Disable weak ciphers with cherrypy (python 2) - McMap

About

Disable weak ciphers with cherrypy (python 2)

Asked 16/1, 2016 at 22:38 Answered 20/1, 2016 at 3:37

python python-2.7 ssl openssl cherrypy

H

1

4

I'm using Cherrypy 3.8.0 with Python 2 to use SSL/TLS using pyOpenSSL.

I want to disable SSL3 to avoid POODLE (or other weak ciphers).

Here's what I have so far:

  server_config={
          'server.socket_port': 443,
          'server.ssl_module':'pyopenssl',
          'server.ssl_certificate':'/path/myserver.crt',
          'server.ssl_private_key':'/path/myserver.key',
      }

This is similar to this question but for python 2 and pyopenssl.

How can I specify or exclude specific ciphers? Thanks!

Hautesalpes answered 16/1, 2016 at 22:38 Comment(0)

A

6

To disable SSL3, you should set the ssl_context variable yourself rather than accepting the default. Here's an example using Python's built-in ssl module (in lieu of the built-in cherrypy ssl module).

import cherrypy
from OpenSSL import SSL

ctx = SSL.Context(SSL.SSLv23_METHOD)
ctx.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3)

...

server_config = {
    'server.socket_host': '0.0.0.0',
    'server.socket_port': 443,
    'server.ssl_context': ctx
}

cherrypy.config.update(server_config)

where in this case, SSL is from the OpenSSL module.

It's worth noting that beginning in Python 3.2.3, the ssl module disables certain weak ciphers by default.

Furthermore, you can specifically set all the ciphers you want with

ciphers = {
    'DHE-RSA-AE256-SHA',
    ...
    'RC4-SHA'
}

ctx.set_cipher_list(':'.join(ciphers))

If you're using the CherryPyWSGIServer from the web.wsgiserver module, you would set the default ciphers with

CherryPyWSGIServer.ssl_adapter.context.set_cipher_list(':'.join(ciphers))

Lastly, here are some sources (asking similar questions) that you may want to look at:

Aurelioaurelius answered 20/1, 2016 at 3:37 Comment(5)

Thanks Michael. But I'm getting an error that says: 'module' object has no attribute 'SSLContext'. A little searching shows I need python 2.7.9 for this, but my distro is fixed at 2.7.6 for now. :/ So I'm still in need of a 2.7.6 answer if possible. – Hautesalpes 20/1, 2016 at 3:52

Ah sorry, you may not have gotten my update -- error in porting it from the other question: ctx = SSL.SSLContext -> ctx = SSL.Context(SSL.SSLv23_METHOD) – Aurelioaurelius 20/1, 2016 at 3:56

Unfortunately, this is still not working for me. Specifically, I'm getting a browser error that says 'ssl_error_no_cypher_overlap' – Hautesalpes 20/1, 2016 at 4:33

Which browser are you using? You might find this link (from my answer) useful: https://mcmap.net/q/1621245/-how-to-block-ssl-protocols-in-favor-of-tls – Aurelioaurelius 20/1, 2016 at 4:38

I'm testing with the latest firefox. Interesting link though. Sounds like it may be best to upgrade to 2.7.9 and get the SSL upgrades, unless I want to override pyopenssl. – Hautesalpes 20/1, 2016 at 4:43

Recommended topics

#Godot #Unity #Godot 4.X #Mongodb

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

© 2022 - 2024 — McMap. All rights reserved.