How to disable SSL3 and weak ciphers with cherrypy builtin ssl module (python 3)
I have configured Cherrypy 3.8.0 with Python 3 to use SSL/TLS. However, I want to disable SSL3 to avoid POODLE. I searched through the documentation but I am unsure how to implement it.

I am using the cherrypy/python builtin ssl module, not pyOpenSSL which I am unable to use under Python 3.

Bouilli answered 12/1, 2016 at 10:19

To disable SSL3, you should set the ssl_context variable yourself rather than accepting the default. Here's an example using Python's built-in ssl module (in lieu of the built-in cherrypy ssl module).

import cherrypy
import ssl

ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
ctx.options |= ssl.OP_NO_SSLv2
ctx.options |= ssl.OP_NO_SSLv3

# server_config was not defined in the original snippet; 'server.ssl_context'
# hands the context above to CherryPy (certificate paths are placeholders)
server_config = {
    'server.ssl_module': 'builtin',
    'server.ssl_certificate': '/path/to/server.crt',
    'server.ssl_private_key': '/path/to/server.key',
    'server.ssl_context': ctx,
}

cherrypy.config.update(server_config)

where in this case, SSL is from the OpenSSL module.

It's worth noting that beginning in Python 3.2.3, the ssl module disables certain weak ciphers by default.

Furthermore, you can specifically set all the ciphers you want with

ciphers = {
    'DHE-RSA-AES256-SHA',
    ...
    'RC4-SHA'
}

ctx.set_ciphers(':'.join(ciphers))

If you're using the CherryPyWSGIServer from the web.wsgiserver module, you would set the default ciphers with

CherryPyWSGIServer.ssl_adapter.context.set_cipher_list(':'.join(ciphers))

Here is part of the documentation detailing the above: http://docs.cherrypy.org/en/latest/pkg/cherrypy.wsgiserver.html#module-cherrypy.wsgiserver.ssl_builtin

Lastly, here are some sources (asking similar questions) that you may want to look at:

Crossarm answered 14/1, 2016 at 20:42
Hi Michael, unfortunately I need to use Python's builtin ssl module, with CherryPy, not pyopenssl - which provides OpenSSL module. I tried your solution but checking with openssl s_client ... -ssl3 it connects with ssl3, which I need to ensure to be disabled. - Bouilli
@fbrundu -- My mistake, I saw you say Python3 but I gave you the Python2 answer anyway! I've edited the answer above. Let me know if it works. - Crossarm
I am sorry but it doesn't work. Running with openssl s_client ... -ssl3 it always gives me Protocol : SSLv3 .. Could it be that ssl_context works only with pyOpenSSL which does not work with cherrypy on Python3 ? - Bouilli
I have implemented a "proxy" in python2 just to test your solution. Now it cannot connect: it gives me SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure - Bouilli
@MichaelRecachinas - Any chance you could repost your python 2 solution over at #34833432. Thanks! - Sale
@Sale -- Just did. Glad I could help with that one, but this one is still confusing me. I'm going to edit as I found something that should work. - Crossarm
@fbrundu -- I edited the above to include docs.cherrypy.org/en/latest/pkg/… for your Python 3 ssl issue. Let me know if this helps. - Crossarm
@MichaelRecachinas Unfortunately, it does not work. If I ask for SSLv3 it runs on SSLv3. If you need more information please ask. Thanks - Bouilli
Hi @MichaelRecachinas, I am giving you the bounty for the effort and because I think your answer may work but it does not due to Cherrypy. But I cannot accept the answer until it does not work, sorry. - Bouilli
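The following is an added example, not code from the answer above or from CherryPy itself. It builds the kind of ssl.SSLContext the answer describes (SSLv2/SSLv3 masked out, an explicit cipher list), adds an audit function so you can verify what the context actually still allows before handing it to a server, and shows the CherryPy config dictionary that carries the context. The function names (make_hardened_context, audit_context, filter_weak_ciphers, build_server_config) are mine; the server.ssl_* keys are CherryPy's configuration names as used with cherrypy.config.update, but whether the builtin adapter honours server.ssl_context depends on the CherryPy release (the comments above report it had no effect on the asker's 3.8.0 setup). The deny-list of weak cipher markers is constructed for the example; note that the answer's sample list still contains RC4-SHA, which a server should not offer.

```python
import ssl

# Substrings that mark a cipher suite as one a server should no longer offer.
# RC4 (still present as 'RC4-SHA' in the answer's example list) is the notable
# one: RFC 7465 prohibits it for TLS. Constructed deny-list for this example.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5")

# OpenSSL cipher string: forward-secret AEAD suites only, with the weak
# families excluded explicitly so a library default cannot re-enable them.
HARDENED_CIPHERS = "ECDHE+AESGCM:DHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4:!DES:!EXPORT"


def filter_weak_ciphers(names):
    """Drop suites matching a weak marker from a list like the answer's.

    Returns the surviving names sorted, ready for ':'.join().
    """
    return sorted(n for n in names
                  if not any(marker in n for marker in WEAK_CIPHER_MARKERS))


def make_hardened_context(certfile=None, keyfile=None):
    """Server-side SSLContext with SSLv2/SSLv3 off and weak ciphers removed."""
    # PROTOCOL_TLS_SERVER (Python 3.6+) is the server-only form of the
    # PROTOCOL_SSLv23 used in the answer: it still negotiates the highest
    # version both sides support.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # The answer's technique: mask out SSLv2 and SSLv3 (closes the POODLE
    # downgrade path).
    ctx.options |= ssl.OP_NO_SSLv2
    ctx.options |= ssl.OP_NO_SSLv3
    # Python 3.7+ expresses the version floor directly; TLS 1.0/1.1 are also
    # deprecated (RFC 8996), so the floor is set to TLS 1.2 here.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(HARDENED_CIPHERS)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def audit_context(ctx):
    """Report what a context still allows; False/empty everywhere means clean.

    OP_NO_SSLv2 is deliberately not checked: OpenSSL >= 1.1.0 removed SSLv2
    entirely and defines that option bit as 0, so testing it proves nothing.
    """
    return {
        "sslv3_allowed": not (ctx.options & ssl.OP_NO_SSLv3),
        "minimum_version": ctx.minimum_version.name,
        "weak_ciphers": [c["name"] for c in ctx.get_ciphers()
                         if any(m in c["name"] for m in WEAK_CIPHER_MARKERS)],
    }


def build_server_config(ctx, certfile, keyfile, port=8443):
    """CherryPy 'server.*' keys for cherrypy.config.update() (assumed usage)."""
    return {
        "server.socket_port": port,
        "server.ssl_module": "builtin",
        "server.ssl_certificate": certfile,
        "server.ssl_private_key": keyfile,
        "server.ssl_context": ctx,
    }


if __name__ == "__main__":
    hardened = make_hardened_context()
    print(audit_context(hardened))
    # With CherryPy installed and real certificate files:
    #   cherrypy.config.update(build_server_config(hardened, "server.crt", "server.key"))
```

Run the audit before starting the server and again against a live port with the check the asker used, openssl s_client ... -ssl3: a correctly applied context ends that test in a handshake failure rather than the Protocol : SSLv3 line reported in the comments. The audit only describes the context object; if the adapter in use ignores server.ssl_context, the live check is the one that tells you.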
