ssl: get list of enabled ciphers

[tiran]

BPO	27866
Nosy	@pitrou, @giampaolo, @tiran, @alex, @vadmium, @dstufft
Files	Add-SSLContext.get_ciphers.patch

^{Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.}

Show more details

GitHub fields:

assignee = None
closed_at = <Date 2016-09-06.12:27:20.362>
created_at = <Date 2016-08-26.11:29:14.266>
labels = ['type-feature', 'library']
title = 'ssl: get list of enabled ciphers'
updated_at = <Date 2016-09-12.10:00:39.491>
user = 'https://github.com/tiran'

bugs.python.org fields:

activity = <Date 2016-09-12.10:00:39.491>
actor = 'python-dev'
assignee = 'none'
closed = True
closed_date = <Date 2016-09-06.12:27:20.362>
closer = 'berker.peksag'
components = ['Library (Lib)']
creation = <Date 2016-08-26.11:29:14.266>
creator = 'christian.heimes'
dependencies = []
files = ['44307']
hgrepos = []
issue_num = 27866
keywords = ['patch']
message_count = 9.0
messages = ['273703', '274113', '274115', '274443', '274515', '274540', '274545', '274552', '276011']
nosy_count = 8.0
nosy_names = ['janssen', 'pitrou', 'giampaolo.rodola', 'christian.heimes', 'alex', 'python-dev', 'martin.panter', 'dstufft']
pr_nums = []
priority = 'normal'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'enhancement'
url = 'https://bugs.python.org/issue27866'
versions = ['Python 3.6']

[tiran]

SSLContext has a set_ciphers() method but no method to get the actual list of enabled ciphers. https://github.com/tiran/cpython/tree/feature/openssl_ciphers implements get_ciphers()

>>> import ssl, pprint
>>> ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
>>> ctx.set_ciphers('ECDHE+AESGCM:!ECDSA')
>>> pprint.pprint(ctx.get_ciphers())
[{'alg_bits': 256,
  'description': 'ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  '
                 'Enc=AESGCM(256) Mac=AEAD',
  'id': 50380848,
  'name': 'ECDHE-RSA-AES256-GCM-SHA384',
  'protocol': 'TLSv1/SSLv3',
  'strength_bits': 256},
 {'alg_bits': 128,
  'description': 'ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  '
                 'Enc=AESGCM(128) Mac=AEAD',
  'id': 50380847,
  'name': 'ECDHE-RSA-AES128-GCM-SHA256',
  'protocol': 'TLSv1/SSLv3',
  'strength_bits': 128}]

With OpenSSL 1.1 the dict will have more fields.

Both the return value and functionality is different to https://docs.python.org/3/library/ssl.html#ssl.SSLSocket.shared_ciphers .

[pitrou]

What does "kea" mean? Key exchange?

[tiran]

KEA stands for key exchange algorithm.

[python-dev]

New changeset ca8d7cb55a8e by Christian Heimes in branch 'default':
Issue bpo-27866: Add SSLContext.get_ciphers() method to get a list of all enabled ciphers.
https://hg.python.org/cpython/rev/ca8d7cb55a8e

[vadmium]

Fails on the Gentoo buildbots:
http://buildbot.python.org/all/builders/x86%20Gentoo%20Non-Debug%20with%20X%203.x/builds/1368/steps/test/logs/stdio

======================================================================
ERROR: test_get_ciphers (test.test_ssl.ContextTests)
----------------------------------------------------------------------

Traceback (most recent call last):
  File "/buildbot/buildarea/3.x.ware-gentoo-x86.nondebug/build/Lib/test/test_ssl.py", line 840, in test_get_ciphers
    ctx.set_ciphers('ECDHE+AESGCM:!ECDSA')
ssl.SSLError: ('No cipher can be selected.',)

[python-dev]

New changeset 9377ed49746b by Christian Heimes in branch 'default':
bpo-27866: relax test case for set_cipher() and allow more cipher suites
https://hg.python.org/cpython/rev/9377ed49746b

[python-dev]

New changeset dad4c42869f6 by Christian Heimes in branch 'default':
bpo-27866: relax get_cipher() test even more. Gentoo buildbot has no ECDHE
https://hg.python.org/cpython/rev/dad4c42869f6

[tiran]

I have relaxed the tests and stabilized the buildbots. Some Gentoo machines don't have ECDHE cipher suites enabled.

[python-dev]

New changeset 2a1c7d0fdde6 by Victor Stinner in branch 'default':
Issue bpo-27866: Fix refleak in cipher_to_dict()
https://hg.python.org/cpython/rev/2a1c7d0fdde6