> On 17 Feb 2015, at 09:52, Glyph Lefkowitz <[email protected]> wrote:
>
>> On Feb 16, 2015, at 4:53 PM, Jason J. W. Williams
>> <[email protected]> wrote:
>>
>> Hi,
>>
>> I need to loosen up the default cipher list to allow RC4 (some sites
>> our customers use like myaccounts.socalgas.com still use it).
>>
>> I was going to pass the following dict into the
>> extraCertificateOptions argument of ssl.optionsForClientTLS, but was
>> curious if there was a better way:
>>
>> {"acceptableCiphers" : <IAcceptableCiphers object>}
>
> As the documentation for extraCertificateOptions says, if you need to use it
> it's a bug in the interface. As such, please file it :-). This escape-hatch
> was presented specifically so we could discover which features of that
> interface were really necessary customizations and which were just
> unfortunate compromises with OpenSSL's API.
>
> In this case, no, there's no other way to get acceptable ciphers in there,
> and this should probably just be added to optionsForClientTLS.
>
> Another reasonable fix might be to allow RC4, since I think the default
> cipher suites that we have selected might be more appropriate for servers
> than for clients; the major browsers will still negotiate RC4 so we might
> want a slightly more permissive list. Hopefully someone more
> cryptographically enlightened than I am can opine as to whether this is a
> reasonable thing to do in 2015...
>
> -g
> _______________________________________________
> Twisted-Python mailing list
> [email protected]
> http://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python

Some browsers won’t — Firefox refuses to use RC4 :)

- Hawkie
