
SSL Ciphers RC4 #67867

Closed
mogli mannequin opened this issue Mar 16, 2015 · 9 comments
Labels
docs Documentation in the Doc dir type-bug An unexpected behavior, bug, or error

Comments

@mogli
Mannequin

mogli mannequin commented Mar 16, 2015

BPO 23679
Nosy @vstinner, @benjaminp, @alex, @bitdancer, @dstufft

Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.


GitHub fields:

assignee = None
closed_at = <Date 2015-03-16.17:45:38.773>
created_at = <Date 2015-03-16.11:31:05.698>
labels = ['type-bug', 'docs']
title = 'SSL Ciphers RC4'
updated_at = <Date 2015-03-17.09:37:13.996>
user = 'https://bugs.python.org/mogli'

bugs.python.org fields:

activity = <Date 2015-03-17.09:37:13.996>
actor = 'mogli'
assignee = 'docs@python'
closed = True
closed_date = <Date 2015-03-16.17:45:38.773>
closer = 'python-dev'
components = ['Documentation']
creation = <Date 2015-03-16.11:31:05.698>
creator = 'mogli'
dependencies = []
files = []
hgrepos = []
issue_num = 23679
keywords = []
message_count = 9.0
messages = ['238194', '238212', '238219', '238222', '238230', '238231', '238232', '238234', '238268']
nosy_count = 8.0
nosy_names = ['vstinner', 'benjamin.peterson', 'alex', 'r.david.murray', 'docs@python', 'python-dev', 'dstufft', 'mogli']
pr_nums = []
priority = 'normal'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'behavior'
url = 'https://bugs.python.org/issue23679'
versions = ['Python 2.7']

@mogli
Mannequin Author

mogli mannequin commented Mar 16, 2015

The documentation (https://docs.python.org/2/library/ssl.html) says:
The settings in Python 2.7.9 are: PROTOCOL_SSLv23, OP_NO_SSLv2, and OP_NO_SSLv3 with high encryption cipher suites without RC4

But it still seems to use RC4: https://www.howsmyssl.com/a/check

Also the test at https://www.ssllabs.com/ssltest/viewMyClient.html says it still supports SSLv3 (not so sure about this one).

@mogli mogli mannequin added the type-security A security issue label Mar 16, 2015
@alex
Member

alex commented Mar 16, 2015

I believe RC4 will still be used under 2.7.9 on clients; this is changed for 2.7.10.

@benjaminp
Contributor

RC4 is dropped in the next releases.

@vstinner
Member

You can explicitly disable RC4 if you create an SSLContext and then call set_ciphers() with the right list of ciphers. See, for example, the cipher lists of Python 2.7 (development branch):
https://hg.python.org/cpython/file/0b44c749ae51/Lib/ssl.py#l150

Add ":!RC4" at the end of the cipher list to disable RC4.

OpenSSL cipher list format:
https://www.openssl.org/docs/apps/ciphers.html#CIPHER_LIST_FORMAT
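As an added example (not code from the thread or from CPython), this is the approach vstinner describes, written for Python 3: append ":!RC4" to an OpenSSL cipher string, apply it with set_ciphers(), and confirm through get_ciphers() that no RC4 suite remains enabled. BASE_CIPHERS is a constructed sample modelled on the Python 2.7 default list of that era, and ssl.PROTOCOL_TLS_CLIENT and SSLContext.get_ciphers() assume Python 3.6 or later.

```python
import ssl

# Constructed sample modelled on the Python 2.7 default cipher list of 2015
# (OpenSSL cipher-list syntax). It excludes anonymous/null suites and MD5
# but says nothing about RC4, which is what this issue is about.
BASE_CIPHERS = (
    "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:"
    "ECDH+HIGH:DH+HIGH:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+HIGH:"
    "RSA+3DES:!aNULL:!eNULL:!MD5"
)


def harden_cipher_list(cipher_list: str) -> str:
    """Return cipher_list with ':!RC4' appended unless RC4 is already excluded.

    OpenSSL treats '!RC4' as a permanent exclusion: nothing later in the
    string can re-enable an RC4 suite, so appending it at the end is safe.
    """
    rules = cipher_list.split(":")
    if "!RC4" in rules:
        return cipher_list
    return cipher_list + ":!RC4"


def build_client_context(cipher_list: str) -> ssl.SSLContext:
    """Create a client-side SSLContext whose cipher list excludes RC4."""
    # PROTOCOL_TLS_CLIENT (Python 3.6+) negotiates the highest TLS version
    # both sides support and enables hostname checking and certificate
    # verification by default, so only the cipher list needs adjusting here.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(harden_cipher_list(cipher_list))
    return ctx


def enabled_cipher_names(ctx: ssl.SSLContext) -> list:
    """Names of the cipher suites OpenSSL actually enabled for this context."""
    return [entry["name"] for entry in ctx.get_ciphers()]


def uses_rc4(ctx: ssl.SSLContext) -> bool:
    """True if any enabled suite still uses RC4 (the situation in 2.7.9)."""
    return any("RC4" in name for name in enabled_cipher_names(ctx))


if __name__ == "__main__":
    context = build_client_context(BASE_CIPHERS)
    print("RC4 enabled:", uses_rc4(context))
    print("enabled suites:", len(enabled_cipher_names(context)))
```

Checking get_ciphers() after set_ciphers() is the local equivalent of the howsmyssl.com check from the report: it shows what the context will offer before any connection is made.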

@mogli
Mannequin Author

mogli mannequin commented Mar 16, 2015

So it seems the docs are wrong.

@benjaminp
Contributor

They're correct for the next release. :(

@bitdancer
Member

But the doc explicitly says 2.7.9, so no, they are not correct. There also should be a versionchanged directive, I think.

@bitdancer bitdancer added the docs Documentation in the Doc dir label Mar 16, 2015
@bitdancer bitdancer reopened this Mar 16, 2015
@bitdancer bitdancer added type-bug An unexpected behavior, bug, or error and removed type-security A security issue labels Mar 16, 2015
@python-dev
Mannequin

python-dev mannequin commented Mar 16, 2015

New changeset e1dfa5f0709f by Benjamin Peterson in branch '2.7':
versionchanged for rc4 removal (closes bpo-23679)
https://hg.python.org/cpython/rev/e1dfa5f0709f

New changeset 2a6a63828a40 by Benjamin Peterson in branch '3.4':
versionchanged for rc4 removal (closes bpo-23679)
https://hg.python.org/cpython/rev/2a6a63828a40

New changeset 87c102d0df39 by Benjamin Peterson in branch 'default':
merge 3.4 (bpo-23679)
https://hg.python.org/cpython/rev/87c102d0df39

@python-dev python-dev mannequin closed this as completed Mar 16, 2015
@mogli
Mannequin Author

mogli mannequin commented Mar 17, 2015

That was fast, great job!

For the record: The SSLv3 issue I also wrote about was a false positive because the test only works with Javascript. Python 2.7.9 has SSLv3 disabled by default as it should.

urllib2.urlopen("https://sslv3.dshield.org")  # fails as it should

@ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022