Python SSL stack doesn't support ordering of Ciphers

[naif]

BPO	13635
Nosy	@jcea, @pitrou

^{Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.}

Show more details

GitHub fields:

assignee = None
closed_at = <Date 2011-12-19.12:34:22.126>
created_at = <Date 2011-12-19.10:44:02.596>
labels = ['type-feature', 'library']
title = "Python SSL stack doesn't support ordering of Ciphers"
updated_at = <Date 2011-12-20.01:32:13.507>
user = 'https://bugs.python.org/naif'

bugs.python.org fields:

activity = <Date 2011-12-20.01:32:13.507>
actor = 'jcea'
assignee = 'none'
closed = True
closed_date = <Date 2011-12-19.12:34:22.126>
closer = 'pitrou'
components = ['Library (Lib)']
creation = <Date 2011-12-19.10:44:02.596>
creator = 'naif'
dependencies = []
files = []
hgrepos = []
issue_num = 13635
keywords = []
message_count = 5.0
messages = ['149831', '149835', '149837', '149848', '149850']
nosy_count = 4.0
nosy_names = ['jcea', 'pitrou', 'python-dev', 'naif']
pr_nums = []
priority = 'normal'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'enhancement'
url = 'https://bugs.python.org/issue13635'
versions = ['Python 3.3']

[naif]

The list of Ciphers for Python SSL binding for OpenSSL cannot be ordered in a specific list of preference.

This is a requirement for strict security environment where the ordered cipher list it's very important.

Apache support the ordering of ciphers trough the configuration of SSLHonorCipherOrder:
http://www.carbonwind.net/blog/post/Setting-the-preferred-cipher-suite-on-Apache-22x.aspx

Also Internet Explorer 7 support Ciphers order configuration:
https://blogs.technet.com/b/steriley/archive/2007/11/06/changing-the-ssl-cipher-order-in-internet-explorer-7-on-windows-vista.aspx?Redirected=true

Not having the ordered cipher list doesn't allow Python SSL stack configuration to be compliant with high security environment, de-facto representing a security vulnerability.

We suggest to fix the issue of lacking that feature.

[pitrou]

Apparently it's just a matter of exposing SSL_OP_CIPHER_SERVER_PREFERENCE?

[naif]

Looking at the code from mod_ssl i would say that this is the preference required https://issues.apache.org/bugzilla/show_bug.cgi?id=28665

[python-dev]

New changeset c706f76c9ea8 by Antoine Pitrou in branch 'default':
Issue bpo-13635: Add ssl.OP_CIPHER_SERVER_PREFERENCE, so that SSL servers
http://hg.python.org/cpython/rev/c706f76c9ea8

[pitrou]

The new option is now committed in 3.3. Thanks for the report!