[Python-Dev] Controlling the cipher list for SSL connections
Michael Foord
fuzzyman at voidspace.org.uk
Mon Sep 7 18:15:21 CEST 2009
Hello Chris,
Can you post your patch to the Python bug tracker please -
http://bugs.python.org
Patches posted to this list tend to get lost...
Thanks
Michael
Chris Frantz wrote:
> Greetings,
>
> I would like to be able to set the cipher list when creating an SSL
> connection. It appears that the current SSL module doesn't provide
> this functionality.
>
> The attached patch (against trunk) adds this ability to SSLSocket.
>
> Thank you,
> --Chris
>
> PS: Please reply directly to me, as I'm not subscribed to this list.
>
> Index: Python-2.7/Lib/ssl.py
> ===================================================================
> --- Python-2.7/Lib/ssl.py (revision 74703)
> +++ Python-2.7/Lib/ssl.py (working copy)
> @@ -88,7 +88,7 @@
> server_side=False, cert_reqs=CERT_NONE,
> ssl_version=PROTOCOL_SSLv23, ca_certs=None,
> do_handshake_on_connect=True,
> - suppress_ragged_eofs=True):
> + suppress_ragged_eofs=True, cipher_list=None):
> socket.__init__(self, _sock=sock._sock)
> # the initializer for socket trashes the methods (tsk, tsk), so...
> self.send = lambda data, flags=0: SSLSocket.send(self, data, flags)
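Review bot: The new `cipher_list` keyword on `SSLSocket.__init__` is not documented anywhere in the hunk: nothing states that it is an OpenSSL cipher-list string handed straight to `SSL_CTX_set_cipher_list()`, that `None` keeps the library default, or what the caller sees when the string selects no cipher. Since this option directly decides which cipher suites the connection will accept, a one-line entry in the class docstring along the lines of `cipher_list -- OpenSSL cipher-list string limiting the ciphers offered; None keeps OpenSSL's default` would let users set it deliberately. The `__init__` signature begins before the hunk, and the module-level `wrap_socket()` helper, if it is meant to expose the option, is not touched by the visible patch.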
> @@ -110,7 +110,8 @@
> # yes, create the SSL object
> self._sslobj = _ssl.sslwrap(self._sock, server_side,
> keyfile, certfile,
> - cert_reqs, ssl_version, ca_certs)
> + cert_reqs, ssl_version,
> + ca_certs, cipher_list)
> if do_handshake_on_connect:
> timeout = self.gettimeout()
> try:
> Index: Python-2.7/Modules/_ssl.c
> ===================================================================
> --- Python-2.7/Modules/_ssl.c (revision 74703)
> +++ Python-2.7/Modules/_ssl.c (working copy)
> @@ -261,7 +261,8 @@
> enum py_ssl_server_or_client socket_type,
> enum py_ssl_cert_requirements certreq,
> enum py_ssl_version proto_version,
> - char *cacerts_file)
> + char *cacerts_file,
> + char *cipher_list)
> {
> PySSLObject *self;
> char *errstr = NULL;
> @@ -366,6 +367,9 @@
> SSL_CTX_set_verify(self->ctx, verification_mode,
> NULL); /* set verify lvl */
>
> + if (cipher_list)
> + SSL_CTX_set_cipher_list(self->ctx, cipher_list);
> +
> PySSL_BEGIN_ALLOW_THREADS
> self->ssl = SSL_new(self->ctx); /* New ssl struct */
> PySSL_END_ALLOW_THREADS
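Review bot: The return value of `SSL_CTX_set_cipher_list()` on the added line is discarded, so a cipher string that matches no cipher leaves the context's previous cipher list in place and the caller gets a connection that did not honour the restriction it asked for, with no error. The function already has `errstr` (declared in the previous hunk), so the call should fail loudly: `if (cipher_list && !SSL_CTX_set_cipher_list(self->ctx, cipher_list)) { errstr = "No cipher can be selected."; goto fail; }`. The failure label and the code that reports `errstr` are outside the hunk, so the exact label name needs to be checked against the rest of `newPySSLObject`. The placement before `SSL_new()` is right, since the new `SSL` object inherits the context's list.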
> @@ -407,14 +411,17 @@
> char *key_file = NULL;
> char *cert_file = NULL;
> char *cacerts_file = NULL;
> + char *cipher_list = NULL;
>
> - if (!PyArg_ParseTuple(args, "O!i|zziiz:sslwrap",
> +
> + if (!PyArg_ParseTuple(args, "O!i|zziizz:sslwrap",
> PySocketModule.Sock_Type,
> &Sock,
> &server_side,
> &key_file, &cert_file,
> &verification_mode, &protocol,
> - &cacerts_file))
> + &cacerts_file,
> + &cipher_list))
> return NULL;
>
> /*
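Review bot: The added empty `+` line just before `PyArg_ParseTuple()` is an unrelated whitespace change that leaves two blank lines in a row; it should be dropped so the hunk only carries the `cipher_list` addition. The rest of the hunk is consistent with the existing arguments: `z` mirrors `cacerts_file`, so passing `None` from Python yields a NULL pointer and the C side's `if (cipher_list)` guard keeps the default ciphers.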
> @@ -427,12 +434,12 @@
>
> return (PyObject *) newPySSLObject(Sock, key_file, cert_file,
> server_side, verification_mode,
> - protocol, cacerts_file);
> + protocol, cacerts_file, cipher_list);
> }
>
> PyDoc_STRVAR(ssl_doc,
> "sslwrap(socket, server_side, [keyfile, certfile, certs_mode, protocol,\n"
> -" cacertsfile]) -> sslobject");
> +" cacertsfile, cipherlist]) -> sslobject");
>
> /* SSL object methods */
--
http://www.ironpythoninaction.com/
http://www.voidspace.org.uk/blog