Antoine Pitrou <pit...@free.fr> added the comment:

> So, with this patch it should be possible to strictly enable ciphers such as:
> ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH       Au=RSA   Enc=AES(256)  Mac=SHA1
> ECDHE-ECDSA-AES256-SHA  SSLv3 Kx=ECDH       Au=ECDSA Enc=AES(256)  Mac=SHA1
> ECDH-RSA-AES256-SHA     SSLv3 Kx=ECDH/RSA   Au=ECDH  Enc=AES(256)  Mac=SHA1
> ECDH-ECDSA-AES256-SHA   SSLv3 Kx=ECDH/ECDSA Au=ECDH  Enc=AES(256)  Mac=SHA1
>
> Which ciphers did you negotiate successfully?

I didn't try to negotiate a specific cipher, I just saw that the selected cipher was ECDHE-RSA-AES256-SHA (using a standard self-signed certificate). I suppose other ciphers are accessible as well.

> While with the implementation of http://bugs.python.org/issue13627
> (DH/DHE ciphers) we should be able to negotiate:

You mean issue13626.

> Do you expect it would be a difficult step to handle also the DH/DHE
> (non ECC) negotiation?

No, but that's issue13626 :)

> Additionally it would be imho very important if the Python language
> would provide a "default ciphers setup" that looks at maximum
> compatibility, performance and security.

You have the set_ciphers() method which allows you to set a "cipher string":
http://docs.python.org/dev/library/ssl.html#ssl.SSLContext.set_ciphers

OpenSSL itself has several generic cipher settings available:
http://www.openssl.org/docs/apps/ciphers.html#CIPHER_LIST_FORMAT

For example the following setting gives you only ECDH ciphers with strong encryption and authentication:

$ openssl ciphers -v 'kEECDH:!NULL:!aNULL'
ECDHE-RSA-AES256-SHA     SSLv3 Kx=ECDH Au=RSA   Enc=AES(256)  Mac=SHA1
ECDHE-ECDSA-AES256-SHA   SSLv3 Kx=ECDH Au=ECDSA Enc=AES(256)  Mac=SHA1
ECDHE-RSA-DES-CBC3-SHA   SSLv3 Kx=ECDH Au=RSA   Enc=3DES(168) Mac=SHA1
ECDHE-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=3DES(168) Mac=SHA1
ECDHE-RSA-AES128-SHA     SSLv3 Kx=ECDH Au=RSA   Enc=AES(128)  Mac=SHA1
ECDHE-ECDSA-AES128-SHA   SSLv3 Kx=ECDH Au=ECDSA Enc=AES(128)  Mac=SHA1
ECDHE-RSA-RC4-SHA        SSLv3 Kx=ECDH Au=RSA   Enc=RC4(128)  Mac=SHA1
ECDHE-ECDSA-RC4-SHA      SSLv3 Kx=ECDH Au=ECDSA Enc=RC4(128)  Mac=SHA1

We are not cryptography experts and I don't think it would be a good idea to maintain our own list of ciphers.
(furthermore, I don't think "maximum compatibility, performance and security" are generally compatible with each other)

----------
title: Python SSL stack doesn't support Elliptic Curve ciphers -> Python SSL stack doesn't support Elliptic Curve ciphers

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue13627>
_______________________________________
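The reply above points at SSLContext.set_ciphers() and the OpenSSL cipher-string syntax but leaves verifying the result to `openssl ciphers -v`. The following is an added example, not code from the thread or from CPython: it hands the same string, 'kEECDH:!NULL:!aNULL', to a modern ssl.SSLContext, reads back what OpenSSL actually resolved via SSLContext.get_ciphers() (Python 3.6 and later; the "description" entry carries the same Kx=/Au=/Enc=/Mac= fields as the `openssl ciphers -v` output quoted in the thread), and checks from inside the process that every enabled suite is authenticated ephemeral ECDH with real encryption. The policy check itself (which fields to test, what counts as a violation) is this example's own choice, not anything the thread or OpenSSL prescribes.

```python
import re
import ssl

# Cipher string quoted in the thread: ephemeral ECDH key exchange only,
# with NULL-encryption and anonymous (unauthenticated) suites removed.
ECDH_ONLY = "kEECDH:!NULL:!aNULL"

# Fields of the `openssl ciphers -v` line. OpenSSL returns the same line
# in the "description" entry of SSLContext.get_ciphers() (Python 3.6+).
_FIELD = re.compile(r"\b(Kx|Au|Enc|Mac)=(\S+)")


def resolve_cipher_string(cipher_string):
    """Return what OpenSSL actually enables for cipher_string as a list of
    (name, {"Kx": ..., "Au": ..., "Enc": ..., "Mac": ...}) tuples.

    TLS 1.3 suites are reported by get_ciphers() too, but they are not
    governed by set_ciphers() (OpenSSL selects them separately), so they
    are excluded here to keep the check about the cipher string itself.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    resolved = []
    for c in ctx.get_ciphers():
        if c["protocol"] == "TLSv1.3":
            continue
        fields = dict(_FIELD.findall(c["description"]))
        resolved.append((c["name"], fields))
    return resolved


def policy_violations(cipher_string):
    """Names of enabled suites that are NOT authenticated ECDH with real
    encryption (assumed policy for this example). Anonymous suites show
    up as Au=None and NULL-encryption suites as Enc=None in the
    description line, which is what the !aNULL and !NULL exclusions in
    the thread's cipher string are meant to remove."""
    bad = []
    for name, f in resolve_cipher_string(cipher_string):
        if (not f.get("Kx", "").startswith("ECDH")
                or f.get("Au") in (None, "None")
                or f.get("Enc") in (None, "None")):
            bad.append(name)
    return bad


def accepts_cipher_string(cipher_string):
    """True if OpenSSL can select at least one cipher for the string.
    A string that matches nothing makes set_ciphers() raise ssl.SSLError,
    which is the failure you want at startup rather than at handshake."""
    try:
        ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT).set_ciphers(cipher_string)
    except ssl.SSLError:
        return False
    return True


if __name__ == "__main__":
    for name, f in resolve_cipher_string(ECDH_ONLY):
        print(f"{name:32} Kx={f.get('Kx', '?'):6} Au={f.get('Au', '?'):6} "
              f"Enc={f.get('Enc', '?'):14} Mac={f.get('Mac', '?')}")
    print("violations for ECDH_ONLY:", policy_violations(ECDH_ONLY))
    # Letting RSA key exchange back in (Kx=RSA, no forward secrecy) is
    # reported by the same check, without opening a single connection.
    print("violations for kRSA:kEECDH:", policy_violations("kRSA:kEECDH:!NULL:!aNULL"))
    print("unknown string accepted:", accepts_cipher_string("NO-SUCH-CIPHER"))
```

The exact suites printed depend on the OpenSSL build and its security level (the RC4 and 3DES suites in the thread's 2011 output are gone from current default builds), which is precisely why reading the resolved list back is more useful than trusting the string: the same 'kEECDH:!NULL:!aNULL' means something different on every OpenSSL version.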