[Twisted-Python] Specifying ciphers in ssl.optionsForClientTLS
Hynek Schlawack
hs at ox.cx
Mon Feb 16 23:14:28 MST 2015
On 17 Feb 2015, at 2:52, Glyph Lefkowitz wrote:
>> I need to loosen up the default cipher list to allow RC4 (some sites
>> our customers use like myaccounts.socalgas.com still use it).
>>
>> I was going to pass the following dict into the
>> extraCertificateOptions argument of ssl.optionsForClientTLS, but was
>> curious if there as a better way:
>>
>> {"acceptableCiphers" : <IAcceptableCiphers object>}
>
>
> As the documentation for extraCertificateOptions says, if you need to
> use it it's a bug in the interface. As such, please file it :-).
> This escape-hatch was presented specifically so we could discover
> which features of that interface were really necessary customizations
> and which were just unfortunate compromises with OpenSSL's API.
>
> In this case, no, there's no other way to get acceptable ciphers in
> there, and this should probably just be added to optionsForClientTLS.
Yes.
> Another reasonable fix might be to allow RC4, since I think the
> default cipher suites that we have selected might be more appropriate
> for servers than for clients; the major browsers will still negotiate
> RC4 so we might want a slightly more permissive list. Hopefully
> someone more cryptographically enlightened than I am can opine as to
> whether this is a reasonable thing to do in 2015...
I’m still maintaining that watering down the defaults is an invitation
to downgrade attacks that affect *everyone*. And RC4 looks worse with
every month passing.
More information about the Twisted-Python
mailing list