Issue 13635: Python SSL stack doesn't support ordering of Ciphers

➜

This issue tracker has been migrated to GitHub , and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

This issue has been migrated to GitHub: https://github.com/python/cpython/issues/57844

classification

Title:	Python SSL stack doesn't support ordering of Ciphers
Type:	enhancement	Stage:	resolved
Components:	Library (Lib)	Versions:	Python 3.3

process

Dependencies:	Superseder:
Status:	closed	Resolution:	fixed
Assigned To:	Nosy List:	jcea, naif, pitrou, python-dev
Priority:	normal	Keywords:

Created on 2011年12月19日 10:44 by naif, last changed 2022年04月11日 14:57 by admin. This issue is now closed.

Messages (5)
msg149831 - (view)	Author: naif (naif)	Date: 2011年12月19日 10:44
The list of Ciphers for Python SSL binding for OpenSSL cannot be ordered in a specific list of preference. This is a requirement for strict security environment where the ordered cipher list it's very important. Apache support the ordering of ciphers trough the configuration of SSLHonorCipherOrder: http://www.carbonwind.net/blog/post/Setting-the-preferred-cipher-suite-on-Apache-22x.aspx Also Internet Explorer 7 support Ciphers order configuration: https://blogs.technet.com/b/steriley/archive/2007/11/06/changing-the-ssl-cipher-order-in-internet-explorer-7-on-windows-vista.aspx?Redirected=true Not having the ordered cipher list doesn't allow Python SSL stack configuration to be compliant with high security environment, de-facto representing a security vulnerability. We suggest to fix the issue of lacking that feature.
msg149835 - (view)	Author: Antoine Pitrou (pitrou) * (Python committer)	Date: 2011年12月19日 10:49
Apparently it's just a matter of exposing SSL_OP_CIPHER_SERVER_PREFERENCE?
msg149837 - (view)	Author: naif (naif)	Date: 2011年12月19日 10:55
Looking at the code from mod_ssl i would say that this is the preference required https://issues.apache.org/bugzilla/show_bug.cgi?id=28665
msg149848 - (view)	Author: Roundup Robot (python-dev) (Python triager)	Date: 2011年12月19日 12:27
New changeset c706f76c9ea8 by Antoine Pitrou in branch 'default': Issue #13635: Add ssl.OP_CIPHER_SERVER_PREFERENCE, so that SSL servers http://hg.python.org/cpython/rev/c706f76c9ea8
msg149850 - (view)	Author: Antoine Pitrou (pitrou) * (Python committer)	Date: 2011年12月19日 12:34
The new option is now committed in 3.3. Thanks for the report!

History
Date	User	Action	Args
2022年04月11日 14:57:24	admin	set	github: 57844
2011年12月20日 01:32:13	jcea	set	nosy: + jcea
2011年12月19日 12:34:22	pitrou	set	status: open -> closed resolution: fixed messages: + msg149850 stage: resolved
2011年12月19日 12:27:50	python-dev	set	nosy: + python-dev messages: + msg149848
2011年12月19日 10:55:58	naif	set	messages: + msg149837
2011年12月19日 10:49:02	pitrou	set	versions: - Python 2.6, Python 3.1, Python 2.7, Python 3.2, Python 3.4 nosy: + pitrou messages: + msg149835 type: security -> enhancement
2011年12月19日 10:44:02	naif	create

homepage