From karan7868 at gmail.com Mon Jul 3 09:18:51 2017
From: karan7868 at gmail.com (Karan karan)
Date: Mon, 3 Jul 2017 06:18:51 -0700
Subject: [Cryptography-dev] set_cipher_list() API Question
Message-ID:

Hi,

I'm trying to set a specific cipher ('ECDHE-ECDSA-AES128-GCM-SHA256') in the
cipher list using the API set_cipher_list, but I'm getting the following
error:

kjoshi at ubuntu64dev:~/openssl_playground$ python test_ex.py
-----------------------------------
connected ('192.168.152.132', 443)
Traceback (most recent call last):
  File "test_ex.py", line 83, in <module>
    main()
  File "test_ex.py", line 65, in main
    cont, initial_session, ssl_conn, tcp_conn = create_ssl_connection()
  File "test_ex.py", line 25, in create_ssl_connection
    cont.set_cipher_list('ECDHE+ECDSA+AES128+GCM+SHA256')
  File "build/bdist.linux-x86_64/egg/OpenSSL/SSL.py", line 975, in set_cipher_list
  File "build/bdist.linux-x86_64/egg/OpenSSL/_util.py", line 67, in openssl_assert
  File "build/bdist.linux-x86_64/egg/OpenSSL/_util.py", line 54, in exception_from_error_queue
OpenSSL.SSL.Error: [('SSL routines', 'SSL_CTX_set_cipher_list', 'no cipher match')]

Below is the code that I have:

    from OpenSSL.SSL import Connection, Context, TLSv1_2_METHOD

    cont = Context(TLSv1_2_METHOD)
    #cont.set_cipher_list('0xc00e')
    #cont.set_cipher_list('ECDHE+ECDSA+AESGCM+SHA256')
    #cont.set_cipher_list('ECDHE-ECDSA-AES128-GCM-SHA256')
    cont.set_cipher_list('ECDHE+ECDSA+AES128+GCM+SHA256')
    # `client` is the TCP socket created earlier in the script (not shown)
    client_ssl = Connection(cont, client)
    client_ssl.set_connect_state()
    client_ssl.do_handshake()
    session_ref = client_ssl.get_session()

As seen above, I tried numerous combinations of word separators (_,-,+) but
nothing seemed to help.

I would appreciate it if someone could please let me know the usage of
this. I'm sure there must be a way of sending a specific cipher.
I'm performing a test on my local Apache server.

Thanks,
Karan.

From mithrandi at mithrandi.net Mon Jul 3 10:09:51 2017
From: mithrandi at mithrandi.net (Tristan Seligmann)
Date: Mon, 03 Jul 2017 14:09:51 +0000
Subject: [Cryptography-dev] set_cipher_list() API Question
In-Reply-To:
References:
Message-ID:

On Mon, 3 Jul 2017 at 15:18 Karan karan wrote:

> #cont.set_cipher_list('ECDHE-ECDSA-AES128-GCM-SHA256')

I believe this is the correct spelling, and it works for me. Perhaps your
OpenSSL does not have this cipher compiled in?

If you run `openssl ciphers ECDHE-ECDSA-AES128-GCM-SHA256` do you get an
error or successful cipher output?

From karan7868 at gmail.com Mon Jul 3 10:11:57 2017
From: karan7868 at gmail.com (Karan karan)
Date: Mon, 3 Jul 2017 07:11:57 -0700
Subject: [Cryptography-dev] set_cipher_list() API Question
In-Reply-To:
References:
Message-ID:

I set: cont.set_cipher_list('ECDHE-ECDSA-AES128-GCM-SHA256')

but I see the following error in the logs:

connected ('**.**.**.**', 443)
Traceback (most recent call last):
  File "test_ex.py", line 83, in <module>
    main()
  File "test_ex.py", line 65, in main
    cont, initial_session, ssl_conn, tcp_conn = create_ssl_connection()
  File "test_ex.py", line 33, in create_ssl_connection
    client_ssl.do_handshake()
  File "build/bdist.linux-x86_64/egg/OpenSSL/SSL.py", line 1638, in do_handshake
  File "build/bdist.linux-x86_64/egg/OpenSSL/SSL.py", line 1378, in _raise_ssl_error
  File "build/bdist.linux-x86_64/egg/OpenSSL/_util.py", line 54, in exception_from_error_queue
OpenSSL.SSL.Error: [('SSL routines', 'ssl3_read_bytes', 'sslv3 alert handshake failure')]

However, when I look in Wireshark I see the following ciphers set in the
client hello:
TLS_EMPTY_RENEGOTIATION_INFO_SCS and
'ECDHE-ECDSA-AES128-GCM-SHA256'.

I'm using TLS 1.2; not sure why it's complaining about the sslv3 protocol and
using the TLS_EMPTY_RENEGOTIATION_INFO_SCS.

I'd appreciate it if someone could help out with it.

Thanks,
Karan.

From cory at lukasa.co.uk Mon Jul 3 10:34:57 2017
From: cory at lukasa.co.uk (Cory Benfield)
Date: Mon, 3 Jul 2017 15:34:57 +0100
Subject: [Cryptography-dev] set_cipher_list() API Question
In-Reply-To:
References:
Message-ID: <31B04AF2-8B9A-416C-BD0C-F7AD6527B1ED@lukasa.co.uk>

The "sslv3" text is misleading: it simply relates to the way the OpenSSL
internals are structured. Similarly, TLS_EMPTY_RENEGOTIATION_INFO_SCSV is a
"dummy" cipher suite used to signal to the server that renegotiation using
RFC 5746 is supported: it's not an actual cipher suite.

This error is almost certainly due to the remote server not having an ECDSA
certificate. When you say ECDHE-ECDSA-AES128-GCM-SHA256 you make it entirely
impossible to interoperate with servers that use RSA certificates, which is
probably not what you want to do. A more useful cipher suite string is
"ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256", which includes
both the ECDSA and RSA variants of this cipher suite.

Cory
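
An added example, not part of the original thread: it uses Python's stdlib `ssl` module, whose `set_ciphers` calls the same OpenSSL function (`SSL_CTX_set_cipher_list`) named in the first traceback, to expand each cipher string from the thread and show which server certificate types the resulting offer can work with. The helper names are made up for illustration, and the check against a server key type is a model of the negotiation, not a handshake.

```python
import ssl

# Cipher strings taken from the thread above.
TRIED = [
    "0xc00e",
    "ECDHE+ECDSA+AESGCM+SHA256",
    "ECDHE+ECDSA+AES128+GCM+SHA256",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256",
]

# Value of the "auth" field reported by SSLContext.get_ciphers() for the
# two server key types discussed in the thread.
AUTH_FOR_KEY = {"rsa": "auth-rsa", "ecdsa": "auth-ecdsa"}


def expand(cipher_string):
    """Return the TLS 1.2-and-below suites selected by an OpenSSL cipher string.

    An empty list corresponds to the 'no cipher match' error in the thread.
    TLS 1.3 suites are configured separately from this string, so they are
    filtered out of the result.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def suite_names(cipher_string):
    """Names of the suites the client would offer for this string."""
    return [c["name"] for c in expand(cipher_string)]


def offered_auth(cipher_string):
    """Set of authentication methods (certificate key types) the offer allows."""
    return {c["auth"] for c in expand(cipher_string)}


def can_negotiate(cipher_string, server_key_type):
    """True if at least one offered suite fits a server with this key type.

    When this is False the server has nothing to pick and answers with a
    handshake_failure alert, which is the second error in the thread.
    """
    return AUTH_FOR_KEY[server_key_type] in offered_auth(cipher_string)


if __name__ == "__main__":
    for s in TRIED:
        names = suite_names(s)
        if not names:
            print(f"{s!r}: no cipher match")
            continue
        print(f"{s!r}: {names}")
        for key_type in ("rsa", "ecdsa"):
            verdict = "ok" if can_negotiate(s, key_type) else "handshake failure"
            print(f"    server with {key_type} certificate: {verdict}")
```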

From karan7868 at gmail.com Wed Jul 5 11:27:37 2017
From: karan7868 at gmail.com (Karan karan)
Date: Wed, 5 Jul 2017 08:27:37 -0700
Subject: [Cryptography-dev] Cryptography-dev Digest, Vol 48, Issue 1
In-Reply-To:
References:
Message-ID:

Thanks Cory!

That explains the issue, so it looks like the cipher is being set by the
client; it's just that I need server support.

Thanks,
Karan.

From karan7868 at gmail.com Wed Jul 5 11:32:56 2017
From: karan7868 at gmail.com (Karan karan)
Date: Wed, 5 Jul 2017 08:32:56 -0700
Subject: [Cryptography-dev] Cert how to set email - x509.RFC822Name(email)
Message-ID:

Hi,

I'm trying to set the email on the certificate with my code below. Since it's
self-signed, the issuer and the subject are the same:

    email = 'admin at example.com'
    subject = issuer = x509.Name([
        x509.NameAttribute(NameOID.COUNTRY_NAME, country_name),
        x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, state_name),
        x509.NameAttribute(NameOID.LOCALITY_NAME, locality_name),
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, org_name),
        x509.NameAttribute(NameOID.COMMON_NAME, common_name)
    ])
    *x509.RFC822Name(email)*

When I check the certificate details using s_client connect, I don't see the
email ID being set.

Thanks,
Karan.

From paul.l.kehrer at gmail.com Wed Jul 5 13:59:18 2017
From: paul.l.kehrer at gmail.com (Paul Kehrer)
Date: Wed, 5 Jul 2017 10:59:18 -0700
Subject: [Cryptography-dev] Cert how to set email - x509.RFC822Name(email)
In-Reply-To:
References:
Message-ID:

RFC822Name is a general name type that you'd use within a
SubjectAlternativeName. Chances are in this case you actually want the email
in the subjectDN, right? If so then you just want to add another element to
the list you pass to x509.Name:

    x509.NameAttribute(NameOID.EMAIL_ADDRESS, email_address)

-Paul Kehrer (reaperhulk)

From michael at stroeder.com Wed Jul 5 14:13:36 2017
From: michael at stroeder.com (Michael Ströder)
Date: Wed, 5 Jul 2017 20:13:36 +0200
Subject: [Cryptography-dev] LDAP string representation of cryptography.x509.Name
Message-ID: <60291788-a707-c1c2-741a-bf960ad99bd6@stroeder.com>

HI!

The only standardized string form for X.509 names is the LDAP "String
Representation of Distinguished Names" (see RFC 4514).
M2Crypto allows to simply let OpenSSL lib generate such a string
representation for a subject or issuer name.

Is there something similar available for cryptography.x509.Name?

Frankly I couldn't figure out how to directly access oid of
cryptography.x509.NameAttribute to write something like this.

Ciao, Michael.

From alex.gaynor at gmail.com Wed Jul 5 15:49:17 2017
From: alex.gaynor at gmail.com (Alex Gaynor)
Date: Wed, 5 Jul 2017 12:49:17 -0700
Subject: [Cryptography-dev] LDAP string representation of cryptography.x509.Name
In-Reply-To:
References: <60291788-a707-c1c2-741a-bf960ad99bd6@stroeder.com>
Message-ID:

We do not currently have an API for this format.

Alex

From karan7868 at gmail.com Thu Jul 13 20:49:46 2017
From: karan7868 at gmail.com (Karan karan)
Date: Thu, 13 Jul 2017 17:49:46 -0700
Subject: [Cryptography-dev] Cipher/tls cipher negotiated
Message-ID:

Hi,

I'm trying to test different ciphers and protocols using the requests
package, for which I extend the HTTPAdapter.
Here is some of the code I have:
https://lukasa.co.uk/2013/01/Choosing_SSL_Version_In_Requests/

and then I wrap it in a Session object as follows:

    from ssl import SSLContext
    ...
    def create_connection(self, sessionreuse=None):
        """
        Create a http connection over ssl
        Arguments:
        Returns: returns the Session object, which can use to be make HTTP call

        """
        if self._ssl_version and self._cipher:
            self._context = SSLContext(self._ssl_version)
            self._context.set_ciphers(self._ciphers)
            cipher_adapter = SSLAdapter({'ssl_context': self._context})
        if self._proxy:
            self._session.update(proxies)
        self._session.mount('https://', cipher_adapter)
        return self._session

Then I use self._session to make the get call.

What I need to find is:
- SSL version finally negotiated
- Cipher used by the server.

I would appreciate it if someone could help out with it.

Thanks,
Karan.

From alex.gaynor at gmail.com Thu Jul 13 20:54:59 2017
From: alex.gaynor at gmail.com (Alex Gaynor)
Date: Thu, 13 Jul 2017 20:54:59 -0400
Subject: [Cryptography-dev] Cipher/tls cipher negotiated
In-Reply-To:
References:
Message-ID:

This is properly a question for the requests mailing list I think.

That said, if you can root around in the response object and find the
SSL.Connection, you can call:

- https://pyopenssl.org/en/stable/api/ssl.html#OpenSSL.SSL.Connection.get_protocol_version
- https://pyopenssl.org/en/stable/api/ssl.html#OpenSSL.SSL.Connection.get_cipher_name

Alex

--
"I disapprove of what you say, but I will defend to the death your right to
say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
"The people's good is the highest law." -- Cicero
GPG Key fingerprint: D1B3 ADC0 E023 8CA6

From karan7868 at gmail.com Thu Jul 13 23:00:50 2017
From: karan7868 at gmail.com (Karan karan)
Date: Thu, 13 Jul 2017 20:00:50 -0700
Subject: [Cryptography-dev] Cipher/tls cipher negotiated
In-Reply-To:
References:
Message-ID:

Thanks for the prompt reply, Alex!

I have sent my question to the requests mailing list.

I'm using Python's native ssl library, not the pyOpenSSL library, as I can
use the ssl library's context in the Adapter. I looked into the requests
response object but couldn't find a way to get the ciphers from it.

I wanted to use the requests package as it provides a higher-level library to
call into the get and post calls. But I'm not sure how I can interface the
OpenSSL Context with requests; do you know if there is any way I could do
that?

Thanks,
Konteya.

From cory at lukasa.co.uk Fri Jul 14 06:02:04 2017
From: cory at lukasa.co.uk (Cory Benfield)
Date: Fri, 14 Jul 2017 11:02:04 +0100
Subject: [Cryptography-dev] Cipher/tls cipher negotiated
In-Reply-To:
References:
Message-ID:
>     def create_connection(self, sessionreuse=None):
>         """
>         Create a http connection over ssl
>         Arguments:
>         Returns: returns the Session object, which can use to be make HTTP call
>
>         """
>         if self._ssl_version and self._cipher:
>             self._context = SSLContext(self._ssl_version)
>             self._context.set_ciphers(self._ciphers)
>             cipher_adapter = SSLAdapter({'ssl_context': self._context})
>         if self._proxy:
>             self._session.update(proxies)
>         self._session.mount('https://', cipher_adapter)
>         return self._session
>
> Then I use self._session to make get call.
>
> What I need to find is the:
> - SSL version negotiated finally
> - Cipher used by the server.
>
> I would appreciate if someone could help out on it.

As Alex has suggested, this is not really an appropriate question for this mailing list. In future, Stack Overflow is the best place to ask this question: the requests mailing list is defunct.

However, the answer is that you need to extract the socket object out. This is difficult to do and requires accessing a bunch of undocumented properties of the response object. The response object does not expose any of these fields.

If you're willing to accept the fact that you're accessing undocumented private parts of the code, then on Python 3 you can do this:

    >>> r = s.get(url, stream=True)
    >>> sslsocket = r.raw._fp.fp.raw._sock

This will return a stdlib ssl.SSLSocket, with all associated methods. On Python 2, you want:

    >>> r = s.get(url, stream=True)
    >>> sslsocket = r.raw._fp.fp._sock

Please be aware that you *must* set stream=True: otherwise, the socket object will be gone already and you cannot ask the questions you want to ask.

Cory

From paul.l.kehrer at gmail.com  Mon Jul 17 11:52:10 2017
From: paul.l.kehrer at gmail.com (Paul Kehrer)
Date: Mon, 17 Jul 2017 11:52:10 -0400
Subject: [Cryptography-dev] PyCA cryptography 2.0 released
Message-ID:

PyCA cryptography 2.0 has been released to PyPI.
cryptography includes both high level recipes and low level interfaces to common cryptographic algorithms such as symmetric ciphers, message digests, and key derivation functions. We support Python 2.6-2.7, Python 3.4+, and PyPy.

* BACKWARDS INCOMPATIBLE: Support for Python 3.3 has been dropped.
* We now ship manylinux1 wheels linked against OpenSSL 1.1.0f. These wheels will be automatically used with most Linux distributions if you are running the latest pip.
* Deprecated the use of signer on RSAPrivateKey, DSAPrivateKey, and EllipticCurvePrivateKey in favor of sign.
* Deprecated the use of verifier on RSAPublicKey, DSAPublicKey, and EllipticCurvePublicKey in favor of verify.
* Added support for parsing SignedCertificateTimestamp objects from X.509 certificate extensions.
* Added support for ChaCha20Poly1305.
* Added support for AESCCM.
* Added AESGCM, a "one shot" API for AES GCM encryption.
* Added support for X25519 key exchange.
* Added support for serializing and deserializing Diffie-Hellman parameters with load_pem_parameters(), load_der_parameters(), and parameter_bytes().
* The extensions attribute on Certificate, CertificateSigningRequest, CertificateRevocationList, and RevokedCertificate now caches the computed Extensions object. There should be no performance change, just a performance improvement for programs accessing the extensions attribute multiple times.

Thanks to all the contributors!

-Paul Kehrer (reaperhulk)
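For Cory Benfield's answer in the "Cipher/tls cipher negotiated" thread above, here is one way to wrap the socket lookup and turn it into a check of what was actually negotiated. This is an added example, not code from the thread or from requests; the helper names `find_ssl_socket`, `negotiated_tls` and `check_policy` are hypothetical, and the attribute chains are the undocumented ones quoted in the answer.

```python
# Added example: helper names are hypothetical, not part of requests.
# The attribute chains are the ones given in the answer; they are
# undocumented internals and can change between library versions.
_SOCKET_PATHS = (
    ("raw", "_fp", "fp", "raw", "_sock"),  # Python 3
    ("raw", "_fp", "fp", "_sock"),         # Python 2
)


def find_ssl_socket(response):
    """Return the TLS socket behind a response fetched with stream=True."""
    for path in _SOCKET_PATHS:
        obj = response
        for name in path:
            obj = getattr(obj, name, None)
            if obj is None:
                break
        # A plain-HTTP socket has no cipher() method, so it is rejected too.
        if obj is not None and hasattr(obj, "cipher"):
            return obj
    raise LookupError(
        "no TLS socket reachable: use stream=True over https and "
        "inspect the response before its body is read or closed")


def negotiated_tls(response):
    """Report what the handshake settled on, not what the client offered."""
    sock = find_ssl_socket(response)
    name, _protocol, bits = sock.cipher()  # (name, protocol, secret bits)
    return {"version": sock.version(), "cipher": name, "secret_bits": bits}


def check_policy(info, allowed_versions, allowed_ciphers):
    """List the ways one negotiated connection deviates from the test plan."""
    problems = []
    if info["version"] not in allowed_versions:
        problems.append("protocol %s not allowed" % info["version"])
    if info["cipher"] not in allowed_ciphers:
        problems.append("cipher %s not allowed" % info["cipher"])
    return problems


# Typical use (needs a reachable server, so it is not executed here):
#   r = session.get(url, stream=True)
#   print(check_policy(negotiated_tls(r), {"TLSv1.2"},
#                      {"ECDHE-ECDSA-AES128-GCM-SHA256"}))
#   r.close()
```

When the response was fetched without stream=True, the lookup raises LookupError instead of an opaque AttributeError on None.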
From readthedocs at readthedocs.org  Mon Jul 17 14:59:32 2017
From: readthedocs at readthedocs.org (Read the Docs)
Date: Mon, 17 Jul 2017 18:59:32 -0000
Subject: [Cryptography-dev] Failed: Cryptography (latest)
Message-ID: <20170717185932.10360.70197@web02.servers.readthedocs.org>

Build Failed for Cryptography (latest)

You can find out more about this failure here:

https://readthedocs.org/projects/cryptography/builds/5700359/

If you have questions, a good place to start is the FAQ:

https://docs.readthedocs.org/en/latest/faq.html

Keep documenting,
Read the Docs
--
http://readthedocs.org

From readthedocs at readthedocs.org  Thu Jul 20 00:58:07 2017
From: readthedocs at readthedocs.org (Read the Docs)
Date: Thu, 20 Jul 2017 04:58:07 -0000
Subject: [Cryptography-dev] Failed: Cryptography (d3c4ba3a)
Message-ID: <20170720045807.9453.68427@web03.servers.readthedocs.org>

Build Failed for Cryptography (latest)

You can find out more about this failure here:

https://readthedocs.org/projects/cryptography/builds/5713885/

If you have questions, a good place to start is the FAQ:

https://docs.readthedocs.org/en/latest/faq.html

Keep documenting,
Read the Docs
--
http://readthedocs.org

From deepenpatel.lintel at gmail.com  Sun Jul 23 12:24:09 2017
From: deepenpatel.lintel at gmail.com (Deepen Patel)
Date: Sun, 23 Jul 2017 21:54:09 +0530
Subject: [Cryptography-dev] Import Error.
Message-ID:

Hi,

I got error like Import error.
Traceback (most recent call last):
  File "startnode.py", line 8, in <module>
    from twisted.conch import manhole, manhole_ssh
  File "/usr/local/lib/python2.7/dist-packages/twisted/conch/manhole_ssh.py", line 14, in <module>
    from twisted.conch.ssh import factory, session
  File "/usr/local/lib/python2.7/dist-packages/twisted/conch/ssh/factory.py", line 18, in <module>
    from twisted.conch.ssh import (_kex, transport, userauth, connection)
  File "/usr/local/lib/python2.7/dist-packages/twisted/conch/ssh/transport.py", line 22, in <module>
    from cryptography.exceptions import UnsupportedAlgorithm
ImportError: No module named cryptography.exceptions

Currently, I am using virtual environments and in virtual environment this code not run properly.
Previously, I am running code without virtual environments. It works proper.

Await your reply.

Regards,
Deepen Patel.

From alex.gaynor at gmail.com  Sun Jul 23 12:27:20 2017
From: alex.gaynor at gmail.com (Alex Gaynor)
Date: Sun, 23 Jul 2017 12:27:20 -0400
Subject: [Cryptography-dev] Import Error.
In-Reply-To:
References:
Message-ID:

Hi Deepen,

Without any more information, it looks like you didn't install cryptography into your virtualenv. How did you install twisted?

Alex

On Sun, Jul 23, 2017 at 12:24 PM, Deepen Patel wrote:

> Hi,
>
> I got error like Import error.
>
> Traceback (most recent call last):
>   File "startnode.py", line 8, in <module>
>     from twisted.conch import manhole, manhole_ssh
>   File "/usr/local/lib/python2.7/dist-packages/twisted/conch/manhole_ssh.py", line 14, in <module>
>     from twisted.conch.ssh import factory, session
>   File "/usr/local/lib/python2.7/dist-packages/twisted/conch/ssh/factory.py", line 18, in <module>
>     from twisted.conch.ssh import (_kex, transport, userauth, connection)
>   File "/usr/local/lib/python2.7/dist-packages/twisted/conch/ssh/transport.py", line 22, in <module>
>     from cryptography.exceptions import UnsupportedAlgorithm
> ImportError: No module named cryptography.exceptions
>
> Currently, I am using virtual environments and in virtual environment this
> code not run properly.
> Previously, I am running code without virtual environments. It works
> proper.
>
> Await your reply.
>
> Regards,
> Deepen Patel.

--
"I disapprove of what you say, but I will defend to the death your right to say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
"The people's good is the highest law." -- Cicero
GPG Key fingerprint: D1B3 ADC0 E023 8CA6

From paul.l.kehrer at gmail.com  Wed Jul 26 16:35:03 2017
From: paul.l.kehrer at gmail.com (Paul Kehrer)
Date: Wed, 26 Jul 2017 13:35:03 -0700
Subject: [Cryptography-dev] PyCA cryptography 2.0.1 released
Message-ID:

PyCA cryptography 2.0.1 has been released to PyPI. cryptography includes both high level recipes and low level interfaces to common cryptographic algorithms such as symmetric ciphers, message digests, and key derivation functions. We support Python 2.6-2.7, Python 3.4+, and PyPy.

* Fixed a compilation bug affecting OpenBSD.
* Altered the manylinux1 wheels to statically link OpenSSL instead of dynamically linking and bundling the shared object. This should resolve crashes seen when using uwsgi or other binaries that link against OpenSSL independently.
* Fixed the stack level for the signer and verifier warnings.

-Paul Kehrer (reaperhulk)

From paul.l.kehrer at gmail.com  Wed Jul 26 23:41:44 2017
From: paul.l.kehrer at gmail.com (Paul Kehrer)
Date: Wed, 26 Jul 2017 20:41:44 -0700
Subject: [Cryptography-dev] PyCA cryptography 2.0.2 released
Message-ID:

Hot on the heels of 2.0.1 comes a 2.0.2 with just one change to the manylinux1 wheels:

* Marked all symbols as hidden in the ``manylinux1`` wheel to avoid a bug with symbol resolution in certain scenarios.

-Paul Kehrer (reaperhulk)
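The API changes named in the 2.0 announcement above (sign and verify replacing signer and verifier, X25519 key exchange, and the one-shot AESGCM class), used together. This is an added example, not part of the original mails or the project's own code; it assumes a current cryptography release in which the backend argument is optional, and the function names and the HKDF info label are made up for illustration.

```python
import os

from cryptography.exceptions import InvalidSignature, InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.hkdf import HKDF

# Function names below are hypothetical; sample messages are constructed.


def sign_then_verify(message, received=None):
    """sign()/verify() in one call each, instead of signer()/verifier()."""
    key = ec.generate_private_key(ec.SECP256R1())
    signature = key.sign(message, ec.ECDSA(hashes.SHA256()))
    try:
        key.public_key().verify(
            signature, message if received is None else received,
            ec.ECDSA(hashes.SHA256()))
        return True
    except InvalidSignature:
        return False  # verify() raises rather than returning False


def x25519_session_keys():
    """Both peers turn the X25519 shared secret into a 128-bit AES key."""
    alice, bob = X25519PrivateKey.generate(), X25519PrivateKey.generate()

    def derive(shared):
        # Never use the raw shared secret as a key; run it through a KDF.
        return HKDF(algorithm=hashes.SHA256(), length=16, salt=None,
                    info=b"constructed-example").derive(shared)

    return (derive(alice.exchange(bob.public_key())),
            derive(bob.exchange(alice.public_key())))


def aesgcm_roundtrip(key, plaintext, aad, corrupt=False):
    """One-shot AES-GCM: returns the plaintext, or None if the tag fails."""
    nonce = os.urandom(12)  # 96-bit nonce, must be unique per key
    ciphertext = AESGCM(key).encrypt(nonce, plaintext, aad)
    if corrupt:  # flip one bit to show that tampering is detected
        ciphertext = bytes([ciphertext[0] ^ 1]) + ciphertext[1:]
    try:
        return AESGCM(key).decrypt(nonce, ciphertext, aad)
    except InvalidTag:
        return None
```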