[Python-Dev] Controlling the cipher list for SSL connections (original) (raw)
Chris Frantz frantzcj at gmail.com
Mon Sep 7 18:09:36 CEST 2009
Greetings,
I would like to be able to set the cipher list when creating an SSL connection. It appears that the current SSL module doesn't provide this functionality.
The attached patch (against trunk) adds this ability to SSLSocket.
Thank you, --Chris
PS: Please reply directly to me, as I'm not subscribed to this list.
Index: Python-2.7/Lib/ssl.py
--- Python-2.7/Lib/ssl.py (revision 74703)
+++ Python-2.7/Lib/ssl.py (working copy)
@@ -88,7 +88,7 @@
server_side=False, cert_reqs=CERT_NONE, ssl_version=PROTOCOL_SSLv23, ca_certs=None, do_handshake_on_connect=True,
- suppress_ragged_eofs=True):
+ suppress_ragged_eofs=True, cipher_list=None):
socket.init(self, _sock=sock._sock)
# the initializer for socket trashes the methods (tsk, tsk), so...
self.send = lambda data, flags=0: SSLSocket.send(self, data, flags)
@@ -110,7 +110,8 @@
# yes, create the SSL object
self._sslobj = _ssl.sslwrap(self._sock, server_side, keyfile, certfile,
- cert_reqs, ssl_version, ca_certs)
+ cert_reqs, ssl_version,
+ ca_certs, cipher_list)
if do_handshake_on_connect:
timeout = self.gettimeout()
try:
Index: Python-2.7/Modules/_ssl.c
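Review bot: The new `cipher_list` keyword on `SSLSocket.__init__` (first hunk) is undocumented: it is added to the signature and threaded through to `_ssl.sslwrap` in the second hunk, but no docstring or ssl-module documentation change accompanies it, so a caller cannot tell what string format is expected or what `None` means. The module-level `wrap_socket()` helper that most callers go through is not part of the patch; if the option is meant to be reachable from there, it presumably needs the same keyword forwarded. Suggest a docstring line such as `cipher_list -- OpenSSL cipher-list string passed to SSL_CTX_set_cipher_list(); None keeps the library default`. `SSLSocket.__init__` begins before and continues past both hunks.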
--- Python-2.7/Modules/_ssl.c (revision 74703)
+++ Python-2.7/Modules/_ssl.c (working copy)
@@ -261,7 +261,8 @@
enum py_ssl_server_or_client socket_type,
enum py_ssl_cert_requirements certreq,
enum py_ssl_version proto_version,
- char *cacerts_file)
+ char *cacerts_file,
+ char *cipher_list)
{
PySSLObject *self;
char errstr = NULL;
@@ -366,6 +367,9 @@
SSL_CTX_set_verify(self->ctx, verification_mode, NULL); / set verify lvl */
+ if (cipher_list)
+ SSL_CTX_set_cipher_list(self->ctx, cipher_list);
+
PySSL_BEGIN_ALLOW_THREADS
self->ssl = SSL_new(self->ctx); /* New ssl struct */
PySSL_END_ALLOW_THREADS
@@ -407,14 +411,17 @@
char *key_file = NULL;
char *cert_file = NULL;
char *cacerts_file = NULL;
+ char *cipher_list = NULL;
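Review bot: The return value of `SSL_CTX_set_cipher_list()` is discarded in the added `if (cipher_list)` branch. OpenSSL returns 0 when none of the requested ciphers can be enabled, and the context then keeps whatever list it had before, so a caller who passes a deliberately restrictive list to rule out weak suites silently ends up negotiating with the default policy instead of getting an error. The failure should be reported before `SSL_new()` is reached; routing it through the `errstr`/`fail` cleanup path that `newPySSLObject` uses for its other setup failures (the label and the `ERRSTR` macro are outside the hunk — I assume they are the existing ones) gives the block below. `newPySSLObject` starts and ends outside this hunk.
```c
    if (cipher_list) {
        if (!SSL_CTX_set_cipher_list(self->ctx, cipher_list)) {
            errstr = ERRSTR("No cipher can be selected.");
            goto fail;
        }
    }
    /* … unchanged: PySSL_BEGIN_ALLOW_THREADS / SSL_new / PySSL_END_ALLOW_THREADS … */
```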
- if (!PyArg_ParseTuple(args, "O!i|zziiz:sslwrap",
+
+ if (!PyArg_ParseTuple(args, "O!i|zziizz:sslwrap",
PySocketModule.Sock_Type, &Sock, &server_side, &key_file, &cert_file, &verification_mode, &protocol,
- &cacerts_file))
+ &cacerts_file,
+ &cipher_list))
return NULL;
/*
@@ -427,12 +434,12 @@
return (PyObject *) newPySSLObject(Sock, key_file, cert_file, server_side, verification_mode,
- protocol, cacerts_file);
+ protocol, cacerts_file, cipher_list);
}
PyDoc_STRVAR(ssl_doc, "sslwrap(socket, server_side, [keyfile, certfile, certs_mode, protocol,\n"
-" cacertsfile]) -> sslobject");
+" cacertsfile, cipherlist]) -> sslobject");
/* SSL object methods */
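Review bot: The updated `ssl_doc` string names the new argument `cipherlist`, while the Python layer in this same patch passes it as `cipher_list`, and the docstring says nothing about what the value is. Using one spelling in both places avoids a reader grepping for a name that does not exist, and one extra line makes the contract explicit; suggest `" cacertsfile, cipher_list]) -> sslobject\n"` followed by `"cipher_list is an OpenSSL cipher-list string; None keeps the library default."`. The enclosing `PyDoc_STRVAR` is fully inside the hunk.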