[Python-Dev] Controlling the cipher list for SSL connections

Mon Sep 7 18:09:36 CEST 2009

Greetings,

I would like to be able to set the cipher list when creating an SSL
connection.  It appears that the current SSL module doesn't provide
this functionality.

The attached patch (against trunk) adds this ability to SSLSocket.

Thank you,
--Chris

PS: Please reply directly to me, as I'm not subscribed to this list.

Index: Python-2.7/Lib/ssl.py
===================================================================

--- Python-2.7/Lib/ssl.py    (revision 74703)
+++ Python-2.7/Lib/ssl.py    (working copy)
@@ -88,7 +88,7 @@
                  server_side=False, cert_reqs=CERT_NONE,
                  ssl_version=PROTOCOL_SSLv23, ca_certs=None,
                  do_handshake_on_connect=True,
-                 suppress_ragged_eofs=True):
+                 suppress_ragged_eofs=True, cipher_list=None):
         socket.__init__(self, _sock=sock._sock)
         # the initializer for socket trashes the methods (tsk, tsk), so...
         self.send = lambda data, flags=0: SSLSocket.send(self, data, flags)
@@ -110,7 +110,8 @@
             # yes, create the SSL object
             self._sslobj = _ssl.sslwrap(self._sock, server_side,
                                         keyfile, certfile,
-                                        cert_reqs, ssl_version, ca_certs)
+                                        cert_reqs, ssl_version,
+                                        ca_certs, cipher_list)
             if do_handshake_on_connect:
                 timeout = self.gettimeout()
                 try:
Index: Python-2.7/Modules/_ssl.c
===================================================================
--- Python-2.7/Modules/_ssl.c    (revision 74703)
+++ Python-2.7/Modules/_ssl.c    (working copy)
@@ -261,7 +261,8 @@
            enum py_ssl_server_or_client socket_type,
            enum py_ssl_cert_requirements certreq,
            enum py_ssl_version proto_version,
-           char *cacerts_file)
+           char *cacerts_file,
+           char *cipher_list)
 {
     PySSLObject *self;
     char *errstr = NULL;
@@ -366,6 +367,9 @@
     SSL_CTX_set_verify(self->ctx, verification_mode,
                NULL); /* set verify lvl */

+    if (cipher_list)
+        SSL_CTX_set_cipher_list(self->ctx, cipher_list);
+
     PySSL_BEGIN_ALLOW_THREADS
     self->ssl = SSL_new(self->ctx); /* New ssl struct */
     PySSL_END_ALLOW_THREADS
@@ -407,14 +411,17 @@
     char *key_file = NULL;
     char *cert_file = NULL;
     char *cacerts_file = NULL;
+    char *cipher_list = NULL;

-    if (!PyArg_ParseTuple(args, "O!i|zziiz:sslwrap",
+
+    if (!PyArg_ParseTuple(args, "O!i|zziizz:sslwrap",
                   PySocketModule.Sock_Type,
                   &Sock,
                   &server_side,
                   &key_file, &cert_file,
                   &verification_mode, &protocol,
-                  &cacerts_file))
+                  &cacerts_file,
+                  &cipher_list))
         return NULL;

     /*
@@ -427,12 +434,12 @@

     return (PyObject *) newPySSLObject(Sock, key_file, cert_file,
                        server_side, verification_mode,
-                       protocol, cacerts_file);
+                       protocol, cacerts_file, cipher_list);
 }

 PyDoc_STRVAR(ssl_doc,
 "sslwrap(socket, server_side, [keyfile, certfile, certs_mode, protocol,\n"
-"                              cacertsfile]) -> sslobject");
+"                              cacertsfile, cipherlist]) -> sslobject");

 /* SSL object methods */
