![]() The variables crt, private_key and private_key hold the correct values accordingly. Let me start with what does work functionally, but suffers from the weak cipher problem: I tried your suggestion, which looks promising, but got an error as described below. Ideally is to go for TLS1.1 above but supposed RC4 is ok for avoiding the CBC, this is suggested by phonefactor as well to mitigate - !aNULL:!eNULL:!EXPORT:!DSS :!DES:RC4- SHA:RC4-MD 5:ALLĪlso saw the place where ssl python is used in ssl_builtin.py and ssl_pyopenssl.py (wondering we can modify from there but looks like has to be done in ) Ref OpenSSL’s documentation about the cipher list format. >context = ssl.SSLContext(ssl.PROTOCO L_TLSv1) The !aNULL:!eNULL part of the cipher spec is necessary to disable ciphers which don’t provide both encryption and authentication Starting from Python 3.2.3, the ssl module disables certain weak ciphers by default, but you may want to further restrict the cipher choice. >context = ssl.SSLContext(ssl.PROTOCO L_SSLv23)Į.g. The SSL context created below will allow SSLv3 and TLSv1 connections, but not SSLv2. See the reference for ssl libray for python internal - Į.g. set_ciphers to select the crypto and this patch stated the weak crypto is disabled ![]() Not sure if you also catch this, there is also. I couldn't find any specific instructions on how to mitigate the BEAST under 'buitin' SSL. ![]() ![]() So I guess, at this point ,the problem is partially solved under the 'builtin' SSL option. The BEAST is still described by SSLLABS scan a s a venerability(whileusing either builtin or openssl). The results in SSLLABS scan were significantly different, and removed support for many ciphers. What id did manage to do is tell CherryPy to use the 'builtin' ssl (of Python 2.7.3) instead of openssl. This part didn't work by tweaking the registry, so the assumption is that openssl ignores he Registry setting? (BTW, the Windows openssl version i am using is 0.98.12) I was looking for ways to configure the SSL with specific cipher suites enabled. However, it seems (by experiment) that openssl as used with CerryPy ignores some settings. Some changes I made to the Windows Registry SCHANNEL were reflected in the test by SSLLABS. It also seems that it ignores the Windows Server setup for the most part, but not entirely, which threw me off. You are correct that CherryPy can support both 'builtin"and 'openssl'. Better to find out the openssl used by CherryPy. So I am thinking if Python will be using the latest openssl and hence CherryPy. This is a better ciphersuite list when you have openssl 1.0.1 or above: OpenSSL v0.9.8w is the current version in broad use and it only supports TLS v1.0. In OpenSSL versions 0.9.6d and later, the protocol-level mitigation is enabled by default, thus making it not vulnerable to the BEAST attack. I suspect it is openssl as a overall and saw Python can specified SSL version ( I am not Python savvy though) The challenge is what SSL adaptor does CherryPy uses?Ī) Built in SSL from Python - _bu iltin Would be at the web server level since it may have its own SSL library, which is why Apache and IIS has different set of instruction.and browser is another as well, but not to your concern. Any CBC suite when used with SSL 3.0 or TLS 1.0 is vulnerable to BEAST.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |