[Twisted-Python] Specifying ciphers in ssl.optionsForClientTLS

Glyph Lefkowitz glyph at twistedmatrix.com
Mon Feb 16 18:52:43 MST 2015


> On Feb 16, 2015, at 4:53 PM, Jason J. W. Williams <jasonjwwilliams at gmail.com> wrote:
> 
> Hi,
> 
> I need to loosen up the default cipher list to allow RC4 (some sites
> our customers use like myaccounts.socalgas.com still use it).
> 
> I was going to pass the following dict into the
> extraCertificateOptions argument of ssl.optionsForClientTLS, but was
> curious if there was a better way:
> 
> {"acceptableCiphers" : <IAcceptableCiphers object>}


As the documentation for extraCertificateOptions says, if you need to use it it's a bug in the interface.  As such, please file it :-).  This escape-hatch was presented specifically so we could discover which features of that interface were really necessary customizations and which were just unfortunate compromises with OpenSSL's API.

In this case, no, there's no other way to get acceptable ciphers in there, and this should probably just be added to optionsForClientTLS.

Another reasonable fix might be to allow RC4, since I think the default cipher suites that we have selected might be more appropriate for servers than for clients; the major browsers will still negotiate RC4 so we might want a slightly more permissive list.  Hopefully someone more cryptographically enlightened than I am can opine as to whether this is a reasonable thing to do in 2015...

-g
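The escape hatch discussed above, as an added example that is not from this thread or from the Twisted project: it builds the `extraCertificateOptions={"acceptableCiphers": ...}` argument for `optionsForClientTLS`, derives the loosened cipher string from a base list while respecting OpenSSL's order-sensitive "!" exclusions, and checks whether the interpreter's own OpenSSL can still offer RC4 at all. It assumes the 2015-era `twisted.internet.ssl` API (`optionsForClientTLS` accepting `extraCertificateOptions`, and `AcceptableCiphers.fromOpenSSLCipherString`); the base cipher string is a constructed sample, not Twisted's real default list, and `with_rc4`, `rc4_available_locally` and `client_options_allowing_rc4` are hypothetical helper names.

```python
"""Client TLS options that additionally allow RC4, via the
extraCertificateOptions escape hatch of ssl.optionsForClientTLS.

Added example; not code from the thread or from the Twisted project.
Assumes the twisted.internet.ssl API as it existed in 2015:
optionsForClientTLS(hostname, ..., extraCertificateOptions={...}) and
AcceptableCiphers.fromOpenSSLCipherString(). BASE_CIPHERS is a
constructed sample, not Twisted's actual default cipher list.
"""
import ssl

try:
    from twisted.internet.ssl import AcceptableCiphers, optionsForClientTLS
    TWISTED_AVAILABLE = True
except ImportError:  # Twisted is optional here so the string logic runs alone
    TWISTED_AVAILABLE = False

# Constructed sample of a "modern" client cipher string (not Twisted's default).
BASE_CIPHERS = "ECDHE+AESGCM:ECDHE+AES:DHE+AESGCM:!aNULL:!MD5:!RC4"

RC4_SUITES = ("RC4-SHA",)


def with_rc4(cipher_string, rc4_suites=RC4_SUITES):
    """Return cipher_string with RC4 suites appended at lowest preference.

    OpenSSL cipher strings are order-sensitive: a "!RC4" entry removes RC4
    permanently no matter what follows it, so such exclusions are dropped,
    and the RC4 suites are placed after the existing positive entries but
    before the remaining "!" exclusions so nothing else is weakened.
    """
    entries = [e for e in cipher_string.split(":") if e]
    positive = [e for e in entries if not e.startswith("!")]
    exclusions = [e for e in entries if e.startswith("!") and e.upper() != "!RC4"]
    for suite in rc4_suites:
        if suite not in positive:
            positive.append(suite)
    return ":".join(positive + exclusions)


def rc4_available_locally(suite="RC4-SHA"):
    """True if the OpenSSL linked into this interpreter can offer the suite.

    Newer OpenSSL builds omit RC4 entirely; in that case loosening the
    Twisted cipher list cannot help, and this check surfaces it early.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(suite)
    except ssl.SSLError:
        return False
    return any(c["name"] == suite for c in ctx.get_ciphers())


def client_options_allowing_rc4(hostname, base=BASE_CIPHERS):
    """Build Twisted client TLS options whose cipher list also admits RC4.

    Goes through the extraCertificateOptions escape hatch, which the thread
    notes is the only way to reach acceptableCiphers from optionsForClientTLS.
    Returns None when Twisted is not installed.
    """
    if not TWISTED_AVAILABLE:
        return None
    ciphers = AcceptableCiphers.fromOpenSSLCipherString(with_rc4(base))
    return optionsForClientTLS(
        hostname,
        extraCertificateOptions={"acceptableCiphers": ciphers},
    )


if __name__ == "__main__":
    print("cipher string:", with_rc4(BASE_CIPHERS))
    print("local OpenSSL offers RC4-SHA:", rc4_available_locally())
    opts = client_options_allowing_rc4("myaccounts.socalgas.com")
    print("Twisted options built:", opts is not None)
```

Keeping RC4 at the end of the positive list means it is only negotiated when a server offers nothing better; a server that supports AES-GCM still gets it. Note that RFC 7465 (February 2015) prohibits RC4 cipher suites in TLS, and OpenSSL builds from 1.1.0 onward leave RC4 out unless it is explicitly compiled in, so `rc4_available_locally()` returning False on a current system is expected rather than a configuration error.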


