Issue #1050 new

Patch to allow selecting SSL ciphers

Anonymous created an issue

Sorry to add clutter to your ticket system, but I don't frequent IRC and thought this may be the best way to submit. This is just a tiny little patch to allow a config item ssl_ciphers so things like SSLv2 or weak ciphers can be turned off with something like server.ssl_ciphers = "HIGH:!SSLv2".

{{{
diff -Nru CherryPy-3.1.2/cherrypy/_cpserver.py CherryPy-3.1.2-avery/cherrypy/_cpserver.py
--- CherryPy-3.1.2/cherrypy/_cpserver.py 2009-04-13 00:38:03.000000000 -0500
+++ CherryPy-3.1.2-avery/cherrypy/_cpserver.py 2011-02-22 17:11:38.000000000 -0600
@@ -55,6 +55,7 @@
 instance = None
 ssl_certificate = None
 ssl_private_key = None
+ ssl_ciphers = "DEFAULT"
 nodelay = True

 def __init__(self):
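Review bot: The new `ssl_ciphers` attribute is the only SSL setting in this class body without an explanatory comment, and its default `"DEFAULT"` is an OpenSSL cipher-list keyword rather than a CherryPy sentinel, which a config author reading `_cpserver.py` may not recognise. I would add above it `# OpenSSL cipher-list string handed to SSL.Context.set_cipher_list(); "DEFAULT" keeps OpenSSL's built-in selection.` so that the relationship to the wsgiserver change is visible from the config side. It is also worth noting there that the value is applied only where the pyOpenSSL context is built, so other adapters (if any) are unaffected. The enclosing class body starts outside the hunk.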

diff -Nru CherryPy-3.1.2/cherrypy/_cpwsgi_server.py CherryPy-3.1.2-avery/cherrypy/_cpwsgi_server.py
--- CherryPy-3.1.2/cherrypy/_cpwsgi_server.py 2009-04-13 00:38:03.000000000 -0500
+++ CherryPy-3.1.2-avery/cherrypy/_cpwsgi_server.py 2011-02-22 17:12:06.000000000 -0600
@@ -52,4 +52,4 @@
 self.nodelay = server.nodelay
 self.ssl_certificate = server.ssl_certificate
 self.ssl_private_key = server.ssl_private_key
-
+ self.ssl_ciphers = server.ssl_ciphers
diff -Nru CherryPy-3.1.2/cherrypy/wsgiserver/init.py CherryPy-3.1.2-avery/cherrypy/wsgiserver/init.py
--- CherryPy-3.1.2/cherrypy/wsgiserver/init.py 2009-04-13 00:38:02.000000000 -0500
+++ CherryPy-3.1.2-avery/cherrypy/wsgiserver/init.py 2011-02-22 17:12:41.000000000 -0600
@@ -1625,6 +1625,7 @@

         # See http://aspn.activestate.com/ASPN/Cookbook/Python/Recipe/442473
         ctx = SSL.Context(SSL.SSLv23_METHOD)
  • ctx.set_cipher_list(self.ssl_ciphers)
 ctx.use_privatekey_file(self.ssl_private_key)
 ctx.use_certificate_file(self.ssl_certificate)
 self.socket = SSLConnection(ctx, self.socket)
}}}
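Review bot: `ctx.set_cipher_list(self.ssl_ciphers)` is called unconditionally, so a deployment that sets `ssl_ciphers` to None or an empty string (the neighbouring SSL attributes default to None) will raise inside pyOpenSSL during socket setup instead of keeping the previous behaviour; I would guard it with `if self.ssl_ciphers:` so only an explicit value is applied, and let a string that matches no suite fail loudly as it does now, since silently serving with an unintended cipher set is the worse outcome. The ticket's stated goal of turning off SSLv2 is only partly met by a cipher string, because cipher lists select suites rather than protocol versions; adding `ctx.set_options(SSL.OP_NO_SSLv2)` next to the `SSL.Context(SSL.SSLv23_METHOD)` line would make the protocol restriction explicit and independent of the configured ciphers. The bullet at the start of this line appears to be the rendering of the `+` marker. The enclosing method starts outside the hunk.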

Reported by avery@monchichi.org

Comments (2)
