[Cryptography-dev] set_cipher_list() API Question

Cory Benfield cory at lukasa.co.uk
Mon Jul 3 10:34:57 EDT 2017 

The “sslv3” text is misleading: it simply relates to the way the OpenSSL internals are structured. Similarly, TLS_EMPTY_RENEGOTIATION_INFO_SCSV is a “dummy” cipher suite used to signal to the server that renegotiation using RFC 5746 is supported: it’s not an actual cipher suite.

This error is almost certainly due to the remote server not having an ECDSA certificate. When you say ECDHE-ECDSA-AES128-GCM-SHA256 you make it entirely impossible to interoperate with servers that use RSA certificates, which is probably not what you want to do. A more useful cipher suite string is "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256”, which includes both the ECDSA and RSA variants of this cipher suite.

Cory

> On 3 Jul 2017, at 15:11, Karan karan <karan7868 at gmail.com> wrote:
> 
> I set : cont.set_cipher_list('ECDHE-ECDSA-AES128-GCM-SHA256')
> 
> but i see the following error in the logs :
> 
> connected ('**.**.**.**', 443)
> Traceback (most recent call last):
>   File "test_ex.py", line 83, in <module>
>     main()
>   File "test_ex.py", line 65, in main
>     cont, initial_session, ssl_conn, tcp_conn = create_ssl_connection()
>   File "test_ex.py", line 33, in create_ssl_connection
>     client_ssl.do_handshake()
>   File "build/bdist.linux-x86_64/egg/OpenSSL/SSL.py", line 1638, in do_handshake
>   File "build/bdist.linux-x86_64/egg/OpenSSL/SSL.py", line 1378, in _raise_ssl_error
>   File "build/bdist.linux-x86_64/egg/OpenSSL/_util.py", line 54, in exception_from_error_queue
> OpenSSL.SSL.Error: [('SSL routines', 'ssl3_read_bytes', 'sslv3 alert handshake failure')]
> 
> However when i see in the wireshark i do the following ciphers set in the set client hello:
> TLS_EMPTY_RENEGOTIATION_INFO_SCS and 
> 'ECDHE-ECDSA-AES128-GCM-SHA256.
> 
> Im using TLS 1.2 not sure why its complaining about ssv3 protocol and using and the TLS_EMPTY_RENEGOTIATION_INFO_SCS.
> 
> I'd appreciate if someone could help out on it.
> 
> Thanks,
> Karan.
> 
> 
> 
> On Mon, Jul 3, 2017 at 6:18 AM, Karan karan <karan7868 at gmail.com <mailto:karan7868 at gmail.com>> wrote:
> Hi,
> 
> I'm trying to set a specific cipher in the ('ECDHE-ECDSA-AES128-GCM-SHA256') the cipher list using the API: set_cipher_list but im getting the following error :
> 
> kjoshi at ubuntu64dev:~/openssl_playground$ python test_ex.py 
> -----------------------------------
> connected ('192.168.152.132', 443)
> Traceback (most recent call last):
>   File "test_ex.py", line 83, in <module>
>     main()
>   File "test_ex.py", line 65, in main
>     cont, initial_session, ssl_conn, tcp_conn = create_ssl_connection()
>   File "test_ex.py", line 25, in create_ssl_connection
>     cont.set_cipher_list('ECDHE+ECDSA+AES128+GCM+SHA256')
>   File "build/bdist.linux-x86_64/egg/OpenSSL/SSL.py", line 975, in set_cipher_list
>   File "build/bdist.linux-x86_64/egg/OpenSSL/_util.py", line 67, in openssl_assert
>   File "build/bdist.linux-x86_64/egg/OpenSSL/_util.py", line 54, in exception_from_error_queue
> OpenSSL.SSL.Error: [('SSL routines', 'SSL_CTX_set_cipher_list', 'no cipher match')]
> 
> 
> Below is the code that i have:
> 
> cont = Context(TLSv1_2_METHOD)
>                 #cont.set_cipher_list('0xc00e')
>                 #cont.set_cipher_list('ECDHE+ECDSA+AESGCM+SHA256')
>                 #cont.set_cipher_list('ECDHE-ECDSA-AES128-GCM-SHA256')
>                 cont.set_cipher_list('ECDHE+ECDSA+AES128+GCM+SHA256')
>                 client_ssl = Connection(cont, client)
>                 client_ssl.set_connect_state()
>                 client_ssl.do_handshake()
>                 session_ref = client_ssl.get_session()
> 
> 
> As seen above i tried numerous combination of word separators (_,-,+) but nothing seemed to have helped.
> 
> I would appreciate if someone could please let me know on the usage of this.I'm sure there must be a way of sending a specific cipher. 
> I'm performing a test on my local apache server.
> 
> Thanks,
> Karan.
> 
> 
> _______________________________________________
> Cryptography-dev mailing list
> Cryptography-dev at python.org
> https://mail.python.org/mailman/listinfo/cryptography-dev

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/cryptography-dev/attachments/20170703/d372ca6f/attachment-0001.html>

More information about the Cryptography-dev mailing list