[Twisted-Python] Specifying ciphers in ssl.optionsForClientTLS

Jason J. W. Williams jasonjwwilliams at gmail.com
Mon Feb 16 19:16:16 MST 2015


> As the documentation for extraCertificateOptions says, if you need to use it it's a bug in the interface.  As such, please file it :-).  This escape-hatch was presented specifically so we could discover which features of that interface were really necessary customizations and which were just unfortunate compromises with OpenSSL's API.

Will do. Saw that note but wanted to make sure I wasn't missing a
better approach before filing a bug.

> In this case, no, there's no other way to get acceptable ciphers in there, and this should probably just be added to optionsForClientTLS.
>
> Another reasonable fix might be to allow RC4, since I think the default cipher suites that we have selected might be more appropriate for servers than for clients; the major browsers will still negotiate RC4 so we might want a slightly more permissive list.  Hopefully someone more cryptographically enlightened than I am can opine as to whether this is a reasonable thing to do in 2015...

I'd advocate for adding the acceptableCiphers argument to
optionsForClientTLS over loosening the default cipher list. I think
having a secure default and making loosening that default an explicit
action is a good behavior. That way a less secure cipher list is
always an active choice.

-J
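As an added example for this thread (not code from the original post and not Twisted's own implementation), the following shows the escape hatch the exchange above is about: `optionsForClientTLS` takes no `acceptableCiphers` argument, so the cipher list is forwarded to `CertificateOptions` through `extraCertificateOptions`, with a strict list as the default and any weaker list an explicit caller choice. `SECURE_CIPHER_STRING`, `preview_cipher_list`, `cipher_string_is_usable` and `client_tls_options` are names and choices made for this example; the cipher string itself is an illustrative list, not Twisted's default. The stdlib `ssl` module is used only to preview which suites an OpenSSL cipher string selects, so the helpers run without Twisted installed; the Twisted imports happen inside `client_tls_options`.

```python
import ssl

# Illustrative list for this example (not Twisted's default): ECDHE key
# exchange with AES-GCM only, and the usual exclusions spelled out.
SECURE_CIPHER_STRING = "ECDHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4"


def preview_cipher_list(cipher_string):
    """Return the TLS 1.2-and-earlier suite names that an OpenSSL cipher
    string selects, using the stdlib ssl module. The syntax is the same
    one Twisted passes through to pyOpenSSL. Raises ssl.SSLError when the
    string matches nothing."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    # TLS 1.3 suites are configured separately by OpenSSL and always show
    # up in get_ciphers(); drop them so only the string's selection remains.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def cipher_string_is_usable(cipher_string):
    """True if OpenSSL can select at least one suite from the string.
    A misspelled or over-restrictive list fails closed here instead of
    leaving the connection to whatever the server offers."""
    try:
        return len(preview_cipher_list(cipher_string)) > 0
    except ssl.SSLError:
        return False


def client_tls_options(hostname, cipher_string=SECURE_CIPHER_STRING):
    """Build Twisted client TLS options with an explicit cipher list.

    optionsForClientTLS has no acceptableCiphers parameter, so the list goes
    through the extraCertificateOptions escape hatch, which forwards keyword
    arguments to CertificateOptions. The strict list is the default; a caller
    who wants something weaker (say, one including RC4) has to pass it in.
    Twisted is imported here so the helpers above work without it.
    """
    from twisted.internet.ssl import AcceptableCiphers, optionsForClientTLS

    if not cipher_string_is_usable(cipher_string):
        raise ValueError("cipher string selects no suites: %r" % (cipher_string,))
    ciphers = AcceptableCiphers.fromOpenSSLCipherString(cipher_string)
    return optionsForClientTLS(
        hostname,
        extraCertificateOptions={"acceptableCiphers": ciphers},
    )


if __name__ == "__main__":
    print("default list selects:", preview_cipher_list(SECURE_CIPHER_STRING))
    # Loosening is an active choice: the weaker list must be spelled out.
    legacy = "DEFAULT:RC4"
    if cipher_string_is_usable(legacy):
        print("explicitly loosened list selects:", preview_cipher_list(legacy))
    else:
        print("this OpenSSL build cannot select anything from", legacy)
```

Whether RC4 suites actually appear when a caller opts in depends on how the local OpenSSL was built; recent builds leave RC4 out entirely, which is why the loosened branch above checks `cipher_string_is_usable` before previewing.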
