Ticket #6663 enhancement new
Allow CertificateOptions to set acceptable SSL ciphers
|Reported by:||hynek||Owned by:|
|Cc:||hs@…, zooko, mithrandi@…, tobias.oberstein@…||Branch:||
(diff, github, buildbot, log)
This is pretty important: we need to expose PyOpenSSL’s set_cipher_list to CertificateOptions so users can configure their acceptable SSL ciphers. zooko already called for it in #2061.
What happens if not, can be witnessed with our web page: we allow MD5 hashes and DES ciphers which are both patently insecure.
This is not an OpenSSL issue – these are options that need to be configurable if you want to deploy OpenSSL-based services in a responsible way. E.g. it’s impossible to configure a web server that offers perfect forward secrecy.
I’m going to plug my own work and use http://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ as an example: it doesn’t matter whether you agree or not with my recommendations, we need to give our users the necessary control over the ciphers if we expect them to be able to use Twisted w/o an HTTP proxy. And we also should set half-way secure defaults (like no DES & MD5) which people will have to break on purpose if they need to for some reason.
I propose to add an option called ciphers to CertificateOptions which take an OpenSSL cipher string that is pretty universal (the same you pass into Apache or nginx) and pass it into the contexts.