
I'm using CherryPy 3.8.0 with Python 2 to use SSL/TLS using pyOpenSSL.

I want to disable SSL3 to avoid POODLE (or other weak ciphers).

Here's what I have so far:

    server_config = {
        'server.socket_port': 443,
        'server.ssl_module': 'pyopenssl',
        'server.ssl_certificate': '/path/myserver.crt',
        'server.ssl_private_key': '/path/myserver.key',
    }

This is similar to this question but for Python 2 and pyOpenSSL.

How can I specify or exclude specific ciphers? Thanks!

– jrel

1 Answer


To disable SSL3, you should set the ssl_context variable yourself rather than accepting the default. Here's an example using Python's built-in ssl module (in lieu of the built-in cherrypy ssl module).

import cherrypy
from OpenSSL import SSL

# SSLv23_METHOD negotiates the highest protocol both sides support;
# the options below then remove SSLv2 and SSLv3 from that set (POODLE).
ctx = SSL.Context(SSL.SSLv23_METHOD)
ctx.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3)

...
# When you hand CherryPy a ready-made context, its pyOpenSSL adapter does
# not load the certificate and key for you; they go into this context
# (ctx.use_certificate_file / ctx.use_privatekey_file) before it is used.

server_config = {
    'server.socket_host': '0.0.0.0',
    'server.socket_port': 443,
    'server.ssl_context': ctx   # used by the (default) pyopenssl ssl_module
}

cherrypy.config.update(server_config)

where in this case, SSL is from the OpenSSL module.

It's worth noting that beginning in Python 3.2.3, the ssl module disables certain weak ciphers by default.

Furthermore, you can specifically set all the ciphers you want with

# A list rather than a set: the order of an OpenSSL cipher string is the
# server's preference order, and a set would discard it.
ciphers = [
    'DHE-RSA-AES256-SHA',
    ...
    'RC4-SHA'   # RC4 is considered weak; kept here as in the original answer
]

# OpenSSL cipher strings are colon-separated.
ctx.set_cipher_list(':'.join(ciphers))

If you're using the CherryPyWSGIServer from the web.wsgiserver module, you would set the default ciphers with

CherryPyWSGIServer.ssl_adapter.context.set_cipher_list(':'.join(ciphers))

Lastly, here are some sources (asking similar questions) that you may want to look at:

– Michael Recachinas
  • Thanks Michael. But I'm getting an error that says: 'module' object has no attribute 'SSLContext'. A little searching shows I need Python 2.7.9 for this, but my distro is fixed at 2.7.6 for now. :/ So I'm still in need of a 2.7.6 answer if possible. – jrel Jan 20 '16 at 03:52
  • Ah sorry, you may not have gotten my update -- error in porting it from the other question: `ctx = SSL.SSLContext` -> `ctx = SSL.Context(SSL.SSLv23_METHOD)` – Michael Recachinas Jan 20 '16 at 03:56
  • Unfortunately, this is still not working for me. Specifically, I'm getting a browser error that says 'ssl_error_no_cypher_overlap' – jrel Jan 20 '16 at 04:33
  • Which browser are you using? You might find this link (from my answer) useful: http://stackoverflow.com/a/29304038/4760801 – Michael Recachinas Jan 20 '16 at 04:38
  • I'm testing with the latest Firefox. Interesting link though. Sounds like it may be best to upgrade to 2.7.9 and get the SSL upgrades, unless I want to override pyOpenSSL. – jrel Jan 20 '16 at 04:43