> As the documentation for extraCertificateOptions says, if you need to use it
> it's a bug in the interface. As such, please file it :-). This escape-hatch
> was presented specifically so we could discover which features of that
> interface were really necessary customizations and which were just
> unfortunate compromises with OpenSSL's API.

Will do. Saw that note but wanted to make sure I wasn't missing a better approach before filing a bug.

> In this case, no, there's no other way to get acceptable ciphers in there,
> and this should probably just be added to optionsForClientTLS.
>
> Another reasonable fix might be to allow RC4, since I think the default
> cipher suites that we have selected might be more appropriate for servers
> than for clients; the major browsers will still negotiate RC4 so we might
> want a slightly more permissive list. Hopefully someone more
> cryptographically enlightened than I am can opine as to whether this is a
> reasonable thing to do in 2015...

I'd advocate for adding the acceptableCiphers argument to optionsForClientTLS over loosening the default cipher list. I think having a secure default and making loosening that default an explicit action is a good behavior. That way a less secure cipher list is always an active choice.

-J

_______________________________________________
Twisted-Python mailing list
Twisted-Python@twistedmatrix.com
http://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python
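The design J argues for above (a strict default cipher list, with any loosening made as an explicit argument at the call site) can be shown without Twisted. The following is an added example, not code from this thread or from Twisted: it uses the standard-library `ssl` module in place of `optionsForClientTLS`, and `DEFAULT_CIPHERS`, `client_context`, `added_beyond_default` and the other helper names are assumptions made for this illustration. The `added_beyond_default` helper is the audit step: it lists exactly which suites an explicit `acceptable_ciphers` value turned on that the default would not have offered.

```python
"""Secure-by-default TLS client cipher policy with explicit opt-in loosening.

Added illustration (not Twisted code): the standard-library ssl module stands
in for optionsForClientTLS. DEFAULT_CIPHERS, client_context and the helper
names below are assumptions made for this example.
"""
import ssl

# Constructed strict default: forward-secret AEAD suites only. RC4 and MD5 are
# removed with "!" so a later alias in the same string cannot re-enable them.
DEFAULT_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5:!RC4"


def client_context(acceptable_ciphers=None):
    """Build a certificate-verifying client context.

    The cipher list is DEFAULT_CIPHERS unless the caller passes an explicit
    acceptable_ciphers string, so loosening is always a visible argument at
    the call site rather than a silently weaker default.
    """
    ctx = ssl.create_default_context()          # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    spec = DEFAULT_CIPHERS if acceptable_ciphers is None else acceptable_ciphers
    ctx.set_ciphers(spec)                       # ssl.SSLError if nothing matches
    return ctx


def is_verifying(ctx):
    """True when the context both checks the chain and matches the hostname."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def cipher_names(ctx):
    """Names of the suites OpenSSL actually enabled for this context."""
    return sorted(c["name"] for c in ctx.get_ciphers())


def uses_rc4(ctx):
    return any("RC4" in name for name in cipher_names(ctx))


def added_beyond_default(ctx):
    """Suites present in ctx that the strict default would not offer.

    Reviewing this list is the audit step for any explicit loosening.
    """
    baseline = set(cipher_names(client_context()))
    return sorted(set(cipher_names(ctx)) - baseline)


if __name__ == "__main__":
    strict = client_context()
    # Explicit, reviewable loosening: CBC/SHA-1 AES-128 suites added on top.
    loose = client_context(DEFAULT_CIPHERS + ":ECDHE+AES128+SHA")
    print("default suites:", cipher_names(strict))
    print("RC4 in default:", uses_rc4(strict))
    print("added by explicit loosening:", added_beyond_default(loose))
```

Because the loosened string is built by appending to `DEFAULT_CIPHERS`, the default suites are always still offered and the `!RC4` exclusion still applies; the only change a reviewer has to assess is the short list `added_beyond_default` returns.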