Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.
assignee = None
closed_at = <Date 2011-12-19.12:34:22.126>
created_at = <Date 2011-12-19.10:44:02.596>
labels = ['type-feature', 'library']
title = "Python SSL stack doesn't support ordering of Ciphers"
updated_at = <Date 2011-12-20.01:32:13.507>
user = 'https://bugs.python.org/naif'
activity = <Date 2011-12-20.01:32:13.507>
actor = 'jcea'
assignee = 'none'
closed = True
closed_date = <Date 2011-12-19.12:34:22.126>
closer = 'pitrou'
components = ['Library (Lib)']
creation = <Date 2011-12-19.10:44:02.596>
creator = 'naif'
dependencies = 
files = 
hgrepos = 
issue_num = 13635
keywords = 
message_count = 5.0
messages = ['149831', '149835', '149837', '149848', '149850']
nosy_count = 4.0
nosy_names = ['jcea', 'pitrou', 'python-dev', 'naif']
pr_nums = 
priority = 'normal'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'enhancement'
url = 'https://bugs.python.org/issue13635'
versions = ['Python 3.3']
The list of Ciphers for Python SSL binding for OpenSSL cannot be ordered in a specific list of preference.
This is a requirement for strict security environments where the ordered cipher list is very important.
Apache supports the ordering of ciphers through the configuration of SSLHonorCipherOrder:
Also Internet Explorer 7 supports cipher order configuration:
Not having the ordered cipher list doesn't allow Python SSL stack configuration to be compliant with high security environments, de facto representing a security vulnerability.
We suggest to fix the issue of lacking that feature.
Apparently it's just a matter of exposing SSL_OP_CIPHER_SERVER_PREFERENCE?
Looking at the code from mod_ssl, I would say that this is the preference required: https://issues.apache.org/bugzilla/show_bug.cgi?id=28665
New changeset c706f76c9ea8 by Antoine Pitrou in branch 'default':
Issue bpo-13635: Add ssl.OP_CIPHER_SERVER_PREFERENCE, so that SSL servers
The new option is now committed in 3.3. Thanks for the report!
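
An added example, not code from this issue or from CPython: it builds a server-side `SSLContext` with an explicit cipher order and `ssl.OP_CIPHER_SERVER_PREFERENCE`, then audits a context for the two conditions the thread is about (flag set, order as intended). The names `make_server_context`, `audit` and `POLICY`, and the cipher list itself, are assumptions made for illustration.

```python
import ssl

# Constructed policy for this example (an assumption, not from the issue):
# TLS 1.2 suites in the order the server should prefer them.
POLICY = ["ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256"]


def make_server_context(ciphers=POLICY, honor_server_order=True):
    """Build a server-side context with an explicit TLS 1.2 cipher order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL keeps explicitly named suites in the order they are listed.
    ctx.set_ciphers(":".join(ciphers))
    if honor_server_order:
        ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    else:
        # Python 3.6+ sets the flag by default, so clear it to reproduce
        # the behaviour the report describes (the client's order decides).
        ctx.options &= ~ssl.OP_CIPHER_SERVER_PREFERENCE
    return ctx


def audit(ctx, policy=POLICY):
    """Return a list of findings; an empty list means the context complies."""
    findings = []
    if not ctx.options & ssl.OP_CIPHER_SERVER_PREFERENCE:
        findings.append("OP_CIPHER_SERVER_PREFERENCE not set: client order wins")
    # set_ciphers() does not govern TLS 1.3 suites, so compare the rest only.
    actual = [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]
    if actual != list(policy):
        findings.append("cipher order differs from policy: " + ", ".join(actual))
    return findings


if __name__ == "__main__":
    print("hardened: ", audit(make_server_context()))
    print("weak:     ", audit(make_server_context(honor_server_order=False)))
    print("reordered:", audit(make_server_context(ciphers=POLICY[::-1])))
```
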