[Python-checkins] cpython (merge 3.2 -> default): Add a subsection explaning cipher selection.

antoine.pitrou python-checkins at python.org
Wed Jan 4 02:56:05 CET 2012


http://hg.python.org/cpython/rev/8f7c4b16c8d7
changeset:   74263:8f7c4b16c8d7
parent:      74261:405f65676010
parent:      74262:b8f978aa2614
user:        Antoine Pitrou <solipsis at pitrou.net>
date:        Wed Jan 04 02:54:12 2012 +0100
summary:
  Add a subsection explaning cipher selection.

files:
  Doc/library/ssl.rst |  19 +++++++++++++++++++
  1 files changed, 19 insertions(+), 0 deletions(-)


diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
--- a/Doc/library/ssl.rst
+++ b/Doc/library/ssl.rst
@@ -1174,6 +1174,25 @@
 The SSL context created above will allow SSLv3 and TLSv1 connections, but
 not SSLv2.
 
+Cipher selection
+^^^^^^^^^^^^^^^^
+
+If you have advanced security requirements, fine-tuning of the ciphers
+enabled when negotiating a SSL session is possible through the
+:meth:`SSLContext.set_ciphers` method.  Starting from Python 3.2.3, the
+ssl module disables certain weak ciphers by default, but you may want
+to further restrict the cipher choice.  For example::
+
+   context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
+   context.set_ciphers('HIGH:!aNULL:!eNULL')
+
+The ``!aNULL:!eNULL`` part of the cipher spec is necessary to disable ciphers
+which don't provide both encryption and authentication.  Be sure to read
+OpenSSL's documentation about the `cipher list
+format <http://www.openssl.org/docs/apps/ciphers.html#CIPHER_LIST_FORMAT>`_.
+If you want to check which ciphers are enabled by a given cipher list,
+use the ``openssl ciphers`` command on your system.
+
 
 .. seealso::
 

-- 
Repository URL: http://hg.python.org/cpython


More information about the Python-checkins mailing list