[Twisted-Python] Specifying ciphers in ssl.optionsForClientTLS

HawkOwl hawkowl at atleastfornow.net
Mon Feb 16 19:14:46 MST 2015


> On 17 Feb 2015, at 09:52, Glyph Lefkowitz <glyph at twistedmatrix.com> wrote:
> 
> 
>> On Feb 16, 2015, at 4:53 PM, Jason J. W. Williams <jasonjwwilliams at gmail.com> wrote:
>> 
>> Hi,
>> 
>> I need to loosen up the default cipher list to allow RC4 (some sites
>> our customers use like myaccounts.socalgas.com still use it).
>> 
>> I was going to pass the following dict into the
>> extraCertificateOptions argument of ssl.optionsForClientTLS, but was
>> curious if there was a better way:
>> 
>> {"acceptableCiphers" : <IAcceptableCiphers object>}
> 
> 
> As the documentation for extraCertificateOptions says, if you need to use it, it's a bug in the interface. As such, please file it :-). This escape-hatch was presented specifically so we could discover which features of that interface were really necessary customizations and which were just unfortunate compromises with OpenSSL's API.
> 
> In this case, no, there's no other way to get acceptable ciphers in there, and this should probably just be added to optionsForClientTLS.
> 
> Another reasonable fix might be to allow RC4, since I think the default cipher suites that we have selected might be more appropriate for servers than for clients; the major browsers will still negotiate RC4 so we might want a slightly more permissive list.  Hopefully someone more cryptographically enlightened than I am can opine as to whether this is a reasonable thing to do in 2015...
> 
> -g
> _______________________________________________
> Twisted-Python mailing list
> Twisted-Python at twistedmatrix.com
> http://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python

Some browsers won’t — Firefox refuses to use RC4 :)

- Hawkie
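
An added example, not part of the original thread and not Twisted's own code: one way to confine the RC4 exception discussed above to named hosts, keeping a strict list everywhere else, and to check which RC4 suites the local OpenSSL build would really enable. The cipher strings, `LEGACY_HOSTS` and the helper names are assumptions; `client_options` needs Twisted and its TLS dependencies installed.

```python
import ssl as stdlib_ssl

# Constructed sample policy values (assumptions, not from the thread).
STRICT = "ECDHE+AESGCM"
LEGACY = STRICT + ":RC4-SHA"          # strict list plus a single RC4 suite
LEGACY_HOSTS = {"legacy.example"}     # hypothetical hosts granted the exception


def cipher_string_for(hostname):
    """Return the OpenSSL cipher string to use for hostname."""
    return LEGACY if hostname.lower() in LEGACY_HOSTS else STRICT


def enabled_suites(cipher_string):
    """Suite names the interpreter's OpenSSL enables for cipher_string.

    Approximation: pyOpenSSL (used by Twisted) may link a different OpenSSL.
    """
    ctx = stdlib_ssl.SSLContext(stdlib_ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except stdlib_ssl.SSLError:       # nothing in the string is available
        return []
    return [c["name"] for c in ctx.get_ciphers()]


def rc4_suites(cipher_string):
    """RC4 suites that cipher_string really turns on in this build."""
    return [n for n in enabled_suites(cipher_string) if "RC4" in n]


def client_options(hostname):
    """Build Twisted client TLS options with the per-host cipher list."""
    from twisted.internet import ssl  # local import: the audit runs without Twisted
    ciphers = ssl.AcceptableCiphers.fromOpenSSLCipherString(
        cipher_string_for(hostname))
    return ssl.optionsForClientTLS(
        hostname, extraCertificateOptions={"acceptableCiphers": ciphers})


if __name__ == "__main__":
    for host in ("example.org", "legacy.example"):
        policy = cipher_string_for(host)
        print(host, policy, "RC4 enabled:", rc4_suites(policy) or "none")
```
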