server side ssl socket does not honor the "ciphers" setting

[EricLin89]

If I initialize a green socket as below:

ciphers = "EECDH+ECDSA+SHA384"     # my customized ciphers
_socket = eventlet.listen((ip, int(port)), family)
_socket = eventlet.wrap_ssl(_socket,
                            certfile='/path/to/cert',
                            keyfile='/path/to/key',
                            server_side=True,
                            do_handshake_on_connect=False,
                            ssl_version=ssl.PROTOCOL_TLSv1_2,
                            ciphers=ciphers)
# some other stuff to start the server

Then I scanned the server with nmap to list the cipher suites used by this server. It comes out that the result is not what I passed to eventlet.wrap_ssl, but rather the default cipher suites defined in Python standard ssl.py library.

After digging into the code for a whole day, finally I got to the GreenSSLSocket.accept() method in eventlet/green/ssl.py:

new_ssl = type(self)(
	newsock,
	keyfile=self.keyfile,
	certfile=self.certfile,
	server_side=True,
	cert_reqs=self.cert_reqs,
	ssl_version=self.ssl_version,
	ca_certs=self.ca_certs,
	do_handshake_on_connect=False,
	suppress_ragged_eofs=self.suppress_ragged_eofs)
return (new_ssl, addr)

the "ciphers" argument is not passed when constructing the new_ssl object, That's why the cipher setting passed to eventlet.wrap_ssl seems to not working at all!

After I modified the above code as below, the problem is solved.

new_ssl = type(self)(
	newsock,
	keyfile=self.keyfile,
	certfile=self.certfile,
	server_side=True,
	cert_reqs=self.cert_reqs,
	ssl_version=self.ssl_version,
	ca_certs=self.ca_certs,
	do_handshake_on_connect=False,
	suppress_ragged_eofs=self.suppress_ragged_eofs,
	ciphers=self.ciphers)
return (new_ssl, addr)

[jiajunsu]

This bug may has been fixed in #717