[Twisted-Python] Specifying ciphers in ssl.optionsForClientTLS

[Hynek Schlawack]

On 17 Feb 2015, at 2:52, Glyph Lefkowitz wrote:

>> I need to loosen up the default cipher list to allow RC4 (some sites
>> our customers use like myaccounts.socalgas.com still use it).
>>
>> I was going to pass the following dict into the
>> extraCertificateOptions argument of ssl.optionsForClientTLS, but was
>> curious if there as a better way:
>>
>> {"acceptableCiphers" : <IAcceptableCiphers object>}
>
>
> As the documentation for extraCertificateOptions says, if you need to 
> use it it's a bug in the interface.  As such, please file it :-).  
> This escape-hatch was presented specifically so we could discover 
> which features of that interface were really necessary customizations 
> and which were just unfortunate compromises with OpenSSL's API.
>
> In this case, no, there's no other way to get acceptable ciphers in 
> there, and this should probably just be added to optionsForClientTLS.

Yes.

> Another reasonable fix might be to allow RC4, since I think the 
> default cipher suites that we have selected might be more appropriate 
> for servers than for clients; the major browsers will still negotiate 
> RC4 so we might want a slightly more permissive list.  Hopefully 
> someone more cryptographically enlightened than I am can opine as to 
> whether this is a reasonable thing to do in 2015...

I’m still maintaining that watering down the defaults is an invitation 
to downgrade attacks that affect *everyone*.  And RC4 looks worse with 
every month passing.