Issue 13635: Python SSL stack doesn't support ordering of Ciphers


Created on 2011-12-19 10:44 by naif, last changed 2022-04-11 14:57 by admin. This issue is now closed.

Messages (5)
msg149831 - Author: naif (naif) Date: 2011-12-19 10:44
The list of ciphers for the Python SSL binding for OpenSSL cannot be ordered in a specific list of preference. This is a requirement for strict security environments where the ordered cipher list is very important.

Apache supports the ordering of ciphers through the configuration of SSLHonorCipherOrder: http://www.carbonwind.net/blog/post/Setting-the-preferred-cipher-suite-on-Apache-22x.aspx

Also Internet Explorer 7 supports cipher order configuration: https://blogs.technet.com/b/steriley/archive/2007/11/06/changing-the-ssl-cipher-order-in-internet-explorer-7-on-windows-vista.aspx?Redirected=true

Not having the ordered cipher list doesn't allow the Python SSL stack configuration to be compliant with high security environments, de facto representing a security vulnerability. We suggest fixing the issue of lacking that feature.
msg149835 - Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2011-12-19 10:49
Apparently it's just a matter of exposing SSL_OP_CIPHER_SERVER_PREFERENCE?
msg149837 - Author: naif (naif) Date: 2011-12-19 10:55
Looking at the code from mod_ssl, I would say that this is the preference required: https://issues.apache.org/bugzilla/show_bug.cgi?id=28665
msg149848 - Author: Roundup Robot (python-dev) (Python triager) Date: 2011-12-19 12:27
New changeset c706f76c9ea8 by Antoine Pitrou in branch 'default': Issue #13635: Add ssl.OP_CIPHER_SERVER_PREFERENCE, so that SSL servers http://hg.python.org/cpython/rev/c706f76c9ea8
msg149850 - Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2011-12-19 12:34
The new option is now committed in 3.3. Thanks for the report!
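The option discussed in msg149835 and added by the changeset in msg149848 only enforces an ordering that the server has also configured, so the two settings belong together. The following is an added example (not code from the issue or from CPython) showing a server context that pins an explicit cipher order with set_ciphers() and then enforces it with ssl.OP_CIPHER_SERVER_PREFERENCE, plus a small audit helper that reports when either half of the policy is missing. PREFERRED_SUITES and the function names are constructed for the example; it assumes Python 3.7 or later (for get_ciphers() and minimum_version) built against OpenSSL.

```python
import ssl

# Ordered preference list, most-preferred first (constructed for this example;
# adjust to your own policy). Names are OpenSSL cipher-suite names.
PREFERRED_SUITES = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-CHACHA20-POLY1305",
]


def make_server_context(suites, honor_server_order=True):
    """Server context whose cipher list is exactly `suites`, in that order.

    set_ciphers() fixes what is offered; the order is only *enforced* at
    handshake time when OP_CIPHER_SERVER_PREFERENCE is set. Without it,
    OpenSSL picks the first suite in the client's list that the server
    also offers, so the client, not the server policy, chooses the suite.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(suites))
    if honor_server_order:
        ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    else:
        # Clear the bit explicitly: recent CPython releases set it by default.
        ctx.options = int(ctx.options) & ~int(ssl.OP_CIPHER_SERVER_PREFERENCE)
    return ctx


def honors_server_order(ctx):
    """True when the server's own ordering wins during negotiation."""
    return bool(ctx.options & ssl.OP_CIPHER_SERVER_PREFERENCE)


def tls12_cipher_order(ctx):
    """TLS 1.2 suites offered by `ctx`, in preference order (TLS 1.3 suites
    are ordered separately by OpenSSL, so they are filtered out here)."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"]


def audit_cipher_policy(ctx, expected):
    """Policy findings for `ctx`; an empty list means it is compliant."""
    findings = []
    if not honors_server_order(ctx):
        findings.append("OP_CIPHER_SERVER_PREFERENCE not set: client order wins")
    actual = tls12_cipher_order(ctx)
    wanted = [s for s in expected if s in actual]  # skip suites this build lacks
    if actual != wanted:
        findings.append("cipher order differs from policy: %r" % actual)
    return findings
```

Running audit_cipher_policy() against a deployed context is a cheap check to add to a server's startup self-test, since set_ciphers() alone gives no error when the preference bit is missing.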
History
Date User Action Args
2022-04-11 14:57:24 admin set github: 57844
2011-12-20 01:32:13 jcea set nosy: + jcea
2011-12-19 12:34:22 pitrou set status: open -> closed; resolution: fixed; messages: +; stage: resolved
2011-12-19 12:27:50 python-dev set nosy: + python-dev; messages: +
2011-12-19 10:55:58 naif set messages: +
2011-12-19 10:49:02 pitrou set versions: - Python 2.6, Python 3.1, Python 2.7, Python 3.2, Python 3.4; nosy: + pitrou; messages: +; type: security -> enhancement
2011-12-19 10:44:02 naif create