[Python-Dev] Controlling the cipher list for SSL connections
Greetings,

I would like to be able to set the cipher list when creating an SSL connection. It appears that the current SSL module doesn't provide this functionality. The attached patch (against trunk) adds this ability to SSLSocket.

Thank you,
--Chris

PS: Please reply directly to me, as I'm not subscribed to this list.

Index: Python-2.7/Lib/ssl.py === --- Python-2.7/Lib/ssl.py (revision 74703) +++ Python-2.7/Lib/ssl.py (working copy) @@ -88,7 +88,7 @@ server_side=False, cert_reqs=CERT_NONE, ssl_version=PROTOCOL_SSLv23, ca_certs=None, do_handshake_on_connect=True, - suppress_ragged_eofs=True): + suppress_ragged_eofs=True, cipher_list=None): socket.__init__(self, _sock=sock._sock) # the initializer for socket trashes the methods (tsk, tsk), so... self.send = lambda data, flags=0: SSLSocket.send(self, data, flags) @@ -110,7 +110,8 @@ # yes, create the SSL object self._sslobj = _ssl.sslwrap(self._sock, server_side, keyfile, certfile, - cert_reqs, ssl_version, ca_certs) + cert_reqs, ssl_version, + ca_certs, cipher_list) if do_handshake_on_connect: timeout = self.gettimeout() try: Index: Python-2.7/Modules/_ssl.c === --- Python-2.7/Modules/_ssl.c (revision 74703) +++ Python-2.7/Modules/_ssl.c (working copy) @@ -261,7 +261,8 @@ enum py_ssl_server_or_client socket_type, enum py_ssl_cert_requirements certreq, enum py_ssl_version proto_version, - char *cacerts_file) + char *cacerts_file, + char *cipher_list) { PySSLObject *self; char *errstr = NULL; @@ -366,6 +367,9 @@ SSL_CTX_set_verify(self->ctx, verification_mode, NULL); /* set verify lvl */ + if (cipher_list) + SSL_CTX_set_cipher_list(self->ctx, cipher_list); + PySSL_BEGIN_ALLOW_THREADS self->ssl = SSL_new(self->ctx); /* New ssl struct */ PySSL_END_ALLOW_THREADS
@@ -407,14 +411,17 @@ char *key_file = NULL; char *cert_file = NULL; char *cacerts_file = NULL; + char *cipher_list = NULL; - if (!PyArg_ParseTuple(args, "O!i|zziiz:sslwrap", + + if (!PyArg_ParseTuple(args, "O!i|zziizz:sslwrap", PySocketModule.Sock_Type, &Sock, &server_side, &key_file, &cert_file, &verification_mode, &protocol, - &cacerts_file)) + &cacerts_file, + &cipher_list)) return NULL; /* @@ -427,12 +434,12 @@ return (PyObject *) newPySSLObject(Sock, key_file, cert_file, server_side, verification_mode, - protocol, cacerts_file); + protocol, cacerts_file, cipher_list); } PyDoc_STRVAR(ssl_doc, "sslwrap(socket, server_side, [keyfile, certfile, certs_mode, protocol,\n" -" cacertsfile]) -> sslobject"); +" cacertsfile, cipherlist]) -> sslobject"); /* SSL object methods */ ___ Python-Dev mailing list Python-Dev@python.org http://mail.python.org/mailman/listinfo/python-dev Unsubscribe: http://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
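Review bot: the new `cipher_list=None` keyword in the Lib/ssl.py hunk at @@ -88,7 +88,7 @@ is added only to SSLSocket.__init__; the patch shows no corresponding change to the module-level wrap_socket() helper that most callers use to construct an SSLSocket, and no docstring or documentation update on the Python side. Suggest threading `cipher_list` through wrap_socket() as well and documenting that the value is an OpenSSL cipher-list string handed straight to SSL_CTX_set_cipher_list, so callers know which syntax and which suites they are committing to.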
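Review bot: the return value of SSL_CTX_set_cipher_list() in the Modules/_ssl.c hunk at @@ -366,6 +367,9 @@ is discarded. OpenSSL returns 0 when the string selects no cipher (a typo, or a suite the library was built without), and in that case the context silently keeps its default cipher list, so a caller who tried to narrow the suites ends up negotiating with exactly the suites they meant to exclude. Suggest failing closed through the function's existing errstr path (`char *errstr = NULL;` is visible in the preceding hunk), e.g. `if (cipher_list && !SSL_CTX_set_cipher_list(self->ctx, cipher_list)) { errstr = "No cipher can be selected."; goto fail; }` (assuming the function's usual `goto fail` cleanup), so the Python caller sees an SSLError instead of a wider-than-requested cipher list.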
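Review bot: the hunk at @@ -407,14 +411,17 @@ introduces a stray blank line (a lone `+` line) between the new `char *cipher_list = NULL;` declaration and the PyArg_ParseTuple call; drop it to keep the diff minimal. The `z` format code chosen for the new optional argument is correct: it accepts str or None, matching the `cipher_list=None` default on the Python side and the format already used for cacerts_file.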
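Review bot: the docstring change in the hunk at @@ -427,12 +434,12 @@ names the new argument `cipherlist`, while the keyword added in Lib/ssl.py and the C variable are both `cipher_list`; use one spelling so the docstring matches what callers type, and consider stating there that the argument is an OpenSSL cipher-list string.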
Re: [Python-Dev] Controlling the cipher list for SSL connections
Done.

Attached to Issue 3597, which is a similar request to mine.

Best Regards,
--Chris
Re: [Python-Dev] Controlling the cipher list for SSL connections
Bill,

For now, using pyOpenSSL is acceptable. I just discovered that the web.py framework wants pyOpenSSL. Since my project is also using web.py, I'll need pyOpenSSL anyway.

Thank you,
--Chris

On Thu, Sep 10, 2009 at 1:14 PM, Bill Janssen wrote:
> Chris,
>
> OK, seems reasonable. Thanks. In the near term, can you do this with
> M2Crypto or PyOpenSSL?
>
> When I started this update in 2007, we were trying to keep the API
> simple to avoid confusing people and avoid competition with the two
> full-fledged toolkits out there. But I don't see any real reason not to
> extend the API a bit.
>
> Bill
>
> Chris Frantz wrote:
>
>> Bill,
>>
>> I agree that it's usually better to let the SSL implementation pick
>> the ciphers.
>>
>> I have a certain device that I'd like to talk to that is running on an
>> underpowered embedded CPU. When I let OpenSSL pick the ciphers, it
>> chooses something like EDH-RSA-AES-SHA and takes about 3.5 seconds to
>> finish the handshake. If I can restrict the cipher list to
>> RSA-RC4-SHA I can reduce the handshake time to less than a second and
>> improve the throughput of any bulk data transfer over the connection.
>>
>> --Chris
>>
>> On Thu, Sep 10, 2009 at 12:09 PM, Bill Janssen wrote:
>> > Thanks, Chris. Can you explain why you want to set the cipher list
>> > explicitly? IMO, it's usually better to select a security scheme (TLS1,
>> > or SSLv3, etc.), and let the implementation pick the cipher list.
>> >
>> > Bill
>> >
>> > Chris Frantz wrote:
>> >
>> >> Done.
>> >>
>> >> Attached to Issue 3597, which is a similar request to mine.
>> >>
>> >> Best Regards,
>> >> --Chris
Re: [Python-Dev] Controlling the cipher list for SSL connections
Bill,

I agree that it's usually better to let the SSL implementation pick the ciphers.

I have a certain device that I'd like to talk to that is running on an underpowered embedded CPU. When I let OpenSSL pick the ciphers, it chooses something like EDH-RSA-AES-SHA and takes about 3.5 seconds to finish the handshake. If I can restrict the cipher list to RSA-RC4-SHA I can reduce the handshake time to less than a second and improve the throughput of any bulk data transfer over the connection.

--Chris

On Thu, Sep 10, 2009 at 12:09 PM, Bill Janssen wrote:
> Thanks, Chris. Can you explain why you want to set the cipher list
> explicitly? IMO, it's usually better to select a security scheme (TLS1,
> or SSLv3, etc.), and let the implementation pick the cipher list.
>
> Bill
>
> Chris Frantz wrote:
>
>> Done.
>>
>> Attached to Issue 3597, which is a similar request to mine.
>>
>> Best Regards,
>> --Chris
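The cipher-list control this thread asks for exists in today's ssl module as SSLContext.set_ciphers(). The following is an added example, not code from the thread or from the patch: it restricts a client context to ECDHE AES-GCM suites, lists what was actually enabled, and shows that a cipher string matching nothing is rejected with ssl.SSLError rather than silently falling back to the defaults (the check the patched C code omits). It assumes Python 3.6 or later linked against OpenSSL.

```python
import ssl

# Constructed example; not code from the thread or from the patch under review.
# Uses the SSLContext API that later replaced the sslwrap() signature being
# patched in the thread, and assumes Python 3.6+ on OpenSSL.


def restricted_context(cipher_string):
    """Return a client context whose TLS 1.2 suites are limited to cipher_string.

    OpenSSL's SSL_CTX_set_cipher_list() fails when the string selects no
    suite; the ssl module raises ssl.SSLError for that instead of keeping
    the defaults, so a misspelt restriction cannot silently widen the list.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return ctx


def cipher_string_is_valid(cipher_string):
    """True if OpenSSL can select at least one suite from cipher_string."""
    try:
        restricted_context(cipher_string)
    except ssl.SSLError:
        return False
    return True


def tls12_cipher_names(ctx):
    """Names of the pre-TLS-1.3 suites ctx will offer, in preference order.

    get_ciphers() also lists TLS 1.3 suites on OpenSSL 1.1.1+, which
    set_ciphers() does not govern, so those are filtered out here.
    """
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


if __name__ == "__main__":
    ctx = restricted_context("ECDHE+AESGCM")
    print("\n".join(tls12_cipher_names(ctx)))
    print(cipher_string_is_valid("NOT-A-REAL-SUITE"))  # False
```

On OpenSSL builds with the default options (1.1.0 and later compile RC4 out), a string naming only RC4 suites such as the RSA-RC4-SHA mentioned in the thread selects nothing and is rejected the same way.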