> On Feb 16, 2015, at 4:53 PM, Jason J. W. Williams <jasonjwwilli...@gmail.com> 
> wrote:
> 
> Hi,
> 
> I need to loosen up the default cipher list to allow RC4 (some sites
> our customers use like myaccounts.socalgas.com still use it).
> 
> I was going to pass the following dict into the
> extraCertificateOptions argument of ssl.optionsForClientTLS, but was
> curious if there was a better way:
> 
> {"acceptableCiphers" : <IAcceptableCiphers object>}


As the documentation for extraCertificateOptions says, if you need to use it 
it's a bug in the interface.  As such, please file it :-).  This escape-hatch 
was presented specifically so we could discover which features of that 
interface were really necessary customizations and which were just unfortunate 
compromises with OpenSSL's API.

In this case, no, there's no other way to get acceptable ciphers in there, and 
this should probably just be added to optionsForClientTLS.

Another reasonable fix might be to allow RC4, since I think the default cipher 
suites that we have selected might be more appropriate for servers than for 
clients; the major browsers will still negotiate RC4 so we might want a 
slightly more permissive list.  Hopefully someone more cryptographically 
enlightened than I am can opine as to whether this is a reasonable thing to do 
in 2015...

-g
_______________________________________________
Twisted-Python mailing list
Twisted-Python@twistedmatrix.com
http://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python
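
An added example, not part of the original thread and not Twisted's own code: one way to pass acceptableCiphers through extraCertificateOptions while keeping the loosened list confined to the specific hosts that need RC4, so every other connection keeps Twisted's defaults. The host name, the cipher string and the helper names are assumptions made for illustration.

```python
# Added example. LEGACY_RC4_HOSTS, LEGACY_CIPHER_STRING and both helper
# functions are hypothetical names; the host below is a constructed placeholder.
LEGACY_RC4_HOSTS = frozenset({"legacy.example.com"})

# Assumed OpenSSL cipher string: AES suites first, RC4-SHA last as a
# fallback, anonymous and MD5-based suites excluded.
LEGACY_CIPHER_STRING = (
    "ECDH+AESGCM:ECDH+AES:DH+AES:RSA+AES:RC4-SHA:!aNULL:!MD5"
)


def cipher_string_for(hostname):
    """Return the loosened cipher string for an allowlisted host, else None.

    Matching is exact (after lowercasing and dropping a trailing dot), so
    subdomains of an allowlisted host do not inherit the weaker list.
    """
    name = hostname.lower().rstrip(".")
    return LEGACY_CIPHER_STRING if name in LEGACY_RC4_HOSTS else None


def client_options_for(hostname):
    """Build TLS client options, loosening ciphers only for allowlisted hosts."""
    # Imported here so the allowlist logic above can be exercised on a
    # machine that does not have Twisted installed.
    from twisted.internet import ssl

    cipher_string = cipher_string_for(hostname)
    if cipher_string is None:
        # Not allowlisted: keep Twisted's default cipher selection.
        return ssl.optionsForClientTLS(hostname)

    # fromOpenSSLCipherString keeps only the suites the local OpenSSL build
    # supports, so RC4 is silently absent where OpenSSL was built without it.
    ciphers = ssl.AcceptableCiphers.fromOpenSSLCipherString(cipher_string)
    return ssl.optionsForClientTLS(
        hostname,
        extraCertificateOptions={"acceptableCiphers": ciphers},
    )
```

Certificate and hostname verification are unchanged in both branches; only the offered cipher list differs.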
