Python SSL stack doesn't support ordering of Ciphers #57844

naif · 2011-12-19T10:44:03Z

BPO	13635
Nosy	@jcea, @pitrou

^{Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.}

Show more details

GitHub fields:

assignee = None
closed_at = <Date 2011-12-19.12:34:22.126>
created_at = <Date 2011-12-19.10:44:02.596>
labels = ['type-feature', 'library']
title = "Python SSL stack doesn't support ordering of Ciphers"
updated_at = <Date 2011-12-20.01:32:13.507>
user = 'https://bugs.python.org/naif'

bugs.python.org fields:

activity = <Date 2011-12-20.01:32:13.507>
actor = 'jcea'
assignee = 'none'
closed = True
closed_date = <Date 2011-12-19.12:34:22.126>
closer = 'pitrou'
components = ['Library (Lib)']
creation = <Date 2011-12-19.10:44:02.596>
creator = 'naif'
dependencies = []
files = []
hgrepos = []
issue_num = 13635
keywords = []
message_count = 5.0
messages = ['149831', '149835', '149837', '149848', '149850']
nosy_count = 4.0
nosy_names = ['jcea', 'pitrou', 'python-dev', 'naif']
pr_nums = []
priority = 'normal'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'enhancement'
url = 'https://bugs.python.org/issue13635'
versions = ['Python 3.3']

naif · 2011-12-19T10:44:02Z

The list of Ciphers for Python SSL binding for OpenSSL cannot be ordered in a specific list of preference.

This is a requirement for strict security environment where the ordered cipher list it's very important.

Apache support the ordering of ciphers trough the configuration of SSLHonorCipherOrder:
http://www.carbonwind.net/blog/post/Setting-the-preferred-cipher-suite-on-Apache-22x.aspx

Also Internet Explorer 7 support Ciphers order configuration:
https://blogs.technet.com/b/steriley/archive/2007/11/06/changing-the-ssl-cipher-order-in-internet-explorer-7-on-windows-vista.aspx?Redirected=true

Not having the ordered cipher list doesn't allow Python SSL stack configuration to be compliant with high security environment, de-facto representing a security vulnerability.

We suggest to fix the issue of lacking that feature.

pitrou · 2011-12-19T10:49:02Z

Apparently it's just a matter of exposing SSL_OP_CIPHER_SERVER_PREFERENCE?

naif · 2011-12-19T10:55:58Z

Looking at the code from mod_ssl i would say that this is the preference required https://issues.apache.org/bugzilla/show_bug.cgi?id=28665

python-dev · 2011-12-19T12:27:50Z

New changeset c706f76c9ea8 by Antoine Pitrou in branch 'default':
Issue bpo-13635: Add ssl.OP_CIPHER_SERVER_PREFERENCE, so that SSL servers
http://hg.python.org/cpython/rev/c706f76c9ea8

pitrou · 2011-12-19T12:34:22Z

The new option is now committed in 3.3. Thanks for the report!

naif mannequin added type-security A security issue stdlib Python modules in the Lib dir labels Dec 19, 2011

pitrou added type-feature A feature request or enhancement and removed type-security A security issue labels Dec 19, 2011

pitrou closed this as completed Dec 19, 2011

ezio-melotti transferred this issue from another repository Apr 10, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Python SSL stack doesn't support ordering of Ciphers #57844

Python SSL stack doesn't support ordering of Ciphers #57844

naif mannequin commented Dec 19, 2011

naif mannequin commented Dec 19, 2011

pitrou commented Dec 19, 2011

naif mannequin commented Dec 19, 2011

python-dev mannequin commented Dec 19, 2011

pitrou commented Dec 19, 2011

Python SSL stack doesn't support ordering of Ciphers #57844

Python SSL stack doesn't support ordering of Ciphers #57844

Comments

naif mannequin commented Dec 19, 2011

naif mannequin commented Dec 19, 2011

pitrou commented Dec 19, 2011

naif mannequin commented Dec 19, 2011

python-dev mannequin commented Dec 19, 2011

pitrou commented Dec 19, 2011