[Python-Dev] Controlling the cipher list for SSL connections
Chris Frantz
frantzcj at gmail.com
Mon Sep 7 18:09:36 CEST 2009
More information about the Python-Dev mailing list
Mon Sep 7 18:09:36 CEST 2009
- Previous message: [Python-Dev] Problems with hex-conversion functions
- Next message: [Python-Dev] Controlling the cipher list for SSL connections
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Greetings,
I would like to be able to set the cipher list when creating an SSL
connection. It appears that the current SSL module doesn't provide
this functionality.
The attached patch (against trunk) adds this ability to SSLSocket.
Thank you,
--Chris
PS: Please reply directly to me, as I'm not subscribed to this list.
Index: Python-2.7/Lib/ssl.py
===================================================================
--- Python-2.7/Lib/ssl.py (revision 74703)
+++ Python-2.7/Lib/ssl.py (working copy)
@@ -88,7 +88,7 @@
server_side=False, cert_reqs=CERT_NONE,
ssl_version=PROTOCOL_SSLv23, ca_certs=None,
do_handshake_on_connect=True,
- suppress_ragged_eofs=True):
+ suppress_ragged_eofs=True, cipher_list=None):
socket.__init__(self, _sock=sock._sock)
# the initializer for socket trashes the methods (tsk, tsk), so...
self.send = lambda data, flags=0: SSLSocket.send(self, data, flags)
@@ -110,7 +110,8 @@
# yes, create the SSL object
self._sslobj = _ssl.sslwrap(self._sock, server_side,
keyfile, certfile,
- cert_reqs, ssl_version, ca_certs)
+ cert_reqs, ssl_version,
+ ca_certs, cipher_list)
if do_handshake_on_connect:
timeout = self.gettimeout()
try:
Index: Python-2.7/Modules/_ssl.c
===================================================================
--- Python-2.7/Modules/_ssl.c (revision 74703)
+++ Python-2.7/Modules/_ssl.c (working copy)
@@ -261,7 +261,8 @@
enum py_ssl_server_or_client socket_type,
enum py_ssl_cert_requirements certreq,
enum py_ssl_version proto_version,
- char *cacerts_file)
+ char *cacerts_file,
+ char *cipher_list)
{
PySSLObject *self;
char *errstr = NULL;
@@ -366,6 +367,9 @@
SSL_CTX_set_verify(self->ctx, verification_mode,
NULL); /* set verify lvl */
+ if (cipher_list)
+ SSL_CTX_set_cipher_list(self->ctx, cipher_list);
+
PySSL_BEGIN_ALLOW_THREADS
self->ssl = SSL_new(self->ctx); /* New ssl struct */
PySSL_END_ALLOW_THREADS
@@ -407,14 +411,17 @@
char *key_file = NULL;
char *cert_file = NULL;
char *cacerts_file = NULL;
+ char *cipher_list = NULL;
- if (!PyArg_ParseTuple(args, "O!i|zziiz:sslwrap",
+
+ if (!PyArg_ParseTuple(args, "O!i|zziizz:sslwrap",
PySocketModule.Sock_Type,
&Sock,
&server_side,
&key_file, &cert_file,
&verification_mode, &protocol,
- &cacerts_file))
+ &cacerts_file,
+ &cipher_list))
return NULL;
/*
@@ -427,12 +434,12 @@
return (PyObject *) newPySSLObject(Sock, key_file, cert_file,
server_side, verification_mode,
- protocol, cacerts_file);
+ protocol, cacerts_file, cipher_list);
}
PyDoc_STRVAR(ssl_doc,
"sslwrap(socket, server_side, [keyfile, certfile, certs_mode, protocol,\n"
-" cacertsfile]) -> sslobject");
+" cacertsfile, cipherlist]) -> sslobject");
/* SSL object methods */
- Previous message: [Python-Dev] Problems with hex-conversion functions
- Next message: [Python-Dev] Controlling the cipher list for SSL connections
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
More information about the Python-Dev mailing list