[Python-Dev] Controlling the cipher list for SSL connections (original) (raw)

Chris Frantz frantzcj at gmail.com
Thu Sep 10 20:26:09 CEST 2009

Bill,

For now, using pyOpenSSL is acceptable. I just discovered that the web.py framework wants pyOpenSSL. Since my project is also using web.py, I'll need pyOpenSSL anyway.

Thank you, --Chris

On Thu, Sep 10, 2009 at 1:14 PM, Bill Janssen<janssen at parc.com> wrote:

Chris,

OK, seems reasonable.  Thanks.  In the near term, can you do this with M2Crypto or PyOpenSSL? When I started this update in 2007, we were trying to keep the API simple to avoid confusing people and avoid competition with the two full-fledged toolkits out there.  But I don't see any real reason not to extend the API a bit. Bill Chris Frantz <frantzcj at gmail.com> wrote:

Bill,

I agree that it's usually better to let the SSL implementation pick the ciphers. I have a certain device that I'd like to talk to that is running on an underpowered embedded CPU.   When I let OpenSSL pick the ciphers, it chooses something like EDH-RSA-AES-SHA and takes about 3.5 seconds to finish  the handshake.  If I can restrict the cipher list to RSA-RC4-SHA I can reduce the handshake time to less than a second and improve the throughput of any bulk data transfer over the connection. --Chris

On Thu, Sep 10, 2009 at 12:09 PM, Bill Janssen<janssen at parc.com> wrote: > Thanks, Chris.  Can you explain why you want to set the cipher list > explicitly?  IMO, it's usually better to select a security scheme (TLS1, > or SSLv3, etc.), and let the implementation pick the cipher list. > > Bill > > Chris Frantz <frantzcj at gmail.com> wrote: > >> Done. >> >> Attached to Issue 3597, which is a similar request to mine. >> >> Best Regards, >> --Chris _>> ________________________ >> Python-Dev mailing list >> Python-Dev at python.org >> http://mail.python.org/mailman/listinfo/python-dev >> Unsubscribe: http://mail.python.org/mailman/options/python-dev/janssen%40parc.com >

More information about the Python-Dev mailing list