[issue13636] Python SSL Stack doesn't have a Secure Default set of ciphers

naif report at bugs.python.org
Mon Dec 19 13:53:00 CET 2011


naif <naif at globaleaks.org> added the comment:

To disable SSLv2 you must specifically disable it.

Look, I tried a server we're working on, http://github.com/hellais/tor2web, that's running on:

privacyresearch.infosecurity.ch port 8888

With 'HIGH:!aNULL:!eNULL' SSLv2 can connect:

openssl s_client -connect  privacyresearch.infosecurity.ch:8888 -ssl2

SSLv2, Cipher is DES-CBC3-MD5

So it negotiated SSLv2 with 3DES, which is not a good choice; SSLv2 must be disabled.

We must disable SSLv1 with !SSLv2, for example, I am using just now 'HIGH:!aNULL:!eNULL:!SSLv2:@STRENGTH' .

Trying to connect with SSLv2 fails:
openssl s_client -connect  privacyresearch.infosecurity.ch:8888 -ssl2
140735092141340:error:1406D0B8:SSL routines:GET_SERVER_HELLO:no cipher list:s2_clnt.c:450:

Trying to connect by default, it selects a strong cipher (I still didn't set up the dh/stuff):

openssl s_client -connect  privacyresearch.infosecurity.ch:8888

Connect with: TLSv1/SSLv3, Cipher is AES256-SHA

----------

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue13636>
_______________________________________
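
An added example, not part of the original message or of Python's own code: a local check that lists what a cipher string actually enables in a Python `ssl` context and flags SSLv2, anonymous and null-encryption suites, so the result does not depend on probing a live server. The `audit` and `enabled_ciphers` helpers and the `SAMPLE` entries are constructed for illustration; the first sample entry mirrors the SSLv2 suite reported above.

```python
import ssl

# Constructed sample in the shape returned by SSLContext.get_ciphers().
SAMPLE = [
    {"name": "DES-CBC3-MD5", "protocol": "SSLv2",
     "description": "DES-CBC3-MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5"},
    {"name": "AES256-SHA", "protocol": "SSLv3",
     "description": "AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1"},
    {"name": "ADH-AES256-SHA", "protocol": "SSLv3",
     "description": "ADH-AES256-SHA SSLv3 Kx=DH Au=None Enc=AES(256) Mac=SHA1"},
]


def audit(ciphers):
    """Return (cipher name, reason) pairs for suites that should not be offered."""
    findings = []
    for c in ciphers:
        desc = c.get("description", "")
        if c.get("protocol") == "SSLv2":
            findings.append((c["name"], "SSLv2 suite"))
        if "Au=None" in desc:       # what !aNULL is meant to exclude
            findings.append((c["name"], "anonymous (aNULL)"))
        if "Enc=None" in desc:      # what !eNULL is meant to exclude
            findings.append((c["name"], "no encryption (eNULL)"))
    return findings


def enabled_ciphers(cipher_string):
    """Cipher suites a server-side context enables for the given string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return ctx.get_ciphers()


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION)
    print("constructed sample:", audit(SAMPLE))
    # OpenSSL 1.1.0 and later contain no SSLv2 code, so on such builds
    # the live list has no SSLv2 entries whatever the cipher string says.
    live = enabled_ciphers("HIGH:!aNULL:!eNULL")
    print(len(live), "suites enabled; findings:", audit(live))
```
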

