Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ssl: get list of enabled ciphers #72053

Closed
tiran opened this issue Aug 26, 2016 · 9 comments
Closed

ssl: get list of enabled ciphers #72053

tiran opened this issue Aug 26, 2016 · 9 comments
Labels
stdlib Python modules in the Lib dir type-feature A feature request or enhancement

Comments

@tiran
Copy link
Member

tiran commented Aug 26, 2016

BPO 27866
Nosy @pitrou, @giampaolo, @tiran, @alex, @vadmium, @dstufft
Files
  • Add-SSLContext.get_ciphers.patch
    		•

    Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.

    Show more details

    GitHub fields:

    assignee = None
closed_at = <Date 2016-09-06.12:27:20.362>
created_at = <Date 2016-08-26.11:29:14.266>
labels = ['type-feature', 'library']
title = 'ssl: get list of enabled ciphers'
updated_at = <Date 2016-09-12.10:00:39.491>
user = 'https://github.com/tiran'

    bugs.python.org fields:

    activity = <Date 2016-09-12.10:00:39.491>
actor = 'python-dev'
assignee = 'none'
closed = True
closed_date = <Date 2016-09-06.12:27:20.362>
closer = 'berker.peksag'
components = ['Library (Lib)']
creation = <Date 2016-08-26.11:29:14.266>
creator = 'christian.heimes'
dependencies = []
files = ['44307']
hgrepos = []
issue_num = 27866
keywords = ['patch']
message_count = 9.0
messages = ['273703', '274113', '274115', '274443', '274515', '274540', '274545', '274552', '276011']
nosy_count = 8.0
nosy_names = ['janssen', 'pitrou', 'giampaolo.rodola', 'christian.heimes', 'alex', 'python-dev', 'martin.panter', 'dstufft']
pr_nums = []
priority = 'normal'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'enhancement'
url = 'https://bugs.python.org/issue27866'
versions = ['Python 3.6']
    @tiran
    Copy link
    Member Author

    tiran commented Aug 26, 2016

    SSLContext has a set_ciphers() method but no method to get the actual list of enabled ciphers. https://github.com/tiran/cpython/tree/feature/openssl_ciphers implements get_ciphers()

    >>> import ssl, pprint
>>> ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
>>> ctx.set_ciphers('ECDHE+AESGCM:!ECDSA')
>>> pprint.pprint(ctx.get_ciphers())
[{'alg_bits': 256,
  'description': 'ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  '
                 'Enc=AESGCM(256) Mac=AEAD',
  'id': 50380848,
  'name': 'ECDHE-RSA-AES256-GCM-SHA384',
  'protocol': 'TLSv1/SSLv3',
  'strength_bits': 256},
 {'alg_bits': 128,
  'description': 'ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  '
                 'Enc=AESGCM(128) Mac=AEAD',
  'id': 50380847,
  'name': 'ECDHE-RSA-AES128-GCM-SHA256',
  'protocol': 'TLSv1/SSLv3',
  'strength_bits': 128}]

    With OpenSSL 1.1 the dict will have more fields.

    Both the return value and functionality is different to https://docs.python.org/3/library/ssl.html#ssl.SSLSocket.shared_ciphers .

    @tiran tiran added stdlib Python modules in the Lib dir type-feature A feature request or enhancement labels Aug 26, 2016
    @pitrou
    Copy link
    Member

    pitrou commented Sep 1, 2016

    What does "kea" mean? Key exchange?

    @tiran
    Copy link
    Member Author

    tiran commented Sep 1, 2016

    KEA stands for key exchange algorithm.

    @python-dev
    Copy link
    Mannequin

    python-dev mannequin commented Sep 5, 2016

    New changeset ca8d7cb55a8e by Christian Heimes in branch 'default':
    Issue bpo-27866: Add SSLContext.get_ciphers() method to get a list of all enabled ciphers.
    https://hg.python.org/cpython/rev/ca8d7cb55a8e

    @vadmium
    Copy link
    Member

    vadmium commented Sep 6, 2016

    Fails on the Gentoo buildbots:
    http://buildbot.python.org/all/builders/x86%20Gentoo%20Non-Debug%20with%20X%203.x/builds/1368/steps/test/logs/stdio

    ======================================================================
    ERROR: test_get_ciphers (test.test_ssl.ContextTests)
    ----------------------------------------------------------------------

    Traceback (most recent call last):
  File "/buildbot/buildarea/3.x.ware-gentoo-x86.nondebug/build/Lib/test/test_ssl.py", line 840, in test_get_ciphers
    ctx.set_ciphers('ECDHE+AESGCM:!ECDSA')
ssl.SSLError: ('No cipher can be selected.',)

    @python-dev
    Copy link
    Mannequin

    python-dev mannequin commented Sep 6, 2016

    New changeset 9377ed49746b by Christian Heimes in branch 'default':
    bpo-27866: relax test case for set_cipher() and allow more cipher suites
    https://hg.python.org/cpython/rev/9377ed49746b

    @python-dev
    Copy link
    Mannequin

    python-dev mannequin commented Sep 6, 2016

    New changeset dad4c42869f6 by Christian Heimes in branch 'default':
    bpo-27866: relax get_cipher() test even more. Gentoo buildbot has no ECDHE
    https://hg.python.org/cpython/rev/dad4c42869f6

    @tiran
    Copy link
    Member Author

    tiran commented Sep 6, 2016

    I have relaxed the tests and stabilized the buildbots. Some Gentoo machines don't have ECDHE cipher suites enabled.

    @python-dev
    Copy link
    Mannequin

    python-dev mannequin commented Sep 12, 2016

    New changeset 2a1c7d0fdde6 by Victor Stinner in branch 'default':
    Issue bpo-27866: Fix refleak in cipher_to_dict()
    https://hg.python.org/cpython/rev/2a1c7d0fdde6

    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022
    Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
    Assignees
    No one assigned
    Labels
    stdlib Python modules in the Lib dir type-feature A feature request or enhancement
    Projects
    None yet
    Milestone
    No milestone
    Development

    No branches or pull requests
    4 participants
    @berkerpeksag @tiran @vadmium @pitrou