dev. This issue is now closed.

Files
File name Uploaded Description Edit
Add-SSLContext.get_ciphers.patch christian.heimes, 2016-08-31 20:10
Messages (9)
msg273703 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2016-08-26 11:29
SSLContext has a set_ciphers() method but no method to get the actual list of enabled ciphers. https://github.com/tiran/cpython/tree/feature/openssl_ciphers implements get_ciphers()

>>> import ssl, pprint
>>> ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
>>> ctx.set_ciphers('ECDHE+AESGCM:!ECDSA')
>>> pprint.pprint(ctx.get_ciphers())
[{'alg_bits': 256,
  'description': 'ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  '
                 'Enc=AESGCM(256) Mac=AEAD',
  'id': 50380848,
  'name': 'ECDHE-RSA-AES256-GCM-SHA384',
  'protocol': 'TLSv1/SSLv3',
  'strength_bits': 256},
 {'alg_bits': 128,
  'description': 'ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  '
                 'Enc=AESGCM(128) Mac=AEAD',
  'id': 50380847,
  'name': 'ECDHE-RSA-AES128-GCM-SHA256',
  'protocol': 'TLSv1/SSLv3',
  'strength_bits': 128}]

With OpenSSL 1.1 the dict will have more fields.

Both the return value and functionality is different to https://docs.python.org/3/library/ssl.html#ssl.SSLSocket.shared_ciphers .
msg274113 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2016-09-01 09:33
What does "kea" mean? Key exchange?
msg274115 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2016-09-01 10:21
KEA stands for key exchange algorithm.
msg274443 - (view) Author: Roundup Robot (python-dev) Date: 2016-09-05 22:05
New changeset ca8d7cb55a8e by Christian Heimes in branch 'default':
Issue #27866: Add SSLContext.get_ciphers() method to get a list of all enabled ciphers.
https://hg.python.org/cpython/rev/ca8d7cb55a8e
msg274515 - (view) Author: Martin Panter (martin.panter) * (Python committer) Date: 2016-09-06 04:32
Fails on the Gentoo buildbots:
http://buildbot.python.org/all/builders/x86%20Gentoo%20Non-Debug%20with%20X%203.x/builds/1368/steps/test/logs/stdio

======================================================================
ERROR: test_get_ciphers (test.test_ssl.ContextTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/buildbot/buildarea/3.x.ware-gentoo-x86.nondebug/build/Lib/test/test_ssl.py", line 840, in test_get_ciphers
    ctx.set_ciphers('ECDHE+AESGCM:!ECDSA')
ssl.SSLError: ('No cipher can be selected.',)
msg274540 - (view) Author: Roundup Robot (python-dev) Date: 2016-09-06 08:46
New changeset 9377ed49746b by Christian Heimes in branch 'default':
Issue 27866: relax test case for set_cipher() and allow more cipher suites
https://hg.python.org/cpython/rev/9377ed49746b
msg274545 - (view) Author: Roundup Robot (python-dev) Date: 2016-09-06 09:27
New changeset dad4c42869f6 by Christian Heimes in branch 'default':
Issue 27866: relax get_cipher() test even more. Gentoo buildbot has no ECDHE
https://hg.python.org/cpython/rev/dad4c42869f6
msg274552 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2016-09-06 11:16
I have relaxed the tests and stabilized the buildbots. Some Gentoo machines don't have ECDHE cipher suites enabled.
msg276011 - (view) Author: Roundup Robot (python-dev) Date: 2016-09-12 10:00
New changeset 2a1c7d0fdde6 by Victor Stinner in branch 'default':
Issue #27866: Fix refleak in cipher_to_dict()
https://hg.python.org/cpython/rev/2a1c7d0fdde6
History
Date User Action Args
2016-09-12 10:00:39python-devsetmessages: + msg276011
2016-09-06 12:27:20berker.peksagsetstatus: open -> closed
2016-09-06 11:16:51christian.heimessetresolution: fixed
dependencies: - Make OpenSSL module compatible with OpenSSL 1.1.0
messages: + msg274552
stage: patch review -> resolved
2016-09-06 09:27:35python-devsetmessages: + msg274545
2016-09-06 08:46:00python-devsetmessages: + msg274540
2016-09-06 04:32:51martin.pantersetnosy: + martin.panter
messages: + msg274515
2016-09-05 22:05:06python-devsetnosy: + python-dev
messages: + msg274443
2016-09-01 10:21:35christian.heimessetmessages: + msg274115
2016-09-01 09:33:46pitrousetnosy: + pitrou
messages: + msg274113
2016-08-31 20:11:08christian.heimessetstage: patch review
2016-08-31 20:10:58christian.heimessetfiles: + Add-SSLContext.get_ciphers.patch
keywords: + patch
dependencies: + Make OpenSSL module compatible with OpenSSL 1.1.0
2016-08-26 11:29:14christian.heimescreate